XSS Terminator: Content Security Policy (CSP)

XSS Terminator: Content Security Policy (CSP)
Content Security Policy (CSP) Introduction

The traditional web security should mainly be the same origin policy ). Website A's Code cannot access website B's data. Each domain is isolated from other domains and creates A security sandbox for developers. In theory, this is a very clever practice, but in practice, attackers use various tricks to overturn this protection.

XSS attackers inject malicious code into the conventional data of the website, so that they can bypass the same source policy of the browser. The browser believes all the code from the security domain. XSS Cheat Sheet is an old but representative attack method. Once the attacker successfully injects the code, the Game is basically Over, and the user data is undoubtedly leaked. We are eager to prevent such attacks.

This tutorial points out a brand new defense method: Content Security Policy (CSP), which is a brand new active defense system provided by html5. CSP can effectively reduce XSS attacks, of course, browser support is required first.

Whitelist

The main problem with browsers is that they cannot distinguish whether scripts are from their own applications or malicious injection by third-party attackers, which is precisely exploited by attackers. For example, Google's+ 1The button will load and execute a script from the https://apis.google.com/js/plusone.js that we trust, but we cannot expect the browser to differentiate scripts from api.google.com from safe, insecure from apis.evil.example.com. All files are downloaded and executed by the browser. CSP defines the Content-Security-Policy HTTP header to create a source whitelist for your Content. The browser only allows resource and code execution in the whitelist domain. In this way, even if the attacker finds a vulnerability injection script, the script cannot be executed even if it is not in the whitelist.

In the previous example, we continue to explain that we trust the api.google.com code and we can define our protocol in this way.

Content-Security-Policy: script-src 'self' https://apis.google.com

So easy, as the name suggests, script-src controls the script label-related policy, in the above example, we specify the 'self 'and https://apis.google.com as his value, the browser only downloads and executes scripts for the domain and https://apis.google.com.

If there are other scripts, the browser will throw the following exception. Attackers can only get the following results if they inject the script:

Policy supports multiple resources

In addition to script resources, CSP also provides multiple commands to control the loading of various resources. The usage is similar to that of script-src. Let's take a quick look at these commands:

• Connect-src

Restrict the use of XHR, WebSockets, and EventSource connection sources.

• Font-src

Download source of the specified font.

• Frame-src

Specifies the Connection source that the frame can embed.

• Img-src

Specifies the image loading source.

• Media-src

Specifies the video and audio data sources.

• Object-src

Specify the Connection source of Flash and Other plug-ins.

• Style-src

Specify the link connection source. Similar to script-src.

By default, if you do not specify the value of these commands, all sources are allowed, such as font-src: *, which is equivalent to not writing font-src.

You can also override the default value, as long as you use default-src. For example, if default-src: https://example.com is specified but font-src is not specified, your font-src can only be loaded from the https://example.com. In the previous example, only script-src is specified, which means that image, font and other resources can be loaded from anywhere else.

You can specify multiple or one command for your web application. You only need to list these values in the HTTP header. Different values are separated. But if you write a script-src https://host1.com; script-src: https://host2.com, the Second script-src won't work, and the correct way is: script-src https://host1.com https://host2.com.

Another example: if all your static resources come from one CDN, And you know there will be no frame or other plug-ins. You can write

Content-Security-Policy: default-src https://cdn.example.net; frame-src 'none'; object-src: 'none'

Detailed Implementation

X-WebKit-CSP and X-Content-Security-Policy are all previous HTTP headers. In modern browsers (except IE, all Content-Security-Policy headers with no prefix are supported.

The CSP Policy requires that each page request carry the Content-Security-Policy header, which provides a lot of flexibility. You can even determine when to add the CSP Policy based on the conditions and when not.

The source list of the Protocol is also flexible, you can specify the Protocol (data:, https :), or only specify the host name :( example.com, allow any protocol, any port), or full limit (https://example.com: 443 ). You can even use wildcards,://.Example.com: *, matches any subdomain of example, any protocol and port,Note: wildcard characters are not allowed for example.com..

The following four keywords can also be used in the source list:

• 'None'

None match.

• 'Self'

Matches the current domain, excluding subdomains.

• 'Unsafe-inline'

Allow inline JavaScript and CSS.

• 'Unsafe-eval'

Allows execution of eval, new Function, and so on.

These keywords need to be referenced in single quotes. If they are not referenced, they will be considered as domain names.

Sandbox

The sandbox is also worth mentioning. The role of a sandbox is a little different. It is mainly used to limit what operations a page can do, rather than what resources can be loaded. If the sandbox command is specified, the page will be treated as an iframe page: it must be the same source, and form submission is prohibited. These contents are beyond the scope of this article. For details, visit the following link: "sandboxing flag set" section of the HTML5 spec.

Inline code is risky

CSP is based on a whitelist. This method clearly identifies which resources are recognized and which cannot. However, this method cannot solve a major problem: inline Script Injection. If attackers can inject a script:

<script>sendMyDataToEvilDotCom();</script>

The browser has no mechanism to distinguish between rational code and malicious code. CSP can solve this problem:Disable all inline scripts. It includes not only the values in the <script> label, but also the inline events and javascript: [CODE] methods. If your CODE is written in this way, you need to make some changes.

For example:

<script>    function doAmazingThings(){        alert('YOU ARE AMAZING');           }</script><button onclick="doAmazingThings();">AM I amazing?</button>

Change

<!-- amazing.html --><script src='amazing.js'></script><button id='amazing'>Am I amazing?</button>

// amazing.jsfunction doAmazingThings() {  alert('YOU AM AMAZING!');}document.addEventListener('DOMContentReady', function () {  document.getElementById('amazing')          .addEventListener('click', doAmazingThings);});

The rewritten code is more compliant with the standard, and CSP can also run well. External resources can be better cached and compressed. This is a good coding habit.

Inline style has the same processing method.

If you are determined to use an inline script or style, you can use 'unsafe-inline' as the values of script-src and style-src, but we do not recommend this. Disabling inline scripts and styles is a security mechanism provided by CSP and a compromise worth making.

Eval

Although attackers cannot directly inject scripts, attackers may use strings to confuse them with other browsers, such as setInterval ([string],...). it may eventually lead to execution of some malicious attack code. The CSP's method to avoid compromise risks is to completely disable it.

• Use native JSON. parse to avoid using eval

Native JSON. parse is absolutely secure, and all browsers except IE8 and earlier support it.

• Override setTimeout

    setTimeout("document.querySelector('a').style.display='none';",10);

  Rewrite

    setTimeout(function(){      document.querySelector('a').style.display = 'none';  },10);

• Avoid running template tools

  Many template libraries use new Function () to accelerate the generation of runtime templates. Although this practice is very good, it brings risks. Some databases support CSPs without new functions and downgrade to versions without eval.

If the template you use supports Handlebars, it will be faster and safer than the fastest runtime compilation template. Similarly, if you must use this text-to-javascript method, add 'unsafe-eval' to script-src. Not enough.

Reporting

CSP is a good mechanism to prevent untrusted resources from being executed on the client, but it will be even better if some reports can be returned to the server. In this way, you can immediately locate some attacks and injections. Report-uri allows you to specify an address.

Content-Security-Policy: default-src 'self'; report-uri /my_amazing_csp_report_parser;

The report content is as follows:

{  "csp-report": {    "document-uri": "http://example.org/page.html",    "referrer": "http://evil.example.com/",    "blocked-uri": "http://evil.example.com/evil.js",    "violated-directive": "script-src 'self' https://apis.google.com",    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/my_amazing_csp_report_parser"  }}

The report contains a large amount of information to help you locate the attack, including the page where the attack occurred, referer, block-uri, And the violating policies and your defined policies.

Report-Only

Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;

In this way, only one report is sent to the background without stopping scripts and other resources.

Actual use

CSP is well supported in Chrome 16 +, Safari 6 +, and Firefox 4 +. Partially supported on IE10. Twitter's case study and Facebook are both commercially available.

Use Case #1: Social media widgets

• Google's+ 1 buttonIncludes a section from the https://apis.google.com, and an embedded iframe from the https://plusone.google.com. A basic policy is: script-src https://apis.google.com; frame-src https://plusone.google.com.

• Facebook'sLike buttonThere are multiple implementation methods. I recommend using iframe.

    frame-src https://facebook.com

The default iframe of facebook is // facebook.com by default. Please Use https as shown. If you do not need to use https as much as possible.

Use Case #2 Lockdown

If you are building a bank website, you must ensure that all resources except your own scripts are strictly prohibited from being executed. First, you can use default-src 'none '.

Bank pictures, styles and scripts are from CDN: https://cdn.mybank.net, and XHR to https://api.mybank.com/will pull a lot of data, Frame is also used, but only load the page of the domain, no third domain. There is no flash or fonts on the website. A strict CSP can be written as follows:

Content-Security-Policy: default-src 'none'; script-src https://cdn.mybank.net; style-src https://cdn.mybank.net; img-src https://cdn.mybank.net; connect-src https://api.mybank.com; frame-src 'self'

Use Case #3 SSL Only

The administrator of a wedding ring forum wants to ensure that all resources are loaded by using ssl, but it is unrealistic to change all of them because they have a large number of inline scripts. We can design the following rules:

Content-Security-Policy: default-src https; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'

Future

Content Security Policy 1.0 is W3C Candidate Recommendation, which is quickly implemented by the browser. W3C is currently drafting new features of Content Security Policy 1.1 worth noting:

• Supports inline script and style

Although we should try to avoid using inline scripts and styles, we still need to take into account the existing site, so 1.1 using nouces and hashes is safe to ensure inline scripts and styles.

• The policy can be added using meta.

Support adding meta tags to CSP policies

<meta http-equiv="Content-Security-Policy" content="[POLICY GOES HERE]">

You can even use javascript to inject a meta CSP policy.

• DOM APIs

In the future, you will be able to use javascript to query and modify CSP policies. You can specify different policies to deal with different situations.

• New commands

Some new commands will be added, including: plugin-types restricts that the plug-in can load the MIME type. Form-action form submission target address limit.

This article is alan's translation, original article link: http://www.html5rocks.com/en/tutorials/security/content-security-policy/