Content Security Policy

Source: Internet
Author: User

This document describes W3C Content Security Policy (CSP. As the name suggests, this specification is related to content security. It is mainly used to define the resources that can be loaded on a page to reduce the occurrence of XSS.

Chrome extension has introduced CSP, which is defined by the content_security_policy field in manifest. json. Some modern browsers also support defining CSPs through response headers. The following describes how to use CSP through the response header. For details about how to use CSP in Chrome extension, refer to the official Chrome documentation.

Browser compatibility

Early Chrome supports CSP through X-WebKit-CSP response headers, while firefox and IE support X-Content-Security-Policy, chrome 25 and Firefox23 start to support standard Content-Security-Policy, as shown in the following table.

Response Header Chrome Firefox Safari IE
Content-Security-Policy 25 + 23 + - -
X-Content-Security-Policy - 4.0 + - 10.0 (limited)
X-Webkit-CSP 14 + - 6 + -

For more information about CSP support in the browser, see CanIUse.

How to Use

To use CSP, you only need the server to output a response header similar to this:

 
Content-Security-Policy: default-src 'self'

Default-src is a CSP command. Multiple commands are separated by semicolons. 'self 'is the command value. Multiple command values are separated by spaces. Currently, these CSP commands are available:

Command Command value example Description
Default-src 'Self 'cnd.a.com

Defines the default loading policies for all types of resources (js, image, css, web font, ajax request, iframe, multimedia, etc.). If no policy is defined for a type of resource, use the default one.

Script-src 'Self 'js.a.com Defines the loading policy for JavaScript.
Style-src 'Self 'css.a.com Define a style-based loading policy.
Img-src 'Self 'img.a.com Define an image loading policy.
Connect-src 'Self'

Load policies for Ajax, WebSocket, and other requests. If not, the browser simulates a 400 response.

Font-src Font.a.com Load policy for Web Font.
Object-src 'Self' Loading policies for flash and Other plug-ins introduced by tags such as <object>, <embed>, or <applet>.
Media-src Media.a.com The loading policy for html multimedia introduced by tags such as <audio> or <video>.
Frame-src 'Self' The frame loading policy.
Sandbox Allow-forms

Enable sandbox for requested resources (similar to the sandbox attribute of iframe ).

Report-uri /Report-uri

Tell the browser which address to submit log information if the requested resource is not permitted by the policy.

Specifically, if you only want your browser to report logs without blocking any content. You can use the Content-Security-Policy-Report-Only response header instead.

The command value can be composed of the following content:

Command Value Command example Description
* Img-src * Any content is allowed.
'None' Img-src 'none' NO content is allowed.
'Self' Img-src 'self' Allow content from the same source (the same protocol, domain name, and port ).
Data Img-src data Allow data: Protocol (for example, base64 encoded image ).
Www.a.com Img-src img.a.com Resources of the specified domain name can be loaded.
* .A.com Img-src * .a.com Resources in any subdomain of a.com can be loaded.
Https://img.com Img-src https://img.com Https resources of img.com can be loaded (Protocol needs to be matched ).
Https: Img-src https: Https resources can be loaded.
'Unsafe-inline' Script-src 'unsafe-inline'

Allows loading of inline resources (such as common style attributes, onclick, inline js, and inline css ).

'Unsafe-eval' Script-src 'unsafe-eval' Allows loading of dynamic js Code, such as eval ().

From the above introduction, we can see that the CSP protocol can control a lot of content. In addition, if you do not specify 'unsafe-inline', all the inline styles and scripts on the page will not be executed. If you do not specify 'unsafe-eval ', dynamic code execution using new Function, setTimeout, and eval is not allowed on the page. After the page resource source is restricted, the risk of being XSS is indeed much smaller.

Of course, relying solely on CSP to prevent XSS is far from enough. It is hard to prevent all browsers from being supported. However, given the low development cost, there is no harm in addition. If you are worried that the impact is too large, you can collect logs that do not match the rules as follows. First observe the following:

 
Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://test/

In this way, if the page contains inline JS, it will still be executed, but the browser will send a post request to the specified address, containing the following information:

 
{"csp-report":{"document-uri":"http://test/test.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri http://test/","blocked-uri":""}}

CSP is introduced here first. Modern browsers support many security-related response headers, which will be introduced later.

Link: http://www.imququ.com/post/content-security-policy-reference.html

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.