Content Security Policy

This document describes W3C Content Security Policy (CSP. As the name suggests, this specification is related to content security. It is mainly used to define the resources that can be loaded on a page to reduce the occurrence of XSS.

Chrome extension has introduced CSP, which is defined by the content_security_policy field in manifest. json. Some modern browsers also support defining CSPs through response headers. The following describes how to use CSP through the response header. For details about how to use CSP in Chrome extension, refer to the official Chrome documentation.

Browser compatibility

Early Chrome supports CSP through X-WebKit-CSP response headers, while firefox and IE support X-Content-Security-Policy, chrome 25 and Firefox23 start to support standard Content-Security-Policy, as shown in the following table.

Response Header	Chrome	Firefox	Safari	IE
Content-Security-Policy	25 +	23 +	-	-
X-Content-Security-Policy	-	4.0 +	-	10.0 (limited)
X-Webkit-CSP	14 +	-	6 +	-

For more information about CSP support in the browser, see CanIUse.

How to Use

To use CSP, you only need the server to output a response header similar to this:

 

Content-Security-Policy: default-src 'self'

Default-src is a CSP command. Multiple commands are separated by semicolons. 'self 'is the command value. Multiple command values are separated by spaces. Currently, these CSP commands are available:

Command	Command value example	Description
Default-src	'Self 'cnd.a.com	Defines the default loading policies for all types of resources (js, image, css, web font, ajax request, iframe, multimedia, etc.). If no policy is defined for a type of resource, use the default one.
Script-src	'Self 'js.a.com	Defines the loading policy for JavaScript.
Style-src	'Self 'css.a.com	Define a style-based loading policy.
Img-src	'Self 'img.a.com	Define an image loading policy.
Connect-src	'Self'	Load policies for Ajax, WebSocket, and other requests. If not, the browser simulates a 400 response.
Font-src	Font.a.com	Load policy for Web Font.
Object-src	'Self'	Loading policies for flash and Other plug-ins introduced by tags such as <object>, <embed>, or <applet>.
Media-src	Media.a.com	The loading policy for html multimedia introduced by tags such as <audio> or <video>.
Frame-src	'Self'	The frame loading policy.
Sandbox	Allow-forms	Enable sandbox for requested resources (similar to the sandbox attribute of iframe ).
Report-uri	/Report-uri	Tell the browser which address to submit log information if the requested resource is not permitted by the policy. Specifically, if you only want your browser to report logs without blocking any content. You can use the Content-Security-Policy-Report-Only response header instead.

The command value can be composed of the following content:

Command Value	Command example	Description
*	Img-src *	Any content is allowed.
'None'	Img-src 'none'	NO content is allowed.
'Self'	Img-src 'self'	Allow content from the same source (the same protocol, domain name, and port ).
Data	Img-src data	Allow data: Protocol (for example, base64 encoded image ).
Www.a.com	Img-src img.a.com	Resources of the specified domain name can be loaded.
* .A.com	Img-src * .a.com	Resources in any subdomain of a.com can be loaded.
Https://img.com	Img-src https://img.com	Https resources of img.com can be loaded (Protocol needs to be matched ).
Https:	Img-src https:	Https resources can be loaded.
'Unsafe-inline'	Script-src 'unsafe-inline'	Allows loading of inline resources (such as common style attributes, onclick, inline js, and inline css ).
'Unsafe-eval'	Script-src 'unsafe-eval'	Allows loading of dynamic js Code, such as eval ().

From the above introduction, we can see that the CSP protocol can control a lot of content. In addition, if you do not specify 'unsafe-inline', all the inline styles and scripts on the page will not be executed. If you do not specify 'unsafe-eval ', dynamic code execution using new Function, setTimeout, and eval is not allowed on the page. After the page resource source is restricted, the risk of being XSS is indeed much smaller.

Of course, relying solely on CSP to prevent XSS is far from enough. It is hard to prevent all browsers from being supported. However, given the low development cost, there is no harm in addition. If you are worried that the impact is too large, you can collect logs that do not match the rules as follows. First observe the following:

 

Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://test/

In this way, if the page contains inline JS, it will still be executed, but the browser will send a post request to the specified address, containing the following information:

 

{"csp-report":{"document-uri":"http://test/test.php","referrer":"","violated-directive":"script-src 'self'","original-policy":"script-src 'self'; report-uri http://test/","blocked-uri":""}}

CSP is introduced here first. Modern browsers support many security-related response headers, which will be introduced later.

Link: http://www.imququ.com/post/content-security-policy-reference.html