Home > Developer > Web Develop
Content security Policy, or CSP, is a trusted whitelist mechanism to limit whether a site can contain some source content and mitigate a wide range of content injection vulnerabilities, such as XSS. Simply put, we can stipulate that our website only accepts the requested resources we specify. The default configuration does not allow inline code execution ( <script> block content, inline events, inline styles), and suppresses the execution of eval (), Newfunction (), SetTimeout ([string], ...), and setinterval ([string], ...).
CSPs can be specified in two ways: HTTP headers and HTML.
Used in HTTP headers by definition:
"Content-Security-Policy:" 策略集Used in HTML meta tags by definition:
<meta http-equiv="content-security-policy" content="策略集">A policy is a syntax that defines the content of a CSP.
If the HTTP header and the META tag define the CSP at the same time, the HTTP header will be taken precedence.
Once defined, any external resources that do not conform to the CSP policy will be blocked from loading.
3.CSP Syntax 3.1 policyEach strategy is composed of instruction and instruction values:
Content-Security-Policy:指令1 指令值1
The policy and policy are separated by semicolons, for example:
Content-Security-Policy:指令1 指令值1;指令2 指令值2;指令3 指令值3
In one policy, if there are multiple instruction values in one instruction, the instruction values are separated by a null number:
3.2 CSP directiveContent-Security-Policy:指令a 指令值a1 指令值a2
<audio> and video tags <video> .<object> ,, <embed> <applet> .<frame> <iframe> .<iframe> the sandbox properties.| Instruction Value | Description |
|---|---|
| * | Allow any content to load |
| ' None ' | Do not allow any content to load |
| ' Self ' | Allow loading of content from the same source |
| Www.a.com | Allow resources for the specified domain name to be loaded |
| *.a.com | Allow resources to load a.com any subdomain |
| Https://a.com | Allow loading of a.com HTTPS resources |
| Https | Allow HTTPS resources to be loaded |
| Data | Allow data to be loaded: protocol, for example: Base64 encoded picture |
| ' Unsafe-inline ' | Allows inline resources to be loaded, such as style properties, onclick, inline js, inline CSS, and more |
| ' Unsafe-eval ' | Allows dynamic JS code to be loaded, such as eval () |
Example 1
All content comes from the site's own domain:
Content-Security-Policy:default-src ‘self‘Example 2
All content comes from the site's own domain, as well as other subdomains (if the site's address is: a.com):
Content-Security-Policy:default-src ‘self‘ *.a.comExample 3
Web site accepts images from any domain, specifies the domain (a.com) of audio, video, and scripts for multiple specified domains (a.com, B.Com)
Content-Security-Policy:default-src ‘self‘;img-src *;media-src a.com;script-src a.com b.comWeb site prepared by the online CSP: http://cspisawesome.com/
block inline code execution
CSPs in addition to using the whitelist mechanism, blocking inline code execution under the default configuration is the maximum security against content injection. The inline code
here includes: <script> block contents, inline events, inline styles.
(1) script code, <script>......<scritp>
for <script> block content is completely unenforceable. For example:
<script>getyourcookie () </script> (2) inline events.
<a href= "" onclick= "Handleclick ();" ></a> <a href= "Javascript:handleclick (); ></a> (3) inline style
<div style= "Display:none" ></div> Although SCRIPT-SRC and style-src have been provided with the "unsafe-inline" directive to enable the execution of inline code, the "Unsafe-inline" is used sparingly for security purposes.
Eval-related features are disabled
The user enters a string and is then escaped by a function such as eval () to be executed as a script. This type of attack is more common. So the CSP default configuration, eval (), Newfunction (), SetTimeout ([string], ...) and setinterval ([string], ...) are forbidden to run.
Like what:
alert(eval("foo.bar.baz"));window.setTimeout("alert(‘hi‘)", 10); window.setInterval("alert(‘hi‘)", 10); new Function("return foo.bar.baz");If you want to do this, you can convert the string to an inline function to execute.
alert(foo && foo.bar && foo.bar.baz);window.setTimeout(function() { alert(‘hi‘); }, 10);window.setInterval(function() { alert(‘hi‘); }, 10);function() { return foo && foo.bar && foo.bar.baz };The same CSP also provides "unsafe-eval" to open functions such as eval (), but it is strongly not recommended to use the "unsafe-eval" directive.
You can use the Report-uri directive to send the browser an HTTP POST request to transmit the attack report in JSON format to the address you specify. Next, we'll show you how your site is configured to receive attack reports.
Enable reporting
By default, the violation report is not sent. In order to be able to use the violation report, you must use the Report-uri directive and provide at least one receive address.
Content-Security-Policy: default-src self; report-uri http://reportcollector.example.com/collector.cgiIf you want your browser to report only reports and not block anything, you can use the Content-security-policy-report-only header instead.
Violation report Syntax
The report JSON object contains the following data:
blocked-uri:被阻止的违规资源document-uri:拦截违规行为发生的页面original-policy:Content-Security-Policy头策略的所有内容referrer:页面的referrerstatus-code:HTTP响应状态violated-directive:违规的指令Examples of violation reports
The CSP in http://example.com/signup.html specifies that only cdn.example.com CSS styles can be loaded.
Content-Security-Policy: default-src ‘none‘; style-src cdn.example.com; report-uri /test/csp-report.php
The code in signup.html is similar to this:
<!DOCTYPE html>
Can you find the error from the code above? The policy is to allow only CSS styles in the cdn.example.com to be loaded. But signup.html tries to load the STYLE.CSS style of its own domain. This violates the policy, the browser sends the POST request to the http://example.com/test/csp-report.php to submit the report, the sending format is the JSON format.
{ "csp-report": { "document-uri": "http://example.com/signup.html", "referrer": "", "blocked-uri": "http://example.com/css/style.css", "violated-directive": "style-src cdn.example.com", "original-policy": "default-src ‘none‘; style-src cdn.example.com; report-uri /_/csp-reports", }}
You can see from above that Blocked-uri gives a detailed block address http://example.com/css/style.css, but it is not always the case. For example, when attempting to load a CSS style from Http://anothercdn.example.com/stylesheet.css, the browser will not transmit the full path and will only give the http://anothercdn.example.com/address. This is done to prevent the leakage of sensitive information across domains.
The server-side csp-report.php code can write this:
<?php $file = fopen(‘csp-report.txt‘, ‘a‘);$json = file_get_contents(‘php://input‘);$csp = json_decode($json, true);foreach ($csp[‘csp-report‘] as $key => $val) { fwrite($file, $key . ‘: ‘ . $val . "");}fwrite($file, ‘End of report.‘ . "");fclose($file);?>
7. Reference Links
- Http://www.ruanyifeng.com/blog/2016/09/csp.html
- http://blog.topsec.com.cn/ad_lab/content-security-policy/
- 79978761
- Https://www.jianshu.com/p/b223c5b9d5ab
- https://content-security-policy.com/
- Https://www.imuo.com/a/f7566a17dcfe788216bbc5245e91a631fcc259bfac97dc7f94bf8002ba38fa21
- https://w3c.github.io/webappsec-csp/#intro
- Https://kuaibao.qq.com/s/20180522G095D900?refer=spider
Web Security Content Security Policy (CONTENT-SECURITY-POLICY,CSP) detailed
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
