CONTENT SECURITY POLICIES
WHAT? WHY? HOW?
PHP EAST MIDLANDS UNCONFERENCE
HTTP://BIT.LY/PHPEM16-EB
HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS
DECLARES WHAT DYNAMIC RESOURCES ARE ALLOWED TO LOAD
FULL REFERENCE: HTTPS://CONTENT-SECURITY-POLICY.COM
IMG-SRC *
WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.
OBJECT-SRC 'NONE'
DON’T LOAD RESOURCES FROM ANY SOURCE
SCRIPT-SRC 'SELF'
ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)
SCRIPT-SRC 'UNSAFE-INLINE'
ALLOWS USE OF INLINE SOURCE ELEMENTS SUCH AS STYLE ATTRIBUTE, ONCLICK, OR SCRIPT TAG BODIES
<script nonce="$RANDOM">...</script>
script-src 'self' 'nonce-$RANDOM'
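The nonce pattern above, as an added example that is not part of the original slides: a fresh random nonce is minted per response, placed both in the script-src directive and in the script tag, and a small check mimics what the browser does, so a script tag carrying any other nonce (for instance one injected through XSS) does not match the policy. Function names (make_nonce, build_csp, script_tag, nonce_permits) are this example's own.

```python
import base64
import html
import secrets


def make_nonce() -> str:
    # 16 bytes from a CSPRNG, base64-encoded: unguessable and unique per response.
    # Never reuse a nonce across responses; that defeats the whole point.
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str, extra_script_sources=()) -> str:
    """Build the header value: same-origin plus this response's nonce.
    object-src 'none' is included as a sensible default."""
    sources = ["'self'", f"'nonce-{nonce}'", *extra_script_sources]
    return "script-src " + " ".join(sources) + "; object-src 'none'"


def script_tag(nonce: str, body: str) -> str:
    # The nonce goes into the attribute exactly as it appears in the header.
    return f'<script nonce="{html.escape(nonce, quote=True)}">{body}</script>'


def nonce_permits(csp_header: str, tag_nonce: str) -> bool:
    """Mimic the browser's decision: a script tag runs only if its nonce
    appears as 'nonce-<value>' in the script-src directive of the policy."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return f"'nonce-{tag_nonce}'" in parts[1:]
    return False


if __name__ == "__main__":
    nonce = make_nonce()
    header = build_csp(nonce)
    print("Content-Security-Policy:", header)
    print(script_tag(nonce, "init();"))
    # A tag whose nonce was not issued for this response is refused.
    print("injected tag allowed?", nonce_permits(header, make_nonce()))
```

Because the nonce is generated per response, any script the attacker injects cannot know it in advance; the header and the tag must be emitted from the same request context so the two values agree.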
WHEN A POLICY FAILURE OCCURS, THE BROWSER SENDS A JSON PAYLOAD TO THE REPORT-URI URL
Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
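The report-only flow described above, as an added example that is not part of the original slides: the browser POSTs a JSON object with a top-level "csp-report" key, and a receiving endpoint has to parse it and sort real violations from the noise that browser extensions generate. The sample payloads below are constructed (the document URIs and blocked URIs are made up); the function names parse_report, triage and summarize are this example's own.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed samples in the shape a browser POSTs to report-uri.
POLICY = ("script-src 'self' https://*.google.com; style-src 'self'; "
          "report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly")

SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/account",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": POLICY,
        "blocked-uri": "https://third-party.test/widget.js",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/search?q=x",
        "violated-directive": "script-src",
        "original-policy": POLICY,
        "blocked-uri": "inline",
        "line-number": 42}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "violated-directive": "style-src",
        "original-policy": POLICY,
        # browsers reduce extension URLs to their scheme
        "blocked-uri": "chrome-extension"}}),
]

# blocked-uri schemes that come from user-installed extensions, not from the app
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "about"}


def parse_report(payload: str) -> dict:
    """Extract the fields a triage needs; reject payloads without csp-report."""
    data = json.loads(payload)
    report = data.get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked": report.get("blocked-uri", ""),
        "policy": report.get("original-policy", ""),
    }


def triage(report: dict) -> str:
    """Classify a parsed report: 'inline' (a script/style with no nonce or hash,
    either an app template that needs one or an injected payload), 'noise'
    (browser extension), or 'external:<host>' for a third-party load."""
    blocked = report["blocked"]
    if blocked in ("inline", "eval"):
        return "inline"
    parts = urlsplit(blocked)
    scheme = parts.scheme or blocked.split(":")[0]
    if scheme in NOISE_SCHEMES:
        return "noise"
    return f"external:{parts.hostname}" if parts.hostname else f"other:{blocked}"


def summarize(payloads) -> dict:
    """Count triage classes over a batch of raw payloads, e.g. one day of reports."""
    counts = Counter()
    for payload in payloads:
        try:
            counts[triage(parse_report(payload))] += 1
        except (ValueError, json.JSONDecodeError):
            counts["malformed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for payload in SAMPLE_REPORTS:
        r = parse_report(payload)
        print(f"{r['directive']:<11} {triage(r):<30} {r['document']}")
    print(summarize(SAMPLE_REPORTS))
```

Running in report-only mode first and summarising reports this way shows which hosts and inline blocks the policy would break before it is enforced; the noise class keeps extension traffic from masquerading as a violation in the app itself.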
THANKS!
https://joind.in/talk/296a1