csp - what? why? how? phpnw16

CONTENT SECURITY POLICIES WHAT? WHY? HOW?

Upload: matt-brunt

Post on 11-Jan-2017


CONTENT SECURITY POLICIES: WHAT? WHY? HOW?

PHP EAST MIDLANDS UNCONFERENCE

HTTP://BIT.LY/PHPEM16-EB

HTTP RESPONSE HEADER TO HELP REDUCE XSS RISKS

DECLARES WHAT DYNAMIC RESOURCES ARE ALLOWED TO LOAD

A FEW OF THE DIRECTIVES

DEFAULT-SRC

SCRIPT-SRC

STYLE-SRC

FULL REFERENCE: HTTPS://CONTENT-SECURITY-POLICY.COM

IMG-SRC *

WILDCARD, ALLOWS ANY URL EXCEPT DATA: BLOB: FILESYSTEM: SCHEMES.

OBJECT-SRC 'NONE'

'NONE' MATCHES NOTHING: FOR OBJECT-SRC, NO <object>, <embed> OR <applet> CONTENT LOADS FROM ANY SOURCE

SCRIPT-SRC ‘SELF'

ALLOW LOADING FROM SAME ORIGIN (SAME SCHEME, HOST AND PORT)

SCRIPT-SRC 'UNSAFE-INLINE'

ALLOWS INLINE SOURCE SUCH AS STYLE ATTRIBUTES, ONCLICK HANDLERS, javascript: URLS, OR <script> TAG BODIES (THE VERY THINGS AN XSS PAYLOAD INJECTS)

DON’T USE UNSAFE-INLINE: USE A PER-REQUEST NONCE INSTEAD

<script nonce="$RANDOM">...</script>

script-src 'self' 'nonce-$RANDOM'
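The nonce pattern above, carried through as an added PHP example (not code from the talk): one fresh nonce per response, placed in both the header and the `<script>` tag. The function names and the `/csp-report` endpoint are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: issue a fresh nonce for every response
// and use the same value in the header and in the <script> tag.
// Function names and the /csp-report endpoint are assumptions.

/** 128 bits from a CSPRNG, base64-encoded so it is legal in both header and attribute. */
function cspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/** Compose the enforcing policy. 'unsafe-inline' is deliberately absent. */
function buildPolicy(string $nonce, string $reportUri = '/csp-report'): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "report-uri {$reportUri}",
    ]);
}

/**
 * Render a first-party inline script that carries the nonce. $js must be code
 * you wrote, never user input: the nonce whitelists this one tag, it does not
 * sanitise what is inside it.
 */
function inlineScript(string $nonce, string $js): string
{
    $attr = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
    return "<script nonce=\"{$attr}\">{$js}</script>";
}

$nonce = cspNonce();
// header() must be sent before any body output.
header('Content-Security-Policy: ' . buildPolicy($nonce));

echo inlineScript($nonce, 'console.log("runs: nonce matches the header");'), PHP_EOL;

// An injected tag cannot know this response's nonce, so the browser refuses to
// execute it and POSTs a violation report to report-uri instead.
echo '<script>console.log("blocked: no nonce and no unsafe-inline");</script>', PHP_EOL;
```

Two caveats follow from the design: the nonce must be unpredictable and never reused (a static or guessable nonce is 'unsafe-inline' in disguise), and a page that embeds a nonce cannot be served as cached static HTML, because every response needs its own value.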

REPORT-URI

WHEN A POLICY VIOLATION OCCURS, THE BROWSER POSTS A JSON REPORT DESCRIBING IT TO THAT URL

HTTP://REPORT-URI.IO

REPORT-ONLY

REPORTS VIOLATIONS BUT BLOCKS NOTHING: USE IT TO TEST A POLICY AGAINST REAL TRAFFIC BEFORE ENFORCING IT

Content-Security-Policy-Report-Only: script-src 'self' https://*.google.com; style-src 'self'; report-uri https://mfyu.report-uri.io/r/default/csp/reportOnly;
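A hosted service such as report-uri.io collects these reports for you; the following added PHP example (not from the talk) shows what a self-hosted report-uri endpoint has to do with the JSON payload the browser POSTs. The field names are those the browser sends under the "csp-report" key; the size limit, logging destination and sample payload are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: a minimal receiver for CSP violation
// reports. Any client on the internet can POST to this URL, so the body is
// untrusted input: bound its size, require the expected shape, keep only
// known fields and strip control characters before logging.

const MAX_REPORT_BYTES = 16384;   // assumed limit; real reports are well under this

/** Parse one raw report body. Returns the whitelisted fields, or null if unusable. */
function parseCspReport(string $rawBody): ?array
{
    if ($rawBody === '' || strlen($rawBody) > MAX_REPORT_BYTES) {
        return null;
    }
    $decoded = json_decode($rawBody, true, 8);
    if (!is_array($decoded) || !isset($decoded['csp-report']) || !is_array($decoded['csp-report'])) {
        return null;
    }
    $r = $decoded['csp-report'];
    $known = ['document-uri', 'referrer', 'violated-directive', 'effective-directive',
              'original-policy', 'blocked-uri', 'source-file', 'line-number',
              'column-number', 'status-code'];
    $out = [];
    foreach ($known as $field) {
        if (!array_key_exists($field, $r)) {
            continue;
        }
        $v = $r[$field];
        if (is_int($v) || is_float($v)) {
            $out[$field] = $v;
        } elseif (is_string($v)) {
            // No control characters: one report must not be able to forge extra log lines.
            $out[$field] = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $v), 0, 1024);
        }
    }
    return isset($out['violated-directive'], $out['blocked-uri']) ? $out : null;
}

/** One JSON object per line, convenient for grep and log shippers. */
function formatLogLine(array $report): string
{
    return json_encode($report, JSON_UNESCAPED_SLASHES);
}

if (PHP_SAPI !== 'cli') {
    // Running as the /csp-report endpoint: browsers POST with Content-Type application/csp-report.
    $ctype = $_SERVER['CONTENT_TYPE'] ?? '';
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || strpos($ctype, 'application/csp-report') !== 0) {
        http_response_code(400);
        exit;
    }
    $report = parseCspReport((string) file_get_contents('php://input'));
    if ($report !== null) {
        error_log('csp-violation ' . formatLogLine($report));
    }
    http_response_code(204);   // nothing for the browser to render
    exit;
}

// Running from the command line: feed a constructed sample (not a captured report)
// shaped like what a browser sends when an off-site script is blocked.
$sample = '{"csp-report":{"document-uri":"https://example.com/checkout","referrer":"",'
        . '"violated-directive":"script-src \'self\'","effective-directive":"script-src",'
        . '"original-policy":"script-src \'self\'; report-uri /csp-report",'
        . '"blocked-uri":"https://evil.example/x.js","status-code":200}}';
$parsed = parseCspReport($sample);
echo $parsed === null ? 'rejected' : formatLogLine($parsed), PHP_EOL;
```

Expect noise as well as signal: browser extensions, proxies and users' own bookmarklets trigger violations on pages you never changed, so group reports by violated-directive and blocked-uri rather than reading them one by one, and run the policy in Report-Only mode long enough to see that noise before switching to enforcement.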

BROWSER SUPPORT

@SCOTT_HELME

(HE KNOWS HIS STUFF!)

(THIS ISN’T ME)

THANKS!

https://joind.in/talk/296a1