Implementing a Content-Security-Policy - Metal Toad · 2016-12-08 · @grendzy
Implementing a Content-Security-Policy
Dylan Tack @grendzy
#DrupalCampLA 2015
@grendzy Implementing a Content-Security-Policy
Cross-site scripting (XSS)
<script>alert("xss")</script>
<script src="http://evil.com"></script>
Demo
47% of sites have an XSS vulnerability
[ WhiteHat Website Security Statistics Report 2015 ]
Evil robots: attacks are automated
CSP to the rescue!
<script src="http://evil.com"></script>
Content-Security-Policy: script-src 'self'
⛔ Refused to load the script 'http://evil.com/' because it violates the following Content Security Policy directive: "script-src 'self'".
Content-Security-Policy: script-src 'self' google-analytics.com
Other source expressions: a bare scheme such as https: or a host pattern such as *://*.example.com:*
⚠ 'unsafe-eval' 🚫 'unsafe-inline'
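To make the matching rules on these two slides concrete, here is an added Python example (not from the talk) that implements simplified CSP Level 2 source-expression matching for 'self', scheme-sources like https: and host-sources like *://*.example.com:*, and checks a script URL against a script-src value; the page and script URLs used below are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_allows(expr, url, page_url):
    """Simplified CSP Level 2 matching for one source expression:
    'self', a scheme-source ("https:") or a host-source ("*://*.example.com:*")."""
    target, page = urlsplit(url), urlsplit(page_url)
    if expr == "'self'":
        return (target.scheme, target.hostname, _effective_port(target)) == (
            page.scheme, page.hostname, _effective_port(page))
    if expr.endswith(":") and "://" not in expr:
        return target.scheme == expr[:-1].lower()
    scheme, _, hostport = expr.rpartition("://")
    host, _, port = hostport.partition(":")
    # Scheme: an explicit scheme must match, "*" matches any, and no scheme
    # means the page's own scheme (an http page may also load https).
    if scheme and scheme != "*":
        if target.scheme != scheme.lower():
            return False
    elif not scheme and target.scheme not in {page.scheme, "https"}:
        return False
    # Host: a leading "*." matches any subdomain but not the bare host.
    hostname, host = (target.hostname or "").lower(), host.lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:]):
            return False
    elif hostname != host:
        return False
    # Port: "*" matches any; an absent port means the scheme's default port.
    if port == "*":
        return True
    wanted = int(port) if port else DEFAULT_PORTS.get(target.scheme)
    return _effective_port(target) == wanted


def policy_allows(directive_value, url, page_url):
    """True if any source expression in a script-src value allows the URL."""
    return any(source_allows(e, url, page_url) for e in directive_value.split())
```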
Everything is going to break
@bcrypt
Replace variables with data-* attributes
<script>
var theAnswer = 42; // Bad
</script>

<body data-answer="42"> <!-- Good!! -->
Use JSON blocks for larger objects
<!-- Bad -->
<script>
var settings = {"answer": 42, "question": null};
</script>

<!-- Good!! -->
<script type="application/json" id="settings">
{"answer": 42, "question": null}
</script>
Use JSON blocks for larger objects
<!-- Good!! -->
<script type="application/json" id="settings">
{"answer": 42, "question": null}
</script>

var settings = JSON.parse(document.getElementById('settings').innerHTML);
Look for document.createElement()
// Bad
(function() {
  var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

<!-- Good!! -->
<script src="//www.google-analytics.com/ga.js" async></script>
Replace inline event handlers
<!-- Bad -->
<a onclick="deepThought()"></a>

<!-- Good!! -->
<a class="ask"></a>

$('.ask').click(deepThought);
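A way to find the patterns slides 13 to 17 tell you to refactor before a policy goes live, as an added Python example that is not part of the talk: it scans HTML for inline script bodies, on* handlers and javascript: URLs, treating JSON data blocks and nonce'd scripts as fine. The sample markup is constructed from the slides' snippets; names are my own.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the slides' Bad/Good snippets.
SAMPLE_HTML = """<body data-answer="42">
<script>var theAnswer = 42;</script>
<script type="application/json" id="settings">{"answer": 42, "question": null}</script>
<a onclick="deepThought()">ask</a>
<a class="ask" href="#">ask</a>
<script src="/js/app.js"></script>
</body>"""

# Script types the browser never executes, so they need no CSP source.
NON_EXEC_TYPES = {"application/json", "application/ld+json", "text/template"}


class InlineScriptFinder(HTMLParser):
    """Flags markup that breaks under script-src without 'unsafe-inline'."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (line, message)
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "script":
            mime = (attrs.get("type") or "text/javascript").split(";")[0].strip().lower()
            # External or nonce'd scripts are covered by host/nonce sources; only
            # an executable inline body (checked in handle_data) is a problem.
            self._inline_script = (mime not in NON_EXEC_TYPES
                                   and "src" not in attrs and "nonce" not in attrs)
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, f'inline handler {name}="{value}"'))
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}"))

    def handle_data(self, data):
        if self._inline_script and data.strip():
            self.findings.append((self.getpos()[0],
                                  "inline <script> body: move to a file, data-* attribute or JSON block"))
            self._inline_script = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False


def find_csp_blockers(html):
    """Return (line, message) findings for one HTML document."""
    parser = InlineScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```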
Going to production
Content-Security-Policy: script-src 'self'; report-uri https://report-uri.io/report/a83af30
Content-Security-Policy-Report-Only: script-src 'self'; report-uri https://report-uri.io/report/a83af30
https://report-uri.io/
Inside a CSP report
{
  "csp-report": {
    "document-uri": "http://www.metaltoad.com/blog/successful-digital-pm",
    "referrer": "",
    "violated-directive": "script-src 'self' 'unsafe-eval' *.metaltoad.com *.google-analytics.com",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self' 'unsafe-eval' *.metaltoad.com *.google-analytics.com; report-uri https://report-uri.io/report/..",
    "blocked-uri": "http://indexx.org",
    "source-file": "http://dfwu1019.info",
    "line-number": 1,
    "column-number": 10002,
    "status-code": 200
  }
}
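Reading a report-uri feed by hand does not scale, so here is an added Python example (not the talk's or report-uri.io's code) that triages reports in the csp-report shape above into three buckets: inline scripts to refactor, hosts the page itself loads that the policy is missing, and scripts requested from a foreign source-file origin like the one on this slide. The sample reports are constructed; hosts under .invalid are placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports in the CSP Level 2 "csp-report" shape shown on
# the slide; hosts under .invalid are placeholders, not real indicators.
SAMPLE_REPORTS = [
    '''{"csp-report": {"document-uri": "https://www.example.com/blog/post",
        "violated-directive": "script-src 'self' *.example.com",
        "effective-directive": "script-src",
        "blocked-uri": "http://injected.invalid",
        "source-file": "http://injected.invalid",
        "line-number": 1, "column-number": 10002, "status-code": 200}}''',
    '''{"csp-report": {"document-uri": "https://www.example.com/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.com/app.js",
        "source-file": "https://www.example.com/",
        "line-number": 12, "column-number": 3, "status-code": 200}}''',
    '''{"csp-report": {"document-uri": "https://www.example.com/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline", "source-file": "https://www.example.com/",
        "line-number": 40, "column-number": 1, "status-code": 200}}''',
]


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def triage(report_json):
    """Classify one report: 'inline' (refactor the page), 'injected' (script
    from another origin tried to load more script) or 'missing-source' (the
    page itself loaded a host the policy does not yet allow)."""
    r = json.loads(report_json)["csp-report"]
    blocked = r.get("blocked-uri", "")
    source_file = r.get("source-file", "")
    if blocked in ("inline", "eval", ""):
        kind = "inline"
    elif source_file and origin(source_file) != origin(r["document-uri"]):
        kind = "injected"
    else:
        kind = "missing-source"
    return {"kind": kind,
            "directive": r.get("effective-directive", ""),
            "blocked_host": urlsplit(blocked).hostname or blocked,
            "source_host": urlsplit(source_file).hostname or source_file}


def summarize(reports):
    """Collapse a feed to counts per (kind, blocked host) for review."""
    return Counter((t["kind"], t["blocked_host"]) for t in map(triage, reports))
```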
YouTube
Content-Security-Policy: child-src https://youtube.com
Google Analytics
Content-Security-Policy: script-src google-analytics.com
Twitter
Source: https://dev.twitter.com/web/overview/widgets-webpage-properties
Case study: https://blog.twitter.com/2011/improving-browser-security-csp
Content-Security-Policy: script-src https://platform.twitter.com; child-src https://platform.twitter.com;
Facebook
Content-Security-Policy: child-src https://facebook.com
CKEditor
Unsafe tags: <script> <object> <embed> <style> <iframe> <img> (maybe)
Additional Directives
base-uri ⚠
child-src ⚠
connect-src
font-src
form-action ⚠
frame-ancestors ⚠
img-src
media-src
object-src
plugin-types ⚠
script-src
style-src
CSP Level 2
Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='

<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
// Some inline code I can't remove yet, but need to asap.
</script>
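An added Python example (not from the talk) showing how a server produces the two Level 2 sources on this slide: the hash-source is the base64 SHA-256 of the exact inline script body, and the nonce is a fresh random value per response; it also checks whether a given inline script is admitted by a script-src value. Function names are my own.

```python
import base64
import hashlib
import secrets


def hash_source(script_body, algo="sha256"):
    """CSP Level 2 hash-source for an inline script: the digest of the exact
    bytes between <script> and </script> (whitespace included), in base64."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(nbytes=16):
    """Fresh random nonce; generate one per response and never reuse it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_script_src(hosts=(), inline_bodies=(), nonce=None):
    """Assemble a script-src value: 'self', allowed hosts, one hash per
    inline script that cannot be moved yet, and optionally a nonce."""
    parts = ["'self'", *hosts]
    parts += [hash_source(body) for body in inline_bodies]
    if nonce:
        parts.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(parts)


def render_inline_script(body, nonce):
    """Emit the inline <script> with the nonce attribute the policy expects."""
    return f'<script nonce="{nonce}">{body}</script>'


def inline_allowed(script_src_value, body, nonce_attr=None):
    """Would a browser run this inline script under the given script-src?
    Yes if the body's hash is listed, or its nonce attribute matches."""
    sources = script_src_value.split()
    if hash_source(body) in sources:
        return True
    return nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources
```

Note that changing a single byte of the inline body (even trailing whitespace) changes the hash, so the policy must be regenerated from the exact markup that is served.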
Browser support
caniuse.com
A note about page speed
Questions?
Further reading: html5rocks.com/en/tutorials/security/content-security-policy