w3c content security policy

W3C Content Security Policy 1.0 One measure against web attacks. No less and no more. @m2w2 Markus Wichmann, May 2013

Upload: markus-wichmann

Post on 20-Jan-2015


DESCRIPTION

What is Content Security Policy (CSP)? How to deploy it, what it's good for, what it's not good for.

TRANSCRIPT

Page 1: W3C Content Security Policy

W3C Content Security Policy 1.0

One measure against web attacks. No less and no more.

@m2w2 Markus Wichmann, May 2013

Page 2: W3C Content Security Policy

What is CSP about at all?

Just some terms:

Web Applications

Web Application Security

Cross-Site Scripting (XSS)

XSS Prevention

Policy Breach Reporting

Content Security Policy 1.0 is a W3C candidate recommendation as of May 2013. I expect it to become a recommendation in the near future.

Page 3: W3C Content Security Policy

Agenda: W3C Content Security Policy (CSP)

The Web without CSP (plain old HTML)

XSS (Cross-Site Scripting)

Enter: CSP

CSP Deployment

CSP Reporting

CSP Limitations

Future of CSP

How browsers show CSP violation attempts

Page 4: W3C Content Security Policy

The Web... without CSP

<html>
  <head>
    ...import style sheets...
    ...import JavaScript files...
  </head>
  <body>
    ...Forum Comments...
    <img src="...">
    ...Google +1 Button...
    ...Facebook Like plugin...
    ...Twitter message...
  </body>
</html>

[Diagram: Web Server (page, basic JS, style sheets); Database (forum comments); external resources: FB plugin, G+ button, Twitter]

Page 5: W3C Content Security Policy

XSS (Cross-Site Scripting), Phase 1: Injection Attack

[Diagram: Server A with Database (forum entries); the page renders the forum comments and offers a <textarea> for new ones]

Hey folks, look at my evil site:

http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS%20Vulnerability%92)%3C%2Fscript%3E

Page 6: W3C Content Security Policy

XSS Phase 2: The Victim

<html>
  ...
  Hey folks, look at my evil site: <script>alert(‘This is an XSS Vulnerability’)</script>
  ...
</html>

[Diagram: Server A serves the page; Database (forum comments) supplies the stored comment]

Page 7: W3C Content Security Policy

XSS Phase 3: Send Victim to Hell – Just one Example

http://www.evil.lab: Evil Scripts, Cookie Stealing, Whatever!

<html>
  <head>
    ...
    <script src="...evil.lab...">
  </head>
  <body>
    <script ...>
  </body>
</html>

[Diagram: numbered steps 1–4 showing the injected script loading further code from www.evil.lab into the victim's browser]

Page 8: W3C Content Security Policy

XSS recap

[Diagram: Hacker, Victim, Web Page (WWW)]

1. Infect the page with an evil script

2. Visit the page

3. Inject the script

4. Do something evil
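The three XSS phases above hinge on one thing: the forum takes the comment text and pastes it into the page unchanged. As an added Python example (not from the slides), the snippet below decodes the q parameter of the link on the phase 1 slide the way a server reading the query string would, then renders it twice: once verbatim, as the phase 2 slide shows, and once HTML-escaped, which is the fix that keeps the text from becoming markup at all. The function names and the surrounding div are assumptions for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the link from the XSS phase 1 slide. Its q parameter
# carries the script, percent-encoded (%91/%92 are Windows-1252 curly quotes).
EVIL_LINK = ("http://bla.com/?q=%3Cscript%3Ealert(%91This%20is%20an%20XSS"
             "%20Vulnerability%92)%3C%2Fscript%3E")


def payload_from_link(link: str) -> str:
    """Decode the q parameter as a server reading the query string would."""
    query = parse_qs(urlsplit(link).query, encoding="cp1252")
    return query.get("q", [""])[0]


def render_comment_unsafe(comment: str) -> str:
    """XSS phase 2 as the slides show it: the stored comment is pasted into the
    page verbatim, so an embedded <script> becomes part of the document."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Output encoding: HTML-escape untrusted text before inserting it. The
    browser then displays the characters instead of running a script."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_script_element(markup: str) -> bool:
    """Rough check used only to contrast the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    comment = "Hey folks, look at my evil site: " + payload_from_link(EVIL_LINK)
    print("unsafe:", render_comment_unsafe(comment))
    print("safe:  ", render_comment_safe(comment))
```

Escaping at output time is what stops the injection; CSP, as the following slides show, is the second line of defence that keeps an injected script from running when the first line was missed.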

Page 9: W3C Content Security Policy

Enter: CSP

Declarative source whitelisting: "What am I allowed to fetch, and from where?"

Page 10: W3C Content Security Policy

Our example, revisited: What do we really need?

<html>
  <head>
    ...import style sheets...
    ...import JavaScript files...
  </head>
  <body>
    ...Forum Comments...
    <img src="...">
    ...Google +1 Button...
    ...Facebook Like plugin...
    ...Twitter message...
  </body>
</html>

[Diagram: Database (forum comments); external resources: FB plugin, G+ button, Twitter; Web Server (page, basic JS, style sheets)]

Page 11: W3C Content Security Policy

What do we really need?

<html>
  <head>
    ...import style sheets...
    ...import JavaScript files...
  </head>
  <body>
    ...Forum Comments...
    <img src="...">
    ...Google +1 Button...
    ...Facebook Like plugin...
    ...Twitter message...
  </body>
</html>

[Diagram: Database (forum comments); external resources: FB plugin, G+ button, Twitter; Web Server (page, basic JS, style sheets)]

1. Style Sheets from our own Web Server

2. JavaScript from our own Web Server

3. JavaScript from apis.google.com

4. iframe content from plusone.google.com

5. iframe content from facebook.com

6. JavaScript from platform.twitter.com

7. iframe content from platform.twitter.com

We DON'T need inline scripts (script tags within the body tag)!

Page 12: W3C Content Security Policy

CSP Deployment

Solution: an HTTP header

Name: Content-Security-Policy *

Values: resource directives, each with a source list

* see CSP's limitations (as of May 2013) 1/2 for special cases/special browsers

Page 13: W3C Content Security Policy

CSP Deployment: Our recent example

If you wrote it separately (don't do this, not correct, just for demonstration purposes):

Content-Security-Policy: default-src 'self';
Content-Security-Policy: style-src 'self';
Content-Security-Policy: script-src 'self' https://apis.google.com https://platform.twitter.com;
Content-Security-Policy: frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;

Correct all-in-one notation:

Content-Security-Policy: default-src 'self'; style-src 'self'; script-src 'self' https://apis.google.com https://platform.twitter.com; frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;

1. Style Sheets from our own Web Server

2. JavaScript from our own Web Server

3. JavaScript from apis.google.com

4. iframe content from plusone.google.com

5. iframe content from facebook.com

6. JavaScript from platform.twitter.com

7. iframe content from platform.twitter.com

We DON'T want inline scripts = script tags within the body tag!

Page 14: W3C Content Security Policy

CSP Directives

default-src    origin to fall back on if there's no rule that is more specific (e.g. see directives below)

style-src      origins for CSS stylesheets

img-src        origins for image files

font-src       origins to load web-fonts from

frame-src      origins embeddable into iframes

media-src      origins of HTML5 audio and video

object-src     origins of Flash and similar plugins

connect-src    origins to connect to using XHR, WebSockets, and EventSource

Page 15: W3C Content Security Policy

CSP Source Lists

'none'             restrict directive to nothing at all

'self'             current origin, but not its subdomains

'unsafe-inline'    allows inline JavaScript and CSS

'unsafe-eval'      allows JavaScript's eval method

http://uri.lab     URI to allow, space-separated if multi
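To make the deployment slide and the two rule slides (directives, source lists) concrete, here is an added Python example that is not part of the deck: it parses the all-in-one header from the deployment slide and decides, for a given kind of load and URL, whether the browser would fetch it. The matcher implements a simplified subset of CSP 1.0 host matching (scheme, host with a leading *. wildcard, port; no '*' or scheme-only sources), the fallback to default-src, and the rule that 'self' means the page's own origin without subdomains. PAGE_URL and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# The all-in-one header from the deployment slide, reused here as sample input.
POLICY_HEADER = (
    "default-src 'self'; style-src 'self'; "
    "script-src 'self' https://apis.google.com https://platform.twitter.com; "
    "frame-src https://plusone.google.com https://facebook.com https://platform.twitter.com;"
)

# Constructed address of the page that carries the header (assumption).
PAGE_URL = "https://forum.example/index.html"


def parse_policy(header: str) -> dict:
    """Turn 'name src src; name src' into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> tuple:
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname, u.port)


def source_matches(source: str, url: str, page_url: str) -> bool:
    """Does one source-list entry permit fetching url from a page at page_url?
    Simplified CSP 1.0 host matching: scheme (the page's scheme if the source
    names none), host (a leading '*.' matches subdomains) and port must agree.
    Keyword sources other than 'self'/'none' widen what may run, not where
    fetches may go, so they never match a URL."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(page_url)  # same origin, no subdomains
    if source.startswith("'"):
        return False
    src = urlsplit(source if "://" in source else "//" + source)
    target = urlsplit(url)
    want_scheme = (src.scheme or urlsplit(page_url).scheme).lower()
    if target.scheme.lower() != want_scheme or target.port != src.port:
        return False
    host, want = target.hostname or "", src.hostname or ""
    if want.startswith("*."):
        return host.endswith(want[1:]) and host != want[1:]
    return host == want


def is_allowed(policy: dict, directive: str, url: str, page_url: str = PAGE_URL) -> bool:
    """Apply the most specific directive, falling back to default-src.
    With neither present, CSP 1.0 places no restriction on that load."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_url) for s in sources)


def inline_scripts_allowed(policy: dict) -> bool:
    """Inline <script> bodies run only if the governing list says 'unsafe-inline'."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


def audit(header: str, loads: list) -> dict:
    """Map each (directive, url) pair to True (fetched) or False (blocked)."""
    policy = parse_policy(header)
    return {url: is_allowed(policy, directive, url) for directive, url in loads}


if __name__ == "__main__":
    # Constructed loads: the seven needs from the slide plus an injected script.
    sample = [
        ("style-src", "https://forum.example/css/site.css"),
        ("script-src", "https://forum.example/js/app.js"),
        ("script-src", "https://apis.google.com/js/plusone.js"),
        ("frame-src", "https://plusone.google.com/_/+1/fastbutton"),
        ("frame-src", "https://facebook.com/plugins/like.php"),
        ("script-src", "https://platform.twitter.com/widgets.js"),
        ("frame-src", "https://platform.twitter.com/widgets/tweet_button.html"),
        ("script-src", "https://evil.example.com/evil.js"),
    ]
    for url, ok in audit(POLICY_HEADER, sample).items():
        print("fetched" if ok else "BLOCKED", url)
    print("inline scripts:", inline_scripts_allowed(parse_policy(POLICY_HEADER)))
```

Two things fall out of the deck's own policy when you run this: an image from the site's own origin is allowed only through the default-src fallback, and a script from a subdomain of the site is blocked because 'self' excludes subdomains. The same exact-host rule applies to third parties, so a frame served from a subdomain such as www.facebook.com would be blocked by a list that names only facebook.com; check the URLs the plugins actually load before shipping the header.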

Page 16: W3C Content Security Policy

CSP Deployment's effect

Attacker finds a hole? Bad enough.

Attacker injects a script? Bad enough.

But: if the script does not match the whitelist, it cannot be executed.

Bad enough... for the attacker.

Page 17: W3C Content Security Policy

CSP Reporting

Find weak pieces of your code: let the browser report attempted policy breaches!

Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser;

CSP violation attempts are reported to the specified URI in JSON format like this:

{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/csp_report_parser"
  }
}
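The slide names /csp_report_parser but does not show what sits behind it. As an added Python example (not part of the slides), the code below takes the POST body a browser sends to the report URI, validates it and reduces it to a log record. The body is untrusted input: anyone can POST to the endpoint, and a browser on a compromised page will dutifully report whatever the page made it load, so the parser checks structure and size rather than trusting the fields. The size cap, the error type and the function names are assumptions; the sample body is the slide's own JSON.

```python
import json
from urllib.parse import urlsplit

# The slide's sample report, encoded as the request body a browser would POST
# to the report-uri (constructed here as bytes).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "http://example.org/page.html",
        "referrer": "http://evil.example.com/",
        "blocked-uri": "http://evil.example.com/evil.js",
        "violated-directive": "script-src 'self' https://apis.google.com",
        "original-policy": "script-src 'self' https://apis.google.com; "
                           "report-uri http://example.org/csp_report_parser",
    }
}).encode()

# Fields a report must carry to be useful; names as on the slide.
REQUIRED = ("document-uri", "blocked-uri", "violated-directive", "original-policy")
MAX_BODY = 16 * 1024  # assumed cap: reports are small, clients are untrusted


class BadReport(ValueError):
    """Raised for bodies that are not a well-formed CSP report."""


def parse_csp_report(body: bytes) -> dict:
    """Validate an incoming report and reduce it to the fields worth logging."""
    if len(body) > MAX_BODY:
        raise BadReport("body too large")
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError) as exc:
        raise BadReport(f"not a CSP report: {exc}") from None
    if not isinstance(report, dict):
        raise BadReport("csp-report is not an object")
    for key in REQUIRED:
        if not isinstance(report.get(key), str):
            raise BadReport(f"missing or non-string field: {key}")
    # The directive name alone is what you group on; the rest is its source list.
    directive = (report["violated-directive"].split() or ["?"])[0]
    blocked = report["blocked-uri"]
    # Violations of inline scripts carry no host in blocked-uri; keep the raw value then.
    blocked_host = urlsplit(blocked).hostname or blocked
    return {
        "page": report["document-uri"],
        "directive": directive,
        "blocked_host": blocked_host,
        "blocked_uri": blocked,
        "referrer": report.get("referrer", "") if isinstance(report.get("referrer", ""), str) else "",
    }


def handle_report_request(body: bytes) -> tuple:
    """Minimal endpoint logic: (204, summary) on success, (400, error) otherwise.
    A real server would write the summary to its log and answer with no body."""
    try:
        summary = parse_csp_report(body)
    except BadReport as exc:
        return 400, {"error": str(exc)}
    return 204, summary


if __name__ == "__main__":
    status, record = handle_report_request(SAMPLE_REPORT)
    print(status, json.dumps(record))
```

Grouping the stored records by page and directive is what turns the stream of reports into the "weak pieces of your code" the slide talks about: a page that keeps reporting inline script violations is either a template that still needs cleaning or an injection point.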

Page 18: W3C Content Security Policy

CSP's limitations (as of May 2013) 1/2

Browsers supporting CSP 1.0:

Firefox 4–16 partial support, use X-Content-Security-Policy

Firefox 17+ seems like full support, use X-Content-Security-Policy

Chrome 14+ seems to me like full support

IE 10+ very rudimentary support, see http://goo.gl/p5rke

Safari 5.1 partial support, use X-WebKit-CSP as header name

Safari 6.0+ seems to me like full support

iOS 6.0 Safari seems to me like full support

Chrome for Android 25+ seems to me like full support

Sources: http://caniuse.com/contentsecuritypolicy and Mike West's Twitter post (linked on the credits slide)

Page 19: W3C Content Security Policy

CSP's limitations (as of May 2013) 2/2

CSP protects users against: most Cross-Site Scripting attacks

CSP does NOT protect against:

Cross-Site Request Forgery (XSRF/CSRF)

Session Riding

Cookie Stealing (though this is a bit more difficult with CSP in place)

SQL Injection

And please use HTTPS (HTTP over SSL) wherever possible.

Page 20: W3C Content Security Policy

Possible Future of CSP

CSP 1.1 is currently in draft status (as of 05/2013). It will mainly add more directives:

script-nonce    allow specific(!) inline scripts

plugin-types    allow specific plugin MIME types

form-action     specify form action URIs to allow

See https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental

Page 21: W3C Content Security Policy

How browsers show CSP violations in their debuggers (Firebug, Developer Tools, etc.)

[Screenshots: Firefox console and Chrome Developer Tools, each showing the message logged for a blocked CSP violation]

Page 22: W3C Content Security Policy

Thanks to all authors of the following pages:

http://www.w3.org/TR/CSP/

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#frame-options--experimental

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

http://en.wikipedia.org/wiki/Cross-site_scripting

http://de.wikipedia.org/wiki/Cross-Site-Request-Forgery

http://en.wikipedia.org/wiki/Same_origin_policy

http://en.wikipedia.org/wiki/JSONP

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Introduction

http://en.wikipedia.org/wiki/Samy_worm

http://maulwuff.de/pws/2012/web20sec/vortrag.html

https://www.bsi.bund.de/cae/servlet/contentblob/476464/publicationFile/30632/WebSec_pdf

http://www.linuxforu.com/2012/03/cyber-attacks-explained-web-exploitation/

http://www.linuxforu.com/2010/09/securing-apache-part-2-xss-injections/

https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465

https://twitter.com/mikewest/status/268721123145957377

http://people.mozilla.com/~bsterne/content-security-policy/

http://people.mozilla.com/~bsterne/content-security-policy/origin-header-proposal.html

http://de.slideshare.net/shreeraj/xss-and-csrf-with-html5

http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion

http://intothesymmetry.blogspot.de/2012/06/facebook-logout-csrf-and-oauth-2.html

http://www.kendoui.com/blogs/archive/11-10-03/using_cors_with_all_modern_browsers.aspx


Page 23: W3C Content Security Policy

Thank you.

@m2w2: Constructive criticism always welcome!

Disclaimer: The author of these slides does not give and cannot give any kind of warranties or guarantees or anything the like on the correctness of any information provided in these slides.

@m2w2 Markus Wichmann, May 2013