AppSec USA 2016: Demystifying CSP
Ilya Nesterov, Shape Security, @ilya_online
What does CSP stand for?
Content Security Policy (CSP) - a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as XSS.
CSP Level 1
• Policy delivery via HTTP header only
• Multiple CSP headers allowed
• Sandbox directive is optional
• script-src governs workers
New in CSP Level 2
• Policy delivery via <meta>
• New directives: child-src, form-action, frame-ancestors, base-uri, plugin-types
• Source-expression supports hash and nonce
• host-source can use path for matching
• SecurityPolicyViolationEvent
• Extended violation report
• child-src governs workers
New in CSP Level 3
• New directives: manifest-src, worker-src, report-to, block-mixed-content, upgrade-insecure-requests, require-sri-for
• frame-src undeprecated
• New in source-expression: 'strict-dynamic'
• Changes in url and source-expression matching algorithms
• Additional changes to violation reports
Alexa top 1 000 000 data
• 1 000 000 site landing pages
• 4515 sites have CSP policies
• 2339 individual policies
• 116 sites have CSP-RO (25 policies)
• 986 sites send violation reports
• 1323 sites use only frame-ancestors
• 102 upgrade-insecure-requests
Alexa top 1 000 000 data
• 72.7% CSP (default-src OR script-src AND object-src)
• 7.52% CSP (no 'unsafe-inline')
  – 1.84% whitelist via nonce/hash
• 3.04% CSP (nonce/hash + 'unsafe-inline')
How to build good CSP
• Define default-src or script-src and object-src
• Say NO to 'unsafe-inline'
• Whitelist via nonce/hash
• Narrow down whitelist
• Use 'strict-dynamic'
• Get continuous feedback via violation reports
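As an added example (not from the talk, and not Shape Security's salvation library), a small Python checker that parses a serialized policy and scores it against the points above; the two sample policies in the comments are constructed.

```python
import re
from typing import Dict, List

# Nonce and hash source expressions (CSP Level 2) that let a policy whitelist
# specific inline scripts without 'unsafe-inline'.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.
    Directive names are case-insensitive; when a directive is repeated the
    first occurrence wins, as the CSP spec requires."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def evaluate_csp(header: str) -> Dict[str, bool]:
    """Check a policy against the talk's 'how to build good CSP' points.
    Constructed inputs, e.g.
      weak:   default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com
      strong: script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:;
              object-src 'none'; report-uri /csp"""
    p = parse_csp(header)
    # Script execution is governed by script-src, else by the default-src fallback.
    script_sources = p.get("script-src", p.get("default-src", []))
    restricts = "default-src" in p or ("script-src" in p and "object-src" in p)
    no_unsafe_inline = "'unsafe-inline'" not in script_sources
    # 'unsafe-inline' is acceptable only as a fallback for browsers that do not
    # understand nonce/hash; CSP2 browsers ignore it when a nonce/hash is present.
    nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in script_sources)
    return {
        "restricts_scripts_and_objects": restricts,
        "no_unsafe_inline": no_unsafe_inline,
        "whitelists_via_nonce_or_hash": nonce_or_hash,
        "uses_strict_dynamic": "'strict-dynamic'" in script_sources,
        "collects_violation_reports": "report-uri" in p or "report-to" in p,
        # A frame-ancestors-only policy, or one with unguarded 'unsafe-inline', fails.
        "follows_talk_guidance": restricts and (no_unsafe_inline or nonce_or_hash),
    }
```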
CSP what is next?
• Decrease deployment friction:
  – 'strict-dynamic'
  – middleware to build CSP automatically
  – support for legacy software (LB, RP)
• Faster adoption of new standards by browsers
• Education and documentation
• More tools!
Resources:
• https://cspvalidator.org
• https://csp-evaluator.withgoogle.com/
• https://csp.withgoogle.com
• https://github.com/shapesecurity/salvation
• https://report-uri.io
• https://www.w3.org/TR/CSP3/
• https://www.w3.org/2011/webappsec/