Content Security Policy

From HandWiki - Reading time: 7 min

Short description: Computer security standard to prevent cross-site scripting and related attacks

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group on Web Application Security,[2] widely supported by modern web browsers.[3] CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Status

The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004,[4] first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as W3C candidate recommendation[5] and quickly with further versions (Level 2) published in 2014. (As of 2023), the draft of Level 3 is being developed with the new features being quickly adopted by the web browsers.[6]

The following header names are in use as part of experimental CSP implementations:[3]

  • Content-Security-Policy – standard header name proposed by the W3C document. Google Chrome supports this as of version 25.[7] Firefox supports this as of version 23,[8] released on 6 August 2013.[9] WebKit supports this as of version 528 (nightly build).[10] Chromium-based Microsoft Edge support is similar to Chrome's.[11]
  • X-WebKit-CSP – deprecated, experimental header introduced into Google Chrome, Safari and other WebKit-based web browsers in 2011.[12]
  • X-Content-Security-Policy – deprecated, experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1).[13]

A website can declare multiple CSP headers, also mixing enforcement and report-only ones. Each header will be processed separately by the browser.

CSP can also be delivered within the HTML code using a HTML META tag, although in this case its effectiveness will be limited.[14]

Internet Explorer 10 and Internet Explorer 11 also support CSP, but only sandbox directive, using the experimental X-Content-Security-Policy header.[15]

A number of web application frameworks support CSP, for example AngularJS[16] (natively) and Django (middleware).[17] Instructions for Ruby on Rails have been posted by GitHub.[18] Web framework support is however only required if the CSP contents somehow depend on the web application's state—such as usage of the nonce origin. Otherwise, the CSP is rather static and can be delivered from web application tiers above the application, for example on load balancer or web server.

Bypasses

In December 2015[19] and December 2016,[20] a few methods of bypassing 'nonce' allowlisting origins were published. In January 2016,[21] another method was published, which leverages server-wide CSP allowlisting to exploit old and vulnerable versions of JavaScript libraries hosted at the same server (frequent case with CDN servers). In May 2017[22] one more method was published to bypass CSP using web application frameworks code.

Mode of operation

Mapping between HTML5 and JavaScript features and Content Security Policy controls

If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative allowlist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default:

While using CSP in a new application may be quite straightforward, especially with CSP-compatible JavaScript framework,[lower-alpha 4] existing applications may require some refactoring—or relaxing the policy. Recommended coding practice for CSP-compatible web applications is to load code from external source files (<script src>), parse JSON instead of evaluating it and use EventTarget.addEventListener() to set event handlers.[23]

Notes

  1. This behavior can be disabled globally by a special 'unsafe-inline' statement
  2. 2.0 2.1 Trusted inline <script> and <style> blocks can be individually allowlisted in the CSP using nonce or hash statements.
  3. This behavior can be disabled globally by a special 'unsafe-eval' statement
  4. For example, AngularJS requires only one initialization flag to be switched into the CSP-compatible mode—<html ng-app ng-csp>

Reporting

Any time a requested resource or script execution violates the policy, the browser will fire a POST request to the value specified in report-uri[24] or report-to[25] containing details of the violation.

CSP reports are standard JSON structures and can be captured either by application's own API[26] or public CSP report receivers.[citation needed]

In 2018 security researchers showed how to send false positive reports to the designated receiver specified in report-uri . This allows potential attackers to arbitrarily trigger those alarms and might render them less useful in case of a real attack.[27] This behaviour is intended and cannot be fixed, as the browser (client) is sending the reports.

Browser add-ons and extensions exemption

According to the original CSP (1.0) Processing Model (2012–2013),[28] CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP would have effectively allowed any add-on, extension, or Bookmarklet to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies.

However, this policy has since been modified (as of CSP 1.1[29]) with the following wording. Note the use of the word "may" instead of the prior absolute "should (not)" wording:

Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.

The absolute "should" wording was being used by browser users to request/demand adherence to the policy and have changes installed in popular browsers (Firefox, Chrome, Safari) to support it. This was particularly contentious when sites like Twitter and GitHub started using strong CSP policies, which 'broke' the use of Bookmarklets.[30]

The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, it has been argued to the working group by a representative of Cox Communications that this exemption is a potential security hole that could be exploited by malicious or compromised add-ons or extensions.[31][32]

Complementary measures

(As of 2015) a number of new browser security standards are being proposed by W3C, most of them complementary to CSP:[33]

  • Subresource Integrity (SRI), to ensure only known, trusted resource files (typically JavaScript, CSS) are loaded from third-party servers (typically CDNs)
  • Mixed Content, to clarify the intended browser's policy on pages loaded over HTTPS and linking content over plaintext HTTP
  • Upgrade Insecure Requests, hinting browsers on how to handle legacy links on pages migrated to HTTPS
  • Credential Management, a unified JavaScript API to access user's credentials to facilitate complex login schemes,
  • Referrer Policy, CSP extension to hint the browser on generation of the Referer headers.[33]

See also

References

  1. Sid Stamm (2009-03-11). "Security/CSP/Spec - MozillaWiki". wiki.mozilla.org. https://wiki.crome.org/index.php?title=Security/CSP/Spec&oldid=133465. "Content Security Policy is intended to help web designers or server administrators specify how content interacts on their web sites. It helps mitigate and detect types of attacks such as XSS and data injection." 
  2. "State of the draft". 2016-09-13. http://www.w3.org/TR/CSP/#sotd. 
  3. 3.0 3.1 "Can I use Content Security Policy?". Fyrd. http://caniuse.com/contentsecuritypolicy. 
  4. Robert Hansen (2009-06-01). "Mozilla's Content Security Policy". http://ha.ckers.org/blog/20090701/mozillas-content-security-policy/. "Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous." 
  5. "Content Security Policy 1.0". W3C. http://www.w3.org/TR/2012/CR-CSP-20121115/. 
  6. "Content Security Policy Level 3". W3C. https://w3c.github.io/webappsec-csp/. 
  7. "Chrome 25 Beta: Content Security Policy and Shadow DOM". Google. January 14, 2013. https://blog.chromium.org/2013/01/content-security-policy-and-shadow-dom.html. 
  8. "Content Security Policy 1.0 lands in Firefox Aurora". Mozilla Foundation. May 29, 2013. https://hacks.mozilla.org/2013/05/content-security-policy-1-0-lands-in-firefox-aurora/. 
  9. "RapidRelease/Calendar". Mozilla Foundation. May 29, 2013. https://wiki.mozilla.org/RapidRelease/Calendar. 
  10. "Bug 96765 - Implement the "Content-Security-Policy" header". WebKit. October 31, 2012. https://bugs.webkit.org/show_bug.cgi?id=96765. 
  11. "Content Security Policy (CSP)". Microsoft. https://docs.microsoft.com/en-us/microsoft-edge/extensions-chromium/store-policies/csp. 
  12. "New Chromium security features, June 2011". Google. June 14, 2011. https://blog.chromium.org/2011/06/new-chromium-security-features-june.html. 
  13. "Introducing Content Security Policy". Mozilla Foundation. https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy. 
  14. "HTML META element". Content Security Policy Level 2. W3C. http://www.w3.org/TR/CSP2/#delivery-html-meta-element. 
  15. "Defense in Depth: Locking Down Mash-Ups with HTML5 Sandbox". Windows Internet Explorer Engineering Team. http://blogs.msdn.com/b/ie/archive/2011/07/14/defense-in-depth-locking-down-mash-ups-with-html5-sandbox.aspx. 
  16. "ngCsp directive". AngularJS. https://docs.angularjs.org/api/ng/directive/ngCsp. 
  17. "django-security". 21 November 2022. https://github.com/sdelements/django-security. 
  18. "Content security policy". GitHub. 19 April 2013. https://github.com/blog/1477-content-security-policy. 
  19. "CSP 2015". XSS Jigsaw. 23 November 2015. http://blog.innerht.ml/csp-2015/. 
  20. Lekies, Sebastian. "Collection of CSP bypasses". http://sebastian-lekies.de/csp/bypasses.php. 
  21. "An Abusive Relationship with AngularJS". 12 December 2015. http://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs. 
  22. OWASP (2017-05-25), AppSec EU 2017 Don't Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets by Sebastian Lekies, https://www.youtube.com/watch?v=p07acPBi-qw, retrieved 2017-06-05 
  23. West, Mike (June 15, 2012). "An Introduction to Content Security Policy". HTML5 Rocks. http://www.html5rocks.com/en/tutorials/security/content-security-policy/. 
  24. "Content Security Policy Level 3". https://www.w3.org/TR/CSP/Overview.html. 
  25. "CSP: report-to - HTTP | MDN". https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to. 
  26. For example in Django a CSP receiver is available in django-security module.
  27. "Flaring The Blue Team - When You Confuse Them You Lose Them" (in en). 2018-11-04. https://www.secjuice.com/red-team-flaring-using-report-uri/. 
  28. "CSP Processing Model". 2012-11-15. http://www.w3.org/TR/CSP/#processing-model. 
  29. "CSP 1.1: Add non-normative language for extensions.". GitHub. 27 Feb 2014. https://github.com/w3c/webappsec/commit/73963d509b20513a6f42b1e0839715aca8b578b0. 
  30. "Bug 866522 - Bookmarklets affected by CSP". Mozilla. 28 Apr 2013. https://bugzilla.mozilla.org/show_bug.cgi?id=866522. 
  31. "Subverting CSP policies for browser add-ons (extensions).". 2013-09-25. https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357. 
  32. "Re: [CSP Request to amend bookmarklet/extensions sentence in CSP1.1"]. 2014-08-03. http://lists.w3.org/Archives/Public/public-webappsec/2014Aug/0004.html. 
  33. 33.0 33.1 "Web Application Security Working Group". https://github.com/w3c/webappsec. 
  34. "Noscript security suite addon for Firefox". https://addons.mozilla.org/en-US/firefox/addon/noscript/. 
  35. "The NoScript Firefox extension — Official site". https://noscript.net/. 
  36. "HTTP Switchboard for Chrome". https://chrome.google.com/webstore/detail/http-switchboard/mghdpehejfekicfjcdbfofhcmnjhgaag. 
  37. "HTTP Switchboard for Opera". https://addons.opera.com/en/extensions/details/http-switchboard/. 

External links




Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Content_Security_Policy
15 views | Status: cached on July 13 2024 12:21:50
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF