Content Security Policy


http://en.wikipedia.org/wiki/Content_Security_Policy


Content Security Policy (CSP) is a computer security concept intended to prevent cross-site scripting (XSS) and related attacks.[1] It is a Candidate Recommendation of the W3C Working Group on Web Application Security.[2] CSP provides a standard HTTP header that allows website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Status

CSP was originally developed by the Mozilla Foundation and was first implemented in Firefox 4. As of 2012 CSP is a W3C candidate.[3] The following header names are in use as part of experimental CSP implementations:[4]

  • Content-Security-Policy — standard header name proposed by the W3C document. Google Chrome supports this as of version 25.[5] Firefox supports this as of version 23,[6] released on 6 August 2013.[7]
  • X-WebKit-CSP — experimental header introduced into Google Chrome and other WebKit-based browsers (Safari) in 2011.[8]
  • X-Content-Security-Policy — experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1).[9]

Support for the sandbox directive is also available in Internet Explorer 10 using the experimental X-Content-Security-Policy header.[citation needed]

New CSP 1.1 specification is being developed by W3C.[10]

There's initial support for CSP in some web frameworks such as AngularJS[11] and Django.[12] Instructions for Ruby on Rails have been posted by GitHub.[13]

Mode of operation

If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative whitelist policy. One example goal of a policy is a more strict execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default:

  • inline JavaScript (e.g. <script></script>, DOM event attributes like onclick, and anchor tags with an href value that starts with "javascript:") is blocked - all script code must reside in separate files, served from a whitelisted domain (inline script can be re-enabled with unsafe-inline),
  • dynamic code evaluation (via eval() and string arguments to both setTimeout and setInterval) is blocked (can be re-enabled with unsafe-eval).

Recommended coding practices for CSP-compatible web applications are to load code from external source files (<script src>), to parse JSON instead of evaluating it, and to use inline functions for other statements.[14]

In addition to restricting execution of JavaScript, a policy can specify where resources can be loaded from for a given page. This includes CSS, JavaScript, images, frames, applets, Ajax, etc.[15]

If the Content-Security-Policy-Report-Only header is present in the server response, a compliant client monitors and reports only without enforcing the declarative whitelist policy. This is useful during development.
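The whitelist semantics described above can be made concrete with a small policy evaluator. The following is an added example written for this page, not code from the article or from any browser; it handles only the subset of source expressions the text mentions ('self', 'unsafe-inline', 'unsafe-eval', host names with an optional wildcard subdomain, the '*' and 'none' keywords, and the default-src fallback) and models the difference between the enforcing header and the Report-Only header. The directive names, the sample policies and the page origin used below are assumptions chosen for illustration.

```python
"""Minimal Content-Security-Policy evaluator (added example, not from the article).

Assumptions: only a subset of CSP source expressions is handled ('self',
'unsafe-inline', 'unsafe-eval', 'none', '*', host names with an optional
"*." wildcard, and scheme://host sources), plus the default-src fallback.
Real browsers implement considerably more (paths, ports, nonces, hashes).
"""
from urllib.parse import urlsplit


def parse_policy(header):
    """Turn "default-src 'self'; script-src cdn.example" into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _sources_for(policy, directive):
    # A fetch directive that is absent from the policy falls back to default-src.
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "a.example.com"
    return host == pattern


def allows_source(policy, directive, url, page_origin):
    """Decide whether loading `url` under `directive` is permitted.

    page_origin is the scheme://host of the document, e.g. "https://app.example.com".
    """
    sources = _sources_for(policy, directive)
    if "'none'" in sources:
        return False
    target, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            if target.scheme == page.scheme and target.netloc == page.netloc:
                return True
        elif src.startswith("'"):
            continue  # keyword sources such as 'unsafe-inline' do not describe URLs
        elif "://" in src:
            s = urlsplit(src)
            if s.scheme == target.scheme and _host_matches(s.netloc, target.netloc):
                return True
        elif _host_matches(src, target.hostname or ""):
            return True
    return False


def allows_inline_script(policy):
    """Inline <script>, onclick= handlers and javascript: URLs need 'unsafe-inline'."""
    return "'unsafe-inline'" in _sources_for(policy, "script-src")


def allows_eval(policy):
    """eval() and string arguments to setTimeout/setInterval need 'unsafe-eval'."""
    return "'unsafe-eval'" in _sources_for(policy, "script-src")


def decide(headers, directive, url, page_origin):
    """Apply enforce vs. report-only semantics for a response's CSP headers.

    Returns "blocked", "allowed-but-reported" or "allowed".
    """
    enforce = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    if enforce and not allows_source(parse_policy(enforce), directive, url, page_origin):
        return "blocked"
    if report_only and not allows_source(parse_policy(report_only), directive, url, page_origin):
        return "allowed-but-reported"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample policy and origin, not taken from any real site.
    policy = parse_policy("default-src 'self'; script-src 'self' https://cdn.example.com; img-src *")
    origin = "https://app.example.com"
    print(allows_source(policy, "script-src", "https://cdn.example.com/lib.js", origin))   # True
    print(allows_source(policy, "script-src", "https://evil.example.net/x.js", origin))   # False
    print(allows_source(policy, "style-src", "https://cdn.example.com/s.css", origin))    # False (default-src)
    print(allows_inline_script(policy), allows_eval(policy))                               # False False
    print(decide({"Content-Security-Policy-Report-Only": "script-src 'self'"},
                 "script-src", "https://evil.example.net/x.js", origin))                  # allowed-but-reported
```

The `decide` function is where the Report-Only header earns its keep during rollout: a policy can be sent in monitoring mode first, the reports reviewed, and only then moved to the enforcing header, so that a missed third-party script origin surfaces as a report rather than as a broken page.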

Reporting

Anytime a requested resource or script execution violates the policy, the browser will fire a POST request to the value specified in report-uri[16] containing details of the violation.

CSP reports are standard JSON structures and can be captured either by the application's own API[17] or by public CSP report receivers.[18]
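What a report endpoint actually receives is a small JSON object, and an application's own receiver only needs to validate it and triage the blocked source. The following is an added example written for this page, not code from the article or from any report-receiver service. It assumes the CSP 1.0 report layout (a top-level "csp-report" member with "document-uri", "referrer", "blocked-uri", "violated-directive" and "original-policy"); the sample report, the /csp-report path, the port and the triage rules in `classify` are constructed for illustration.

```python
"""CSP violation report receiver (added example, not from the article).

Assumes the CSP 1.0 report format: a JSON object whose "csp-report" member
carries "document-uri", "referrer", "blocked-uri", "violated-directive" and
"original-policy". parse_report() works offline; the HTTP server is optional.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of what a browser POSTs to the report-uri; not a real capture.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://app.example.com/account",
        "referrer": "",
        "blocked-uri": "https://evil.example.net/x.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp-report",
    }
})

REQUIRED = ("document-uri", "blocked-uri", "violated-directive", "original-policy")


def classify(blocked_uri):
    """Rough triage of the blocked source (assumed conventions, not from the spec text).

    An empty, "self" or "inline" value points at script embedded in the page
    itself (either injected content or a legitimate inline script the policy
    has not been adapted for); "eval" is dynamic code evaluation; anything
    else is an external load whose origin should be reviewed.
    """
    if blocked_uri in ("", "self", "inline"):
        return "inline-or-self"
    if blocked_uri == "eval":
        return "eval"
    return "external"


def parse_report(body):
    """Validate one report body and normalise it; raise ValueError on malformed input."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for key in REQUIRED:
        if key not in report:
            raise ValueError("missing field: " + key)
    return {
        "document": report["document-uri"],
        "directive": report["violated-directive"].split()[0],
        "blocked": report["blocked-uri"],
        "policy": report["original-policy"],
        "kind": classify(report["blocked-uri"]),
    }


def is_well_formed(body):
    """True when parse_report() accepts the body, False otherwise."""
    try:
        parse_report(body)
        return True
    except (ValueError, TypeError):
        return False


class ReportHandler(BaseHTTPRequestHandler):
    """Endpoint for `report-uri /csp-report`; parsed reports are kept in a class-level list."""
    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            ReportHandler.received.append(parse_report(body))
            self.send_response(204)  # nothing to return to the browser
        except ValueError:
            self.send_response(400)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


if __name__ == "__main__":
    print(parse_report(SAMPLE_REPORT))
    # Constructed address; a server deployed for real would sit behind TLS.
    HTTPServer(("127.0.0.1", 8000), ReportHandler).serve_forever()
```

Note that the report arrives as a browser-initiated POST with no authentication, so the receiver treats the body as untrusted input: it validates the structure before storing anything, and a production version would also rate-limit and cap the body size, since anyone can send requests to the report endpoint.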

Browser Add-Ons and Extensions Exemption

According to the CSP Processing Model,[19] CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP effectively allows any add-on or extension to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies. The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, some consider this exemption to be a potential security hole that could be exploited by malicious or compromised add-ons or extensions.[20]
