Saturday, May 23, 2020

CSP (Content Security Policy) - Part 2

About 3 years ago, I wrote a blog post on the same topic, CSP. Now I want to revisit it as a refresher, since the security team recently enforced its adoption in products. The following knowledge and information are based on the Google developer documentation.

CSP defines the Content-Security-Policy HTTP header, which lets you create a whitelist of trusted content sources and instructs the browser to execute or render resources only from those sources.

CSP provides a rich set of policy directives that enable fairly granular control over the resources a page is allowed to load.

By default, directives are wide open. CSP provides the default-src directive so you can override this default behavior: script-src, style-src, img-src, media-src, font-src, connect-src, object-src, child-src and the other *-src directives use default-src as their fallback when they are not set explicitly.

CSP's preferred delivery mechanism is an HTTP header. It can be useful, however, to set a policy directly in a page's HTML markup:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none'; object-src 'none'">
Content-Security-Policy-Report-Only header
A policy delivered in report-only mode won't block restricted resources, but it will send violation reports to the location you specify.

You can use as many or as few of these directives as make sense for your application: list each one in the HTTP header, separated by semicolons.

Content-Security-Policy: default-src 'none'; script-src https://cdn.mybank.net; style-src https://cdn.mybank.net; img-src https://cdn.mybank.net; connect-src https://api.mybank.com; child-src 'self'

Content-Security-Policy: default-src https://cdn.example.net; child-src 'none'; object-src 'none'
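To make the default-src fallback and the two example headers above concrete, here is a small policy evaluator. It is an added example written for this post, not code from the Google documentation; it models only host sources, scheme sources, 'self' and 'none' (nonces, hashes and 'unsafe-*' keywords are deliberately left out), and the page and resource URLs it checks are constructed.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set explicitly.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "media-src",
                       "font-src", "connect-src", "object-src", "child-src"}

def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Resolve a directive's source list, using default-src as the fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None  # neither set: the directive is wide open

def _matches(source, res, page):
    """Simplified source matching (assumption: no nonces, hashes or 'unsafe-*')."""
    if source == "'self'":
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):  # 'none' and other keywords never match a host
        return False
    if source.endswith(":") and "://" not in source:  # scheme source, e.g. https:
        return res.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source, scheme=page.scheme)
    host = res.hostname or ""
    host_ok = host == src.hostname or (
        src.hostname.startswith("*.") and host.endswith(src.hostname[1:]))
    return res.scheme == src.scheme and host_ok and src.port in (None, res.port)

def is_allowed(header, directive, page_url, resource_url):
    """Would a page at page_url be allowed to load resource_url under `directive`?"""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    page, res = urlparse(page_url), urlparse(resource_url)
    return any(_matches(s, res, page) for s in sources)

# Constructed copy of the first example policy from the post
BANK_POLICY = ("default-src 'none'; script-src https://cdn.mybank.net; "
               "style-src https://cdn.mybank.net; img-src https://cdn.mybank.net; "
               "connect-src https://api.mybank.com; child-src 'self'")
```

With BANK_POLICY, a font from https://cdn.mybank.net is refused because font-src is absent and falls back to default-src 'none', which is the behaviour to expect when you lock default-src down and forget a directive.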
