Content Security Policy
CSP was originally developed by the Mozilla Foundation and was first implemented in Firefox 4. As of 2012 the CSP is a W3C candidate. The following header names are in use as part of an experimental CSP implementations:
Content-Security-Policy— standard header name proposed by the W3C document. Google Chrome supports this as of version 25. Firefox supports this as of version 23, released on 6 August 2013.
X-WebKit-CSP— experimental header introduced into Google Chrome and other WebKit-based browsers (Safari) in 2011.
X-Content-Security-Policy— experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1).
New CSP 1.1 specification is being developed by W3C.
Mode of operation
<script></script>, DOM event attributes like
onclick, and anchor tags with an
- dynamic code evaluation (via
eval()and string arguments for both
setInterval) are blocked (can be enabled by
Recommended coding practices for CSP-compatible web applications is to load code from external source files (
<script src>), parse JSON instead of evaluating it and use inline functions for other statements.
Content-Security-Policy-Report-Only header is present in the server response, a compliant client monitors and reports only without enforcing the declarative whitelist policy. This is useful during development.
Browser Add-Ons and Extensions Exemption
According to the CSP Processing Model, CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP effectively allows any add-on or extension to inject script into web sites, regardless of the origin of that script, and thus be exempt to CSP policies. The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, some consider this exemption to be a potential security hole that could be exploited by malicious or compromised add-ons or extensions.
- NoScript — anti-XSS protection and Application Boundaries Enforcer (ABE)
- Sid Stamm (2009-03-11). "Security/CSP/Spec - MozillaWiki". wiki.mozilla.org. Retrieved 2011-06-29. "Content Security Policy is intended to help web designers or server administrators specify how content interacts on their web sites. It helps mitigate and detect types of attacks such as XSS and data injection."
- "State of the draft". 2011-11-30. Retrieved 2011-12-30.
- "Content Security Policy 1.0". W3C Candidate Recommendation. 15 November 2012. Retrieved February 22, 2013.
- "Can I use Content Security Policy?". Fyrd. Retrieved February 22, 2013.
- "Chrome 25 Beta: Content Security Policy and Shadow DOM". Google. January 14, 2013. Retrieved February 22, 2013.
- "Content Security Policy 1.0 lands in Firefox Aurora". Mozilla Foundation. May 29, 2013. Retrieved June 16, 2013.
- "RapidRelease/Calendar". Mozilla Foundation. May 29, 2013. Retrieved June 16, 2013.
- "New Chromium security features, June 2011". Google. June 14, 2011. Retrieved February 22, 2013.
- "Introducing Content Security Policy". Mozilla Foundation. Retrieved February 22, 2013.
- "Defense in Depth: Locking Down Mash-Ups with HTML5 Sandbox". Windows Internet Explorer Engineering Team. Retrieved April 13, 2014.
- "Proposals for Version 1.1". W3C. Retrieved March 22, 2013.
- "ngCsp directive". AngularJS.
- "Content security policy". GitHub.
- West, Mike (June 15, 2012). "An Introduction to Content Security Policy". HTML5 Rocks. Retrieved February 22, 2013.
- For example in Django a CSP receiver is available in django-security module.
- "Content Security Policy Builder".
- "CSP Processing Model". 2012-11-15. Retrieved 2013-10-06.
- "Subverting CSP policies for browser add-ons (extensions).". 2013-09-25. Retrieved 2013-10-06.