Content Security Policy Basics

What is Content Security Policy (CSP)?

Response headers that allows web site administrators to control which resources are loaded on a given page. We control this by setting policies structured below:

Content-Security-Policy: <policy-directive>; <policy-directive>

The following example creates a default source to 'self' (server origin) and a style-src to 'self' and allows any css loaded from a somedomain.com domain:

Content-Secuirty-Policy: default src 'self'; style-src 'self' *.somedomain.com;

What is Cross-Site Scripting (XSS)?

Cross-SIte Scripting, is a client-side code injection attack. One type of vulnerable a page has to this kind of attacks if it does not validate or encode text that is entered to it's input control. With this a hacker can input a malicious script on the text then when saved and loaded back, the page would then execute that script.

Types of XSS Attacks

• Embedding of External Resources on the Page
• Writing Scripts to the Page Source
• Modifying the Document Object Model (DOM)

Please find link on the References section below for more information about Cross-Site Scripting.

Commonly Used Directives

Policy Directive	Description
default-src	This directive contains the default values, for example if script-src is not specified, it used what is set on the default-src
script-src	This directive controls the script resources locations (.js files), if we have referenced remote scripts we can specify the url for that on this directive
style-src	This directive controls the style resources locations
object-src	This directive controls being loaded on the page ex. flash
media-src	This directive controls the media resources being loaded ex. mp3
frame-ancestors	This directive controls which sources can load the page into a child frame

For other directives please refer to the link found on the References section below

Built-in Directive Values

Source Name	Description
'self'	Refers to the origin from which request/response is being served. This allows all scripts from the origin server.
'none'	Explicitly disallow script sources
'unsafe-inline'	Allows scripts that are coded in-line: ex: <button id='sampleId' onclick='confirm('are you sure?')' />
'unsafe-eval'	Allows scripts that use the eval() method, which creates javascript code from strings ex: var value = eval(new String(a + b))

Tools
https://report-uri.com/home/generate

References:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://cspvalidator.org

https://app.pluralsight.com/player?course=browser-security-headers&author=troy-hunt&name=browser-security-headers-m4&clip=0&mode=live - Pluralsight

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)