Security/CSP

803 bytes added, 18:52, 7 April 2009
adding links to summary page
This set of pages documents the Content Security Policy proposal put forward by Mozilla Security. The [[Security/CSP/Spec|formal specification]] contains detailed information on terminology and syntax used in CSP.
=Background=
The last 3 years have seen a dramatic increase in [http://weblog.infoworld.com/zeroday/archives/2007/10/study_90_percen.html both ] [http://weblog.infoworld.com/zeroday/archives/2007/11/report_90_perce.html awareness ] and [http://www.webappsec.org/projects/whid/statistics.shtml exploitation ] of Web Application Vulnerabilities. 2008 saw dozens of [http://www.webappsec.org/projects/whid/byyear_year_2008.shtml high-profile attacks ] against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.
While many sites are aware of these threats and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of those websites make complete remediation of the security holes implausible. Browser vendors can do more to protect users from client-side attacks involving websites that are vulnerable to the classes of attacks mentioned above. This document proposes a mechanism that enables websites to define a Content Security Policy, which browsers can choose to enforce, restricting the capabilities of web content that make these attacks possible.
Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities: Cross Site Scripting. Cross Site Request Forgery has also become a large scale problem in Web Application Security, though it is not a primary focus of Content Security Policy.
A robust anti-CSRF mechanism is provided in the [[Security/Origin|Origin header proposal]], which is independent from Content Security Policy.
==Primary==
* Mitigate Cross Site Scripting (XSS)
** There are [http://www.cgisecurity.com/articles/xss-faq.shtml many ] [http://ha.ckers.org/xss.html good ] [http://www.owasp.org/index.php/Cross_Site_Scripting references ] for those needing to familiarize themselves with XSS and the associated risks.
** XSS exploits the client's trust of the content received from the server. Malicious script is executed by the victim's browser because the victim trusts the source of the content.
** Content Security Policy provides a way for server administrators to reduce or eliminate their XSS attack surface.
**# Website administrators specify which domains the browser should treat as valid sources of script.
**# The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
**#* Note: [[Security/CSP/Spec#event-hendling|event-handling ]] is still enabled in CSP without using HTML attributes.
**# Sites that never want to have JavaScript included in their pages can choose to globally disallow script.
* Mitigate Clickjacking
** [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html Good ] [http://ha.ckers.org/blog/20080915/clickjacking/ references ] are available which describe the threat and impact of clickjacking.
** Clickjacking occurs when a malicious site directs a victim's mouse click onto an unintended target in another site, generally by framing the target site's content in a transparent <iframe>.
** Content Security Policy enables a site to specify [[Security/CSP/Spec#frame-ancestors|which sites may embed a resource]].
* Mitigate Packet Sniffing Attacks
** In addition to restricting the locations from which content can load, websites can also specify which [[Security/CSP/Spec#content-sources|protocols ]] may be used.
** A website can use Content Security Policy to enforce that all content is served securely over HTTPS.
*** Note: a complete strategy to enforce secure transmission of data will also include marking all cookies with the secure flag, and providing automatic redirects from HTTP pages to corresponding HTTPS pages.
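The script-loading rules above (white-listed script sources, no inline scripts, no event-handling attributes) and the protocol restriction from the packet-sniffing item can be seen together in a small model. The following is an added example, not code from this wiki page or from Mozilla's browser implementation; the hostnames, page URL and the shape of the white-list are constructed assumptions, and the regular expressions are a toy stand-in for a real HTML parser.

```javascript
// Added example, not code from the Mozilla wiki page or from any browser:
// a toy model of the script-loading rules described above. Given the origins
// a site has white-listed as valid script sources, it classifies each
// script-bearing construct in an HTML snippet as "allow" or "block".
// The page URL resolves relative src values; the policy shape is assumed.
function scriptDecisions(html, pageUrl, allowedOrigins) {
  const decisions = [];
  // External scripts load only from white-listed origins (scheme + host + port),
  // so an http:// copy of a white-listed https:// host is refused.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(srcRe)) {
    let origin = null;
    try { origin = new URL(m[1], pageUrl).origin; } catch (e) { /* unparsable: block */ }
    const ok = origin !== null && allowedOrigins.includes(origin);
    decisions.push({ kind: 'external', target: m[1], action: ok ? 'allow' : 'block' });
  }
  // Inline <script> bodies are always disregarded under the policy.
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(inlineRe)) {
    decisions.push({ kind: 'inline', target: m[1].trim(), action: 'block' });
  }
  // Event-handling HTML attributes (onclick, onerror, ...) are inline script too.
  const handlerRe = /\s(on[a-z]+)\s*=\s*["'][^"']*["']/gi;
  for (const m of html.matchAll(handlerRe)) {
    decisions.push({ kind: 'handler', target: m[1].toLowerCase(), action: 'block' });
  }
  return decisions;
}

// Constructed sample page and policy (hypothetical hosts).
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://static.example.com/lib.js"></script>
<script src="http://static.example.com/lib.js"></script>
<script src="https://evil.example.net/x.js"></script>
<script>runAnalytics()</script>
<img src="logo.png" onerror="loadFallback()">
`;
const PAGE_URL = 'https://www.example.com/index.html';
const ALLOWED_ORIGINS = ['https://www.example.com', 'https://static.example.com'];

function policyDemo() {
  return scriptDecisions(SAMPLE_HTML, PAGE_URL, ALLOWED_ORIGINS);
}

for (const d of policyDemo()) {
  console.log(`${d.action.padEnd(5)} ${d.kind.padEnd(8)} ${d.target}`);
}
```

Only the same-origin script and the https:// copy of the white-listed CDN are allowed; the http:// copy of the same host, the foreign host, the inline block and the onerror attribute are all refused.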