Security/CSP/Deploying: Difference between revisions


= Writing an effective policy =
This section will describe how to write an effective policy.  ''This is guidance, not an absolutely perfect algorithm, since the best policy for any given site is relative to the content served upon it and relationships the site has with other entities.''
Best practice for writing a Content Security Policy is to start with the most restrictive policy possible, and expand it as needed.
  allow 'none'
Expansion can be done on a per-use basis (a directive at a time) or based on hosts that are ultimately trusted. 
'''Use-based Expansion''':
For each directive, identify the sources for the respective type of content, and enumerate them.  For example, consider a situation where scripts are served from the same source and images from a separate subdomain.
  allow 'none'; script-src 'self'; img-src 'self' images.mysite.com
As a policy gets more detailed, and the host lists for directives get long, wildcards can be introduced.  While host segment wildcards will simplify the policy, they also open up the site to using sources that may not be anticipated.  ''Wildcards should be used with caution, and only when the common superdomain is trusted and exerts control over its subdomains.''
  allow 'none'; script-src 'self'; img-src 'self' pics.mysite.com images.mysite.com
  allow 'none'; script-src 'self'; img-src *.mysite.com
If all directives in a policy have common sources, those sources can be placed into the allow directive.  Before doing this, it is important to analyze the directives list, and ensure that every kind of content may be loaded from that source.
  allow 'none'; script-src 'self' site-stats.com; img-src 'self'; ...
  allow 'self'; script-src 'self' site-stats.com
In fact, many policies will start with <tt>allow 'self'</tt>, to both simplify the policy and to open up the base document's source as a valid source for all types of content.  Many sites serve all content from the same source, so this <tt>allow 'self'</tt> policy will work well.
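The fallback behaviour described above (a directive that is not listed inherits the sources of <tt>allow</tt>, and a <tt>*.mysite.com</tt> wildcard covers subdomains) can be checked against a draft policy before it is deployed. The evaluator below is an added example, not code from this wiki or from Mozilla; it assumes host-only matching (scheme and port are ignored) and takes the base document's host as a parameter.

```python
"""Evaluate a pre-standard CSP policy that uses the 'allow' fallback directive.
Constructed example: matches on hostname only; scheme and port are ignored."""
from urllib.parse import urlsplit


def parse_policy(policy: str) -> dict:
    """Turn "allow 'none'; img-src *.mysite.com" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_matches(pattern: str, host: str) -> bool:
    """Match a host-source; '*.mysite.com' covers subdomains but not mysite.com itself."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix '.mysite.com' keeps the dot boundary
    return pattern == host


def is_allowed(policy: str, directive: str, url: str, self_host: str) -> bool:
    """Return True if `url` may be loaded as `directive` content (e.g. 'img-src').

    A directive absent from the policy falls back to the 'allow' source list;
    if neither is present the load is refused, matching a 'none' default.
    """
    rules = parse_policy(policy)
    sources = rules.get(directive.lower(), rules.get("allow", ["'none'"]))
    if "'none'" in sources:
        return False
    host = (urlsplit(url).hostname or "").lower()
    for src in sources:
        if src == "'self'":
            if host == self_host.lower():
                return True
        elif host_matches(src, host):
            return True
    return False


if __name__ == "__main__":
    policy = "allow 'none'; script-src 'self'; img-src *.mysite.com"
    print(is_allowed(policy, "img-src", "https://pics.mysite.com/a.png", "www.mysite.com"))
    print(is_allowed(policy, "object-src", "https://www.mysite.com/a.swf", "www.mysite.com"))
```

Running the script prints True for the image and False for the object, since <tt>object-src</tt> is unlisted and inherits <tt>allow 'none'</tt>.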


==Example: Media and Object ==