Security/CSP/Deploying: Difference between revisions
Revision as of 22:29, 2 July 2009
In this article, we recommend steps that can be taken to modify a web site so that it supports the CSP base restrictions. We also explain how to craft a CSP policy for a site that provides the maximum amount of protection.
Supporting CSP base restrictions
While restricting content loads by source helps mitigate attacks, the base restrictions are what block the more complex XSS script-injection vectors that source restrictions alone do not cover: script placed inline in the page itself, and code generated from strings at run time. Let's take a look at each base restriction employed by CSP and see how equivalent functionality can be obtained through other techniques.
Until a site has been converted to support these base restrictions, the inline and eval keywords in the script-src directive can be used to disable them (this is the spelling used by the 2009 draft; the CSP standard later adopted by browsers names these source expressions 'unsafe-inline' and 'unsafe-eval'). The effort required to support the base restrictions varies by site, but the guidelines below convert a site one restriction at a time.
Removing Inline Scripts
You can skip this part by adding the inline keyword to the script-src directive in your site's CSP policy definition. Doing so gives up the protection against injected inline script, which is the most common form of XSS, so treat it as a temporary measure while the site is converted.
Inline scripts are more easily injected into a site than their externally sourced counterparts: once code and content are mixed in one document, the browser has no way to tell script the developer wrote from script an attacker injected into the same markup.
<script> tags with text child nodes
- The Problem
- General Solution
- Conversion Steps
javascript: URIs
- The Problem
- General Solution
- Conversion Steps
Event handling attributes in HTML tags
- The Problem: There are many HTML event-handling attributes (on*) whose string values the browser evaluates as script when the event fires.
- General Solution
- Conversion Steps
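The three conversions above (script bodies, javascript: URIs and on* attributes) carried out by a script, as an added example that is not part of the original page: a Node.js converter that lifts every piece of inline script into one external file and attaches the former handlers with addEventListener. It works on a constructed page with regular expressions; the generated file name (app.js), the data-csp-id marker attribute and the site functions in the sample page (greet, toggleMenu, validate) are all hypothetical.

```javascript
// Added example, not code from the wiki page: lift all inline script out of a
// page so it can run under CSP's inline restriction. Three rewrites:
//   1. <script> elements with a text body  -> body moved to an external file
//   2. on* event-handler attributes        -> addEventListener in that file
//   3. href="javascript:..." links         -> a click listener in that file
// Regular expressions over a constructed page keep this self-contained; a
// production migration should drive the same rewrites from an HTML parser
// (attribute values containing '>' would break the regex approach).

function nextId(state) {
  return 'csp-h' + state.counter++;
}

// Rewrite 1: collect the body of every <script> that has no src attribute.
function extractInlineScripts(html) {
  const bodies = [];
  const out = html.replace(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi, (whole, attrs, body) => {
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') return whole; // already external
    bodies.push(body.trim());
    return '';
  });
  return { html: out, bodies };
}

// Rewrites 2 and 3: strip on* attributes and javascript: hrefs from each start
// tag, mark the element with a (hypothetical) data-csp-id attribute, and record
// the handler code so it can be attached from the external file.
function extractEventHandlers(html) {
  const handlers = [];
  const state = { counter: 0 };
  const out = html.replace(/<([a-z][a-z0-9]*)\b([^>]*?)(\/?)>/gi, (whole, tag, attrs, selfClose) => {
    let id = null;
    let rest = attrs.replace(/\s+on([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi, (m, evt, dq, sq) => {
      id = id || nextId(state);
      handlers.push({ id, event: evt.toLowerCase(), code: dq !== undefined ? dq : sq });
      return '';
    });
    rest = rest.replace(/\s+href\s*=\s*(["'])javascript:([^"']*)\1/i, (m, quote, code) => {
      id = id || nextId(state);
      // a javascript: link never navigated, so the listener must cancel the click
      handlers.push({ id, event: 'click', code: code + '; event.preventDefault();' });
      return ' href="#"';
    });
    if (id === null) return whole;
    return '<' + tag + rest + ' data-csp-id="' + id + '"' + selfClose + '>';
  });
  return { html: out, handlers };
}

// Build the external file: lifted script bodies first, then listener wiring.
// An inline handler that returns false cancels the event's default action;
// addEventListener ignores return values, so the wrapper translates it. `this`
// is the element in both forms, but code that relied on the implicit
// `with (element)` scope of attribute handlers still needs hand editing.
function buildExternalScript(bodies, handlers) {
  const out = ['// generated from former inline script; review by hand'];
  out.push(...bodies);
  out.push('document.addEventListener("DOMContentLoaded", function () {');
  for (const h of handlers) {
    out.push('  document.querySelector(\'[data-csp-id="' + h.id + '"]\')' +
      '.addEventListener("' + h.event + '", function (event) {' +
      ' if ((function (event) { ' + h.code + ' }).call(this, event) === false) event.preventDefault(); });');
  }
  out.push('});');
  return out.join('\n');
}

function convert(html, scriptName) {
  const a = extractInlineScripts(html);
  const b = extractEventHandlers(a.html);
  const tag = '<script src="' + scriptName + '"></script>';
  const page = /<\/body>/i.test(b.html) ? b.html.replace(/<\/body>/i, tag + '\n</body>') : b.html + '\n' + tag;
  return { html: page, script: buildExternalScript(a.bodies, b.handlers), bodies: a.bodies, handlers: b.handlers };
}

// Check used before and after conversion: does the page still carry inline script?
function hasInlineScript(html) {
  return /<script\b(?![^>]*\bsrc\s*=)[^>]*>/i.test(html)
    || /\son[a-z]+\s*=/i.test(html)
    || /href\s*=\s*["']javascript:/i.test(html);
}

// Constructed sample page; greet, toggleMenu and validate are hypothetical site functions.
const SAMPLE_PAGE = `<html><body>
<script>function greet(name) { alert("hi " + name); }</script>
<script src="/static/lib.js"></script>
<button onclick="greet('world')" onmouseover="this.style.color='red'">Greet</button>
<a href="javascript:toggleMenu()">Menu</a>
<form onsubmit="return validate(this)"><input type="submit" /></form>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  const result = convert(SAMPLE_PAGE, 'app.js');
  console.log(result.html);
  console.log('--- app.js ---');
  console.log(result.script);
}
```

After conversion the page contains only `<script src>` elements, and hasInlineScript is the check to run over the whole site before dropping the inline keyword from the policy. Two details matter when reviewing the generated file: a handler whose inline form returned false is wrapped so that preventDefault is still called, and a javascript: link gets preventDefault added because the original never navigated.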
Removing "eval()"-like features
You can skip this part by adding the eval keyword to the script-src directive in your site's CSP policy definition. Doing so leaves every string-to-code path in the site open to the attacks described below, so treat it as a temporary measure while the site is converted.
Code generated on the fly can accidentally (or intentionally) contain user-specified content: any string that is converted into script code while a web application runs can be augmented and abused by an attacker. As a result, these constructs must be removed from a site before the eval restriction can be enabled.
eval()
- The Problem
- General Solution
- Conversion Steps
setTimeout()
- The Problem
- General Solution
- Conversion Steps
setInterval()
- The Problem
- General Solution
- Conversion Steps
new Function()
- The Problem
- General Solution
- Conversion Steps
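The four eval()-like features above, handled in one added example that is not part of the original page: part (a) is an audit helper that flags the string-to-code forms of eval(), setTimeout(), setInterval() and new Function() in JavaScript source, and part (b) shows the CSP-compatible replacement for the usual reason each one is used. The scanned source is constructed, and names such as showUser, poll and actionName are hypothetical.

```javascript
// Added example, not code from the wiki page. Part (a) is an audit helper that
// flags the four string-to-code APIs in JavaScript source; part (b) shows the
// CSP-compatible replacement for the common reason each is used.
// The source text scanned is constructed; names like showUser and poll are
// hypothetical.

// (a) Audit. eval() and new Function() always take code; setTimeout and
// setInterval are only a problem when their first argument is a string, so
// only the string form is flagged. A regex pass is enough to show the idea;
// audit a real code base with an AST walk.
const EVAL_LIKE = [
  { api: 'eval', re: /\beval\s*\(/ },
  { api: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { api: 'setTimeout', re: /\bsetTimeout\s*\(\s*["'`]/ },
  { api: 'setInterval', re: /\bsetInterval\s*\(\s*["'`]/ },
];

function findEvalLikeCalls(src) {
  const hits = [];
  src.split('\n').forEach((text, i) => {
    for (const { api, re } of EVAL_LIKE) {
      if (re.test(text)) hits.push({ line: i + 1, api, text: text.trim() });
    }
  });
  return hits;
}

// Constructed source. Line 2 is the classic injection: a string assembled from
// the URL fragment becomes code, so a fragment of  x'); evil(); ('  runs evil().
// Line 3 is the function form of the same call and is not flagged.
const SAMPLE_SRC = [
  'var cfg = eval("(" + xhr.responseText + ")");',
  'setTimeout("showUser(\'" + location.hash.slice(1) + "\')", 0);',
  'setTimeout(function () { showUser(name); }, 0);',
  'var poller = setInterval("poll()", 5000);',
  'var run = new Function("return " + actionName + "()");',
  'var ok = JSON.parse(xhr.responseText);',
].join('\n');

// (b) Replacements.

// eval("(" + json + ")") parses data by executing it. JSON.parse accepts only
// data, so a response such as {"a": alert(1)} is rejected instead of run.
function parseConfig(jsonText) {
  return JSON.parse(jsonText);
}

// setTimeout("showUser('" + name + "')", 0): pass a closure; name stays data
// whatever characters it contains. timerApi is injectable so this runs headless.
function scheduleShowUser(showUser, name, delayMs, timerApi = setTimeout) {
  return timerApi(function () { showUser(name); }, delayMs);
}

// setInterval("poll()", 5000): pass the function itself.
function startPolling(poll, periodMs, timerApi = setInterval) {
  return timerApi(poll, periodMs);
}

// new Function("return " + actionName + "()") calls a function by name, which
// lets the name carry arbitrary code. A dispatch table allows only listed
// actions; the hasOwnProperty check also keeps names like "constructor" or
// "toString" from reaching Object.prototype.
function dispatch(table, actionName, ...args) {
  if (!Object.prototype.hasOwnProperty.call(table, actionName)) {
    throw new Error('unknown action: ' + actionName);
  }
  return table[actionName](...args);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findEvalLikeCalls(SAMPLE_SRC)) {
    console.log('line ' + h.line + ': ' + h.api + '  ' + h.text);
  }
}
```

Run over the constructed source, the audit reports lines 1, 2, 4 and 5 and leaves the function-argument setTimeout on line 3 alone, which is the distinction the conversion steps depend on: the timer and interval APIs stay, only their string arguments go. The replacements keep user data as data (a closure argument, a JSON document, a key into an explicit table) instead of splicing it into source text.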
Often Misused Feature Clean up
- data: URIs
- XBL bindings