Preventing XSS with Content Security Policy
An individual XSS can easily be remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS is easy to address, the overall cat-and-mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem, a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.
Content Security Policy (CSP) is an opt-in whitelist approach for defining which external script sources are allowed to execute JavaScript or other content-loading code (e.g. iframes) within the page. By eliminating inline scripts and defining a whitelist of allowed external scripts, it is possible to strictly control what JavaScript is executed within the page. If a user injects script into the page via an improperly encoded piece of user-controlled data, Content Security Policy identifies that the JavaScript is not part of the whitelisted content and the browser disregards the unauthorized script.
Here's a basic overview of the CSP process:
- Externalize all JavaScript within the pages (e.g. no inline script tags, no inline JavaScript for onclick or other event handlers).
- Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located.
- Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.
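The three steps above, worked through as an added example (this is not code from the original post or from Mozilla): a small check that flags inline script left in a page (step 1), a builder that turns a script whitelist into an X-Content-Security-Policy header value (steps 2 and 3), and a helper that merges that header into a response. It assumes the Mozilla draft CSP syntax, where `allow` is the default source list, `script-src` lists permitted script origins and `report-uri` names the violation-report endpoint; the host names and paths are made up.

```javascript
// Added example, not from the original post. Assumes the Mozilla draft
// X-Content-Security-Policy grammar ("allow", "script-src", "report-uri").

// Step 1 check: a heuristic scan for script that will be blocked once the
// policy is on. It looks for <script> tags without src= and for on*= handler
// attributes; it is a lint, not an HTML parser, so treat hits as leads.
function findInlineScript(html) {
  const inlineTags = /<script\b(?![^>]*\bsrc=)[^>]*>/gi;
  const handlers = /\son[a-z]+\s*=/gi;
  return [...html.matchAll(inlineTags), ...html.matchAll(handlers)].map((m) => m[0]);
}

// Source expressions the draft grammar accepts as quoted keywords.
const KEYWORDS = new Set(["'self'", "'none'"]);

// Fail closed on anything that is not a keyword or a plausible host source,
// so a typo in the whitelist raises here instead of shipping a header the
// browser would reject or interpret more loosely than intended.
function validateSource(src) {
  if (KEYWORDS.has(src)) return src;
  if (/^(https?:\/\/)?[A-Za-z0-9.*-]+(:\d+)?$/.test(src)) return src;
  throw new Error(`invalid CSP source expression: ${JSON.stringify(src)}`);
}

// Steps 2 and 3: assemble the policy string and the header that carries it.
function buildCspHeader({ defaultSources = ["'self'"], scriptSources = ["'self'"], reportUri } = {}) {
  const parts = [
    `allow ${defaultSources.map(validateSource).join(' ')}`,
    `script-src ${scriptSources.map(validateSource).join(' ')}`,
  ];
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  return { name: 'X-Content-Security-Policy', value: parts.join('; ') };
}

// Merge the CSP header into whatever response headers a page already sets.
function withPolicy(headers, policy) {
  return { ...headers, [policy.name]: policy.value };
}

// Constructed page (hypothetical): script is externalized and has no handlers,
// so it passes the step 1 check and keeps working under the policy.
const EXTERNALIZED_PAGE = `<!doctype html><html><body>
<button id="go">Go</button>
<script src="/static/app.js"></script>
</body></html>`;

// Constructed page that would be broken by the same policy.
const INLINE_PAGE = `<button onclick="go()">Go</button><script>go();</script>`;

// Hypothetical site: scripts served from the site itself and one CDN host.
const SITE_POLICY = buildCspHeader({
  scriptSources: ["'self'", 'https://cdn.example.com'],
  reportUri: '/csp-report',
});

console.log(withPolicy({ 'Content-Type': 'text/html; charset=utf-8' }, SITE_POLICY));
console.log('inline script found:', findInlineScript(INLINE_PAGE));
```

Run the scan over every template before turning the header on; each hit is a piece of JavaScript that has to move into an external file on a whitelisted host, otherwise the browser will drop it silently once the policy is enforced.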
Violation Reporting
The violation reporting component is another huge benefit of using CSP. It is enabled by providing a value for the policy-uri field within the site's Content Security Policy. When content (JavaScript, an injected iframe, etc.) is not allowed to execute due to CSP, the user's browser issues a violation report to the URL specified by the site's CSP. This means that a website owner can receive real-time notifications of CSP violations that could be potential XSS attacks.
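What the receiving end of that report looks like, as an added example that is not part of the original post or of Mozilla's implementation. The browser POSTs a JSON body whose top-level key is "csp-report"; the example assumes at least "blocked-uri" and "violated-directive" are present (other field names differ between the Mozilla draft and later CSP versions, so they are passed through untouched). It points the browser at the endpoint with the `report-uri` directive, which is the name the Mozilla CSP specification linked below uses for violation reporting (its `policy-uri` directive tells the browser where to fetch the policy itself). Because the endpoint is unauthenticated and anyone can POST to it, the parser caps body size, rejects malformed input and strips control characters before anything reaches a log.

```javascript
// Added example, not from the original post. Parses and triages the JSON
// violation reports a CSP-enabled browser POSTs to the report-uri endpoint.

// Reports are a few hundred bytes; the cap keeps a flood of junk from
// exhausting memory on an endpoint that accepts input from anyone.
const MAX_BODY = 8 * 1024;

function parseViolationReport(body) {
  if (typeof body !== 'string' || body.length > MAX_BODY) {
    return { ok: false, reason: 'body missing or too large' };
  }
  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const r = doc && doc['csp-report'];
  if (!r || typeof r !== 'object') return { ok: false, reason: 'missing csp-report object' };
  const blockedUri = String(r['blocked-uri'] || '');
  const directive = String(r['violated-directive'] || '');
  if (!directive) return { ok: false, reason: 'missing violated-directive' };
  return { ok: true, blockedUri, directive, severity: classify(blockedUri, directive), raw: r };
}

// Triage heuristic (an assumption of this example, not a spec rule): a script
// blocked under script-src with an empty or "self"/"inline" blocked-uri is the
// signature of injected inline script, so it gets the highest severity; a blocked
// third-party host is more often a whitelist gap than an attack.
function classify(blockedUri, directive) {
  const name = directive.split(/\s+/)[0];
  const inline = blockedUri === '' || blockedUri === 'self' || blockedUri === 'inline';
  if (name === 'script-src' && inline) return 'high';
  if (name === 'script-src') return 'medium';
  return 'low';
}

// One log line per report. Values are attacker-controlled, so newlines and
// tabs are flattened to keep one report from forging extra log entries.
function formatLogLine(parsed, remoteAddr) {
  const clean = (v) => String(v).replace(/[\r\n\t]/g, ' ');
  if (!parsed.ok) return `csp-report rejected from=${clean(remoteAddr)} reason=${clean(parsed.reason)}`;
  const doc = parsed.raw['document-uri'] || parsed.raw['request'] || '';
  return `csp-violation from=${clean(remoteAddr)} severity=${parsed.severity} ` +
    `directive="${clean(parsed.directive)}" blocked="${clean(parsed.blockedUri)}" doc="${clean(doc)}"`;
}

// Process a batch of bodies the way a request handler would, one at a time.
function triageAll(bodies, remoteAddr) {
  return bodies.map((b) => formatLogLine(parseViolationReport(b), remoteAddr));
}

// Constructed sample reports (not real browser output): an inline-script
// violation, a blocked third-party host, and a garbage POST.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'blocked-uri': '', 'violated-directive': "script-src 'self'",
    'document-uri': 'https://app.example/profile' } }),
  JSON.stringify({ 'csp-report': {
    'blocked-uri': 'https://cdn.other.example/lib.js', 'violated-directive': "script-src 'self'" } }),
  '{not json',
];

for (const line of triageAll(SAMPLE_REPORTS, '203.0.113.7')) console.log(line);
```

A useful operational split follows from the severity field: "high" lines are candidates for alerting as possible XSS, while "medium" and "low" lines mostly surface legitimate resources the whitelist forgot and are better reviewed in bulk before the policy is tightened further.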
CSP Enabled Browsers
Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP provides an added layer of protection to all website users with a CSP-enabled browser. In addition, CSP-enabled browsers provide violation reporting feedback to the website owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received, the intent is to formalize it into a standard and push for adoption within other browsers.
More Information
- Spec: https://wiki.mozilla.org/Security/CSP/Specification
- Developer CSP Link: https://developer.mozilla.org/en/Introducing_Content_Security_Policy
- W3C Web App Security Working Group - CSP Link: http://www.w3.org/2010/07/appsecwg-charter#deliverables
- Mozilla Blog Post on CSP: http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/
- Sample Policy Definitions: https://wiki.mozilla.org/Security/CSP/Specification#Sample_Policy_Definitions
- Notes from one of the CSP creators (Brandon Sterne): http://people.mozilla.com/~bsterne/content-security-policy/
Michael Coates (@_mwc) & Brandon Sterne (@bsterne)