HTTP Content Security Policy CSP


Some commonly used server-side settings for HTTP responses. This list is updated frequently.

Content Security Policy (CSP) - Restrict what network requests can be made from the browser.

Purpose: prevents Cross Site Scripting (XSS) and data injection attacks, whose impact ranges from data theft to site defacement or distribution of malware. Extra security: add a script that detects and removes new child elements that were appended to <head> programmatically, e.g. via document.head.appendChild(linkEl);

  • Implementation via an HTML document meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
  • Or via response headers:
    HTTP/1.1 200 OK
    Content-Security-Policy: default-src 'self'

All directives: base-uri, block-all-mixed-content, child-src, connect-src, default-src, font-src, form-action, frame-ancestors, frame-src, img-src, manifest-src, media-src, object-src, plugin-types, referrer, report-uri, require-sri-for, sandbox, script-src, style-src, upgrade-insecure-requests, worker-src

Scenarios:

  1. All content must come from the site's own origin (this excludes subdomains):
     Content-Security-Policy: default-src 'self'

  2. Allow content from a trusted domain and all its subdomains:
     Content-Security-Policy: default-src 'self' *.trusted.com

  3. Allow users of a web application to include images from any origin in their own content, but restrict audio or video media to trusted providers, and all scripts to a specific server that hosts trusted code:
     Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

  4. Google example:
     content-security-policy: script-src 'report-sample' 'nonce-5RuK3R6qmnCwuGS36OPlNb9vAjI' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport

  5. Restrict the endpoints that may be the target of form submissions:
     Content-Security-Policy: form-action coderecipes.org;
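To see how these policies actually decide a load, here is an added example (not part of the original page) that parses a CSP header string and evaluates a resource URL against it, including the default-src fallback chain, 'self', 'none', scheme-only sources like https:, and *.trusted.com wildcards. Nonces and hashes are not evaluated, and an explicit port must match literally; these are simplifications of the real matching algorithm.

```python
from urllib.parse import urlparse

# Fallback chain for fetch directives (CSP3): e.g. frame-src -> child-src -> default-src.
FALLBACK = {d: ["default-src"] for d in (
    "script-src", "style-src", "img-src", "media-src", "font-src", "connect-src",
    "child-src", "object-src", "manifest-src")}
FALLBACK["frame-src"] = ["child-src", "default-src"]
FALLBACK["worker-src"] = ["child-src", "script-src", "default-src"]

def parse_csp(header: str) -> dict:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; first directive wins on duplicates."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression ('self', 'none', *, https:, *.trusted.com, host) allow url?
    Simplified: explicit ports must match literally; nonces/hashes are not evaluated."""
    u, page, s = urlparse(url), urlparse(page_origin), source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if s == "*":
        return u.scheme in ("http", "https", "ws", "wss")
    if s.endswith(":") and "/" not in s:          # scheme-source such as https:
        return u.scheme == s[:-1]
    src = urlparse(s if "://" in s else "//" + s)  # host-source: [scheme://]host[:port]
    if src.scheme and src.scheme != u.scheme:
        return False
    if src.port is not None and src.port != u.port:
        return False
    host, pattern = u.hostname or "", src.hostname or ""
    if pattern == "*":
        return True
    if pattern.startswith("*."):                   # *.trusted.com matches subdomains only
        return host.endswith(pattern[1:])
    return host == pattern

def is_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate a load governed by `directive` (e.g. img-src). The first directive present
    in the fallback chain decides, so a script-src entry fully overrides default-src."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return any(source_allows(s, url, page_origin) for s in policy[name])
    return True  # no applicable directive: load is unrestricted
```

Note that in scenario 3 the script-src directive replaces default-src for scripts, so a script served from the site's own origin is blocked unless 'self' is repeated in script-src.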

Created on 1/12/2018