CSP

csp ben toews github

the problem

the old ﬁx

the problem

the new ﬁx

csp = no javascript + no css = 1995?

csp = source whitelisting!

X-Content-Security-Policy: default-src *; script-src https://github.com https://a24 8.e.akamai.net https://jobs.github.com h ttps://ssl.google-analytics.com
https://s ecure.gaug.es https://gist.github.com; s tyle-src https://github.com https://a248. e.akamai.net https://jobs.github.com htt ps://ssl.google-analytics.com https://sec ure.gaug.es https://gist.github.com 'uns afe-inline'; report-uri /errors Content-Se curity-Policy: default-src *; script-src htt ps://github.com https://a248.e.akamai.ne

Content-Security-Policy: X-WebKit-CSP: X-Content-Security-Policy:

default-src

script-src

style-src

object-src

img-src

media-src

frame-src

font-src

connect-src

Content-Security-Policy: img-scr ‘none’

Content-Security-Policy: img-scr ‘self’

Content-Security-Policy: img-scr ‘unsafe-inline’

Content-Security-Policy: img-scr ‘unsafe-eval’

Content-Security-Policy: img-scr https://me.com:443

ity-Policy: img-scr https:

ity-Policy: img-scr me.com

ity-Policy: img-scr *.me.com

ity-Policy: img-scr https://me.com

ity-Policy: img-scr me.com:443

Content-Security-Policy: default-src ‘self’; object-src h ttps://youtube.com; img-src http://foo.akami.com https://bar.akami.com;

report-uri

{ "csp-report": { "document-uri": "https://github.com/", "referrer": "", "blocked-uri": "self", "violated-directive":
"eval script base restriction", "source-file": "chrome://firebug/content/co...", "script-sample": "call to eval() or related...", "line-number": 166 } }

the end...

CSP

CSP

More Decks by Ben Toews

Other Decks in Technology

Featured

Transcript