Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CSP
Search
Ben Toews
January 10, 2013
Technology
310
7
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
CSP
Content Security Policy
Ben Toews
January 10, 2013
More Decks by Ben Toews
See All by Ben Toews
GitHub AppSec: Keeping up with 111 prolific engineers
mastahyeti
0
130
The sky is falling: Nephological tales of security woe
mastahyeti
0
50
State of the Union: Advances in Web Application and Browser Security
mastahyeti
2
120
Other Decks in Technology
See All in Technology
AWS Summit の片隅で、体育座りしながらコミュニティがにぎわう理由を考えた
k_adachi_01
2
370
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
2
3.4k
デジタル・デザイン:次の50年を描く「進化する青写真」
y150saya
0
840
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
2
3.2k
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
290
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
250
【Claude Code】鹿野さんに聞く 私の推しの並行開発環境 大公開 / claude-code-parallel-2026-07-15
tonkotsuboy_com
9
4.5k
最近評価が難しくなった
maroon8021
0
270
Claude Code 珍プレー好プレー
shinyasaita
0
310
オブザーバビリティ、本当に活用できてる? 〜API連携×生成AIで成熟度を自動評価〜
dmmsre
1
2.7k
最適な自走を最小限の支援で — M&Aで拡大する組織で少人数SREが挑んだ1年 / SRE NEXT 2026
genda
0
900
[2026-07-15] AI Ready なはずだったアーキテクチャと、見えてきた課題・次に目指す状態
wxyzzz
4
1.9k
Featured
See All Featured
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
370
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
490
Speed Design
sergeychernyshev
33
1.9k
HDC tutorial
michielstock
2
740
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
Statistics for Hackers
jakevdp
799
230k
Site-Speed That Sticks
csswizardry
13
1.2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
Leo the Paperboy
mayatellez
8
1.9k
Designing for humans not robots
tammielis
254
26k
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.6k
Mind Mapping
helmedeiros
PRO
1
280
Transcript
csp ben toews github
the problem
None
<script>alert(123)</script>
the old fix
<script>alert(123)</script>
the problem
None
<script>alert(123)</script>
the new fix
csp
<a onclick=‘doit()’>123</a>
<a onclick=‘doit()’>123</a>
<a href=‘javascript:doit()’>123</a>
<a href=‘javascript:doit()’>123</a>
<a style=‘display: block’>123</a>
<a style=‘display: block’>123</a>
csp = no javascript + no css = 1995?
csp = source whitelisting!
X-Content-Security-Policy: default-src *; script-src https://github.com https://a24 8.e.akamai.net https://jobs.github.com h ttps://ssl.google-analytics.com
https://s ecure.gaug.es https://gist.github.com; s tyle-src https://github.com https://a248. e.akamai.net https://jobs.github.com htt ps://ssl.google-analytics.com https://sec ure.gaug.es https://gist.github.com 'uns afe-inline'; report-uri /errors Content-Se curity-Policy: default-src *; script-src htt ps://github.com https://a248.e.akamai.ne
Content-Security-Policy: X-WebKit-CSP: X-Content-Security-Policy:
default-src
script-src
style-src
object-src
img-src
media-src
frame-src
font-src
connect-src
Content-Security-Policy: img-scr ‘none’
Content-Security-Policy: img-scr ‘self’
Content-Security-Policy: img-scr ‘unsafe-inline’
Content-Security-Policy: img-scr ‘unsafe-eval’
Content-Security-Policy: img-scr https://me.com:443
ity-Policy: img-scr https:
ity-Policy: img-scr me.com
ity-Policy: img-scr *.me.com
ity-Policy: img-scr https://me.com
ity-Policy: img-scr me.com:443
Content-Security-Policy: default-src ‘self’; object-src h ttps://youtube.com; img-src http://foo.akami.com https://bar.akami.com;
report-uri
{ "csp-report": { "document-uri": "https://github.com/", "referrer": "", "blocked-uri": "self", "violated-directive":
"eval script base restriction", "source-file": "chrome://firebug/content/co...", "script-sample": "call to eval() or related...", "line-number": 166 } }
the end...