
A primer on Content Security Policy

Content Security Policy (CSP) is a security concept that aims to prevent XSS and other forms of browser-based attacks right where they happen: in the browser. CSP has been around for a little while, but it is only now that browser vendors are closing in on implementing most of the W3C specification.

This talk will take a look at what CSP is, why it matters and how to use it with Ruby-based web applications.

References: https://gist.github.com/polarblau/9efa552df23b3cd8f967

Florian Plank

October 02, 2014

Transcript

  1. XSS

  2. <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

     <IMG SRC="jav&#x0A;ascript:alert('XSS');">

     <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

     <IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
  3. require 'rack'

     # Rack middleware that sets a fixed CSP header on every response.
     class CSP
       def initialize(app, options={})
         @app = app
       end

       def call(env)
         status, headers, body = @app.call(env)
         response = Rack::Response.new body, status, headers
         # Only scripts served from the page's own origin may run.
         response['Content-Security-Policy'] = "script-src 'self'"
         response.finish
       end
     end
  4. require 'json'
     require 'logger'

     # Rack endpoint that receives the violation reports browsers POST to report-uri.
     class CSPReporter
       def call(env)
         report_data = JSON.parse(env['rack.input'].read)
         # The browser wraps the report in a top-level 'csp-report' key.
         report_data = report_data['csp-report']

         if report_data
           Logger.new('logs/csp_report.log').warn(format_report(report_data))
         end

         # The browser ignores the response body; answer with an empty 204.
         [204, {}, []]
       end

       private

       def format_report(data)
         # ...
       end
     end
  5. default: &default
       scope: "*"
       directives:
         - scripts: self https://google.com

     report:
       <<: *default
       directives:
         - report_uri: /csp_report
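The middleware and reporter slides above hard-code one directive and leave the report parsing elided. The following is an added example, not code from the slides or the linked gist: it builds the header from a directives hash, can emit the Report-Only variant for rolling a policy out without blocking anything, and parses the fields of a violation report that are worth logging. The sample report is constructed, not a real browser capture, and the function names are my own.

```ruby
require 'json'

# Builds a Content-Security-Policy header value from a directives hash,
# e.g. { 'script-src' => ["'self'", 'https://google.com'] }.
def build_csp(directives, report_uri: nil)
  parts = directives.map { |name, sources| "#{name} #{Array(sources).join(' ')}" }
  parts << "report-uri #{report_uri}" if report_uri
  parts.join('; ')
end

# Rack middleware: adds the policy to every response. With report_only: true
# it sets Content-Security-Policy-Report-Only, so the browser reports
# violations but does not block them (useful while testing a new policy).
class CSP
  def initialize(app, directives, report_uri: nil, report_only: false)
    @app = app
    @header = report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
    @value = build_csp(directives, report_uri: report_uri)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers[@header] = @value
    [status, headers, body]
  end
end

# Extracts the fields worth logging from the JSON a browser POSTs to report-uri.
# Returns nil when the body is not a CSP report, so junk POSTs are not logged.
def parse_csp_report(json)
  report = JSON.parse(json)['csp-report']
  return nil unless report.is_a?(Hash)
  {
    document:  report['document-uri'],
    directive: report['violated-directive'] || report['effective-directive'],
    blocked:   report['blocked-uri'],
    policy:    report['original-policy']
  }
end

# Constructed sample report in the shape browsers send (not a real capture).
SAMPLE_REPORT = <<~JSON
  {"csp-report": {"document-uri": "https://example.com/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://evil.example/x.js",
    "original-policy": "script-src 'self'; report-uri /csp_report"}}
JSON
```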