This overview highlights a defense that can significantly reduce the risk and impact of XSS attacks in modern browsers: Content Security Policy (CSP).
The CSP security standard enables web developers to control the resources (script, CSS, plugins, images, etc.) which a particular page can fetch or execute with the aim of preventing cross-site scripting (XSS), clickjacking, and other code injection attacks seeking to execute malicious content in the context of a trusted web page.
From OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)
Enabling a Content Security Policy (CSP) is a defense-in-depth mitigating control against XSS.
This is controlled via the Content-Security-Policy HTTP response header (a policy can also be delivered in a <meta http-equiv="Content-Security-Policy"> tag, but that form cannot carry frame-ancestors, report-uri or sandbox, and there is no meta equivalent of Report-Only). The CSP Cheat Sheet “is a concise overview of all supported features and directives” and “can be used as a quick reference guide” because of the many examples and external links. CSP is supported at various levels in all major browsers (see https://caniuse.com/#search=Content%20Security%20Policy). Twitter even sends different policies to different browsers (see secureheaders/policy_management.rb at master · twitter/secureheaders · GitHub ), but they could do even better (see Optimising Twitter’s CSP header).
Some articles for getting started:
- Google Online Security Blog: Reshaping web defenses with strict Content Security Policy
- Introduction - Content Security Policy
- My Blog Now Has a Content Security Policy - Here’s How I’ve Done It
- A proper Content Security Policy Generator | 4ARMED
- How to Get Started with a Content Security Policy
- Building a Content Security Policy configuration with CSP Auditor
- GitHub’s post-CSP journey | GitHub Engineering
- Making CSP great again! - Michele Spagnuolo and Lukas Weichselbaum // Speaker Deck
- Learning Path: Modern Web Pillars—Security [Learning Path] (Safari Online Video)
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. Violation reports are POSTed as JSON to the endpoint named by the policy’s report-uri (or report-to) directive; without one, violations only show up in the browser console. Several tools leverage this browser reporting to help developers create policies:
- Fiddler: GitHub - david-risney/CSP-Fiddler-Extension: Content Security Policy rule collector extension for Fiddler
- OWASP ZAP: GitHub - GoSecure/csp-auditor: Burp and ZAP plugin to analyse Content-Security-Policy headers or generate template CSP c…
- Chrome: GitHub - 4ARMED/csp-generator-extension: Google Chrome Extension for interacting with 4ARMED’s Content Security Policy G… along with GitHub - 4ARMED/csp-backend: Sinatra app that accepts CSP violation reports and generates policies based on them.
- Report URI CSP Wizard: https://scotthelme.co.uk/report-uri-csp-wizard/
- Report URI: https://report-uri.com/home/tools
- Firefox: Display security and privacy policies - Firefox Developer Tools | MDN
- Google: CSP Evaluator
- GitHub - nico3333fr/CSP-useful: Collection of scripts, thoughts about CSP (Content Security Policy)
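The tools above all do some version of the same job: collect the JSON that browsers POST to the report-uri endpoint and turn it into policy suggestions. The following is an added example of that step, not code from any of the listed tools. It assumes the CSP Level 2 report body shape (one top-level "csp-report" object); the report contents and hostnames are constructed, and the review split exists because a policy generator must never add 'unsafe-inline' or data: to script-src just because reports asked for them, since that is exactly what an attacker’s injected script shows up as.

```python
"""Aggregate CSP violation reports into candidate policy additions.

Added example for this page; it is not code from any of the tools listed
above.  It reads the JSON body a browser POSTs to a report-uri endpoint
(Content-Type application/csp-report, one top-level "csp-report" object).
The sample reports and hostnames below are constructed."""
import json
from collections import defaultdict
from urllib.parse import urlsplit


def parse_report(body):
    """Return the csp-report object from one POSTed report body."""
    return json.loads(body)["csp-report"]


# Values browsers put in blocked-uri instead of a URL: Chrome reports
# "inline" and "eval" for inline/eval violations and only the scheme
# ("data", "blob") for non-HTTP(S) resources.
SPECIAL_BLOCKED = {
    "inline": "'unsafe-inline'",
    "eval": "'unsafe-eval'",
    "data": "data:",
    "blob": "blob:",
}

# Sources that need a human decision rather than automatic allow-listing.
NEEDS_REVIEW = {"'unsafe-inline'", "'unsafe-eval'", "data:", "(unknown)"}


def source_for(blocked_uri):
    """Map a blocked-uri to the source expression that would allow it
    (origin only, so one entry covers every path on that host)."""
    if blocked_uri in SPECIAL_BLOCKED:
        return SPECIAL_BLOCKED[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return "(unknown)"


def aggregate(bodies):
    """Count reports per effective directive and candidate source.

    CSP Level 2 browsers put the full directive text ("script-src 'self'")
    in violated-directive and just the name in effective-directive; Level 3
    browsers put the name in both.  Taking the first token covers both.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for body in bodies:
        report = parse_report(body)
        directive = (report.get("effective-directive")
                     or report["violated-directive"]).split()[0]
        counts[directive][source_for(report.get("blocked-uri", ""))] += 1
    return {d: dict(s) for d, s in counts.items()}


def suggest(counts, min_reports=2):
    """Split aggregated sources into additions that can be allow-listed and
    ones that need review.  Sources seen fewer than min_reports times are
    dropped: one-off reports are usually browser extensions or noise."""
    allow, review = {}, {}
    for directive, sources in counts.items():
        for src, n in sources.items():
            if n < min_reports:
                continue
            bucket = review if src in NEEDS_REVIEW else allow
            bucket.setdefault(directive, []).append(src)
    return ({d: sorted(s) for d, s in allow.items()},
            {d: sorted(s) for d, s in review.items()})


def render(additions):
    """Serialise suggested additions as a CSP header fragment."""
    return "; ".join(f"{d} {' '.join(srcs)}"
                     for d, srcs in sorted(additions.items()))


def _report(directive, blocked):
    """Build one constructed report body in the browser's JSON shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://app.example/account",
        "violated-directive": directive,
        "effective-directive": directive,
        "blocked-uri": blocked,
        "original-policy": "default-src https:; script-src 'self'; report-uri /csp",
    }})


# Constructed reports: two origins worth allowing, two inline-script hits
# that need review, and a single data: image below the threshold.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example/lib/app.js"),
    _report("script-src", "https://cdn.example/lib/vendor.js"),
    _report("script-src", "https://cdn.example/lib/app.js"),
    _report("script-src", "inline"),
    _report("script-src", "inline"),
    _report("connect-src", "wss://ws.example:8443/socket"),
    _report("connect-src", "wss://ws.example:8443/socket"),
    _report("img-src", "data"),
]

if __name__ == "__main__":
    allow, review = suggest(aggregate(SAMPLE_REPORTS))
    print("add to policy:", render(allow))
    print("needs review: ", render(review))
```

Running it on the constructed reports proposes `connect-src wss://ws.example:8443; script-src https://cdn.example` as additions and holds `script-src 'unsafe-inline'` back for review; the data: image is dropped because it was reported only once.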
Since an invalid or overly strict policy will break a web application, testing is important. A good strategy is to start with a basic policy (like the one below, which forces all content to load over HTTPS) and tighten it from there. Note that even this starting point disallows inline scripts, styles and event handlers (there is no 'unsafe-inline'), so pages that rely on them will break, and that a scheme-only source such as https: still allows script from any HTTPS origin, so it does little against XSS until script-src is restricted to specific hosts or to nonces/hashes.
Content-Security-Policy: default-src https:; form-action https:; connect-src https: wss:; upgrade-insecure-requests
How to implement Content Security Policy? | DareBoost Blog comments “that it is possible to use both Content-Security-Policy and Content-Security-Policy-Report-Only headers”, so a basic policy can be enforced while a stricter candidate policy is only reported on, either in a lower environment or as part of a testing suite. The browser evaluates the two policies independently: the enforced one blocks, the report-only one only reports, and each can name its own report-uri.
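Before a candidate policy is promoted from Report-Only to enforced it is worth running it through a checker such as the CSP Evaluator listed above. The following is an added example of a few of the checks such a tool makes, written for this page rather than taken from the CSP Evaluator, and run against the starting policy above and a constructed nonce-based policy (the nonce value is a placeholder for a per-response random value).

```python
"""Lint a CSP header value before promoting it from Report-Only to enforced.

Added example for this page, not the CSP Evaluator's own code; it implements
a few of the checks that tool makes.  STRICT_POLICY is a constructed
illustration and its nonce is a placeholder."""

# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_policy(header):
    """Parse a header value into {directive: [source expressions]}.
    Browsers keep the first occurrence of a directive and ignore later
    duplicates, so the parser does the same."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective(policy, directive):
    """Sources that govern `directive` after default-src fallback.
    None means nothing governs it, i.e. it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def lint(header):
    """Return (directive, message) findings for common XSS bypasses."""
    policy = parse_policy(header)
    findings = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append(("script-src",
                         "no script-src or default-src: script from anywhere is allowed"))
    else:
        if ("'unsafe-inline'" in script
                and not any(s.startswith(NONCE_OR_HASH) for s in script)):
            findings.append(("script-src",
                             "'unsafe-inline' without a nonce or hash: injected inline script runs"))
        if "'unsafe-eval'" in script:
            findings.append(("script-src", "'unsafe-eval': injected strings can reach eval()"))
        # With 'strict-dynamic' a CSP3 browser ignores host and scheme sources,
        # so they are only a problem when it is absent.
        if "'strict-dynamic'" not in script:
            for src in script:
                if src in ("*", "http:", "https:", "data:") or src.startswith("*."):
                    findings.append(("script-src",
                                     f"{src} allows script from any matching origin; "
                                     "an injected <script src> still loads"))

    if effective(policy, "object-src") != ["'none'"]:
        findings.append(("object-src", "not 'none': plugin content can execute script"))
    if "base-uri" not in policy:
        findings.append(("base-uri",
                         "missing: an injected <base> tag redirects relative script URLs"))
    return findings


# The starting policy from this page.
STARTING_POLICY = ("default-src https:; form-action https:; "
                   "connect-src https: wss:; upgrade-insecure-requests")

# Constructed nonce-based policy of the kind the strict-CSP article above
# recommends; NONCE-PLACEHOLDER stands for a fresh random value per response.
STRICT_POLICY = ("default-src 'self'; "
                 "script-src 'nonce-NONCE-PLACEHOLDER' 'strict-dynamic'; "
                 "object-src 'none'; base-uri 'none'; form-action 'self'; "
                 "upgrade-insecure-requests")

if __name__ == "__main__":
    for name, header in (("starting", STARTING_POLICY), ("strict", STRICT_POLICY)):
        findings = lint(header)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, message in findings:
            print(f"  {directive}: {message}")
```

On the starting policy the linter reports three findings (script-src is governed by the scheme-only https: fallback, object-src is not 'none', and base-uri is missing), which is the gap between "everything over HTTPS" and a policy that actually stops script injection; the constructed nonce-based policy produces none.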