02 July 2013

Time to Review/Implement Content Security Policy v1.0

Content Security Policy v1.0 is now (mostly) supported by Firefox (23+) and Chrome (25+). There is also partial support in Internet Explorer (10+), which implements only the sandbox directive and only via the prefixed X-Content-Security-Policy header.

Photograph of a sculpture at Tate Modern, London, formed from hanging clear and smoked glass plates in a room with a blue line drawn around the wall

Content Security Policy is an HTTP response header set by the server and enforced by the web browser (client) as a defence-in-depth measure against cross-site scripting and other content-injection vulnerabilities. The experimental headers X-Content-Security-Policy (Firefox) and X-WebKit-CSP (Chrome and Safari) should now be replaced by the standard Content-Security-Policy header.

The announcement by Mozilla regarding support for v1.0 in Firefox provided a good overview of recent changes and links to further information resources.

The steps I would recommend to introduce Content Security Policy (CSP) are:

  1. Choose one pilot web application and a single functional area with greater security assurance requirements (e.g. payment, checkout, order submission, authentication)
  2. Create a change request for deployment to production and assess the risks
  3. Attempt to remove all inline JavaScript, all inline styles and as much third-party content as possible from the functional area
  4. Create an initial Content-Security-Policy header in development, test locally and apply to staging/test systems
  5. Run the existing tests for the functional area in the latest, recent and legacy web browsers, since CSP is enforced by the browser and behaviour differs between versions
  6. Make changes to code and/or the policy to determine what can be achieved
  7. Build a mechanism to collect the violation reports, ensuring all data is treated as untrusted and is correctly encoded when utilised, and add a report-uri directive to the header to verify the mechanism
  8. In production, add the directives as a Content-Security-Policy-Report-Only header to the functional area (i.e. not as a Content-Security-Policy header)
  9. Monitor and assess the violation reports
  10. Adjust the policy as necessary and re-test, and re-deploy
  11. Once approved, change the header from Content-Security-Policy-Report-Only to an enforced Content-Security-Policy header for a test group of users
  12. Monitor and update the policy as necessary, and re-test/re-deploy
  13. Gradually extend to all users
  14. Update coding standards so that future development is compatible with the CSP
  15. Repeat for other functional areas
  16. Apply CSP policies to the remainder of the web application (with differing policies as necessary).

This blog's CSP header tells the browser to load resources only from the page's own origin or from other origins served over TLS (the https: scheme source matches any HTTPS origin, so this is wider than 'self' alone), to load no frames or iframes at all (note that frame-src governs what the page embeds; protecting the page from being framed by others still needs X-Frame-Options), and to permit inline styles via the style-src directive. Because script-src is not set it inherits default-src, which contains neither 'unsafe-inline' nor 'unsafe-eval', so inline scripts and eval remain blocked. A URL is also specified to receive CSP violation reports. The header is:

default-src https: 'self'; frame-src 'none'; style-src 'self' 'unsafe-inline'; report-uri https://www.clerkendweller.uk/report-csp.php

I have also noticed some inconsistencies between web browsers in the handling of inline styles, and also in the use of the frame-src directive. It is expected these anomalies will disappear as use of the header broadens and deployment matures. As usual it is necessary to test the use of the header across multiple browser types and versions. There also seems to be an issue with some bookmarking tools and browser extensions causing false positive reports, so use of the report-uri directive can be somewhat noisy in public parts of web applications.
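As an added example (not the original post's code, and not the report-csp.php script the header above points at), the following Python module shows two of the steps in the procedure above in working code: serialising a policy such as the one quoted above and choosing between the Content-Security-Policy-Report-Only and enforced header names (steps 4, 8 and 11), and a violation-report collector that treats the posted JSON as untrusted (step 7): it keeps only the fields CSP 1.0 defines, rejects wrong types, strips control characters, truncates, HTML-encodes values before display and flags reports whose blocked URI carries a browser-extension scheme as probable noise. The header names, directive syntax and the csp-report field names follow CSP 1.0; the size limits, the list of extension schemes and the sample report are assumptions constructed for the example.

```python
"""Added example: CSP 1.0 header builder and an untrusted-input violation-report collector."""
import html
import json
import urllib.parse

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"


def build_policy(directives):
    """Serialise {directive: [source, ...]} into a CSP 1.0 header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def csp_header(directives, enforce):
    """Return (header-name, header-value); enforce=False selects the Report-Only header."""
    return (ENFORCE_HEADER if enforce else REPORT_ONLY_HEADER), build_policy(directives)


# Fields CSP 1.0 places inside the "csp-report" object; anything else is dropped.
REPORT_FIELDS = ("document-uri", "referrer", "blocked-uri", "violated-directive", "original-policy")
MAX_FIELD_LEN = 1024        # assumption: cap attacker-controlled strings before storage
MAX_BODY_BYTES = 16 * 1024  # assumption: reject oversized posts before parsing

# Assumption: blocked URIs with these schemes originate from browser extensions, not the page.
NOISE_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")


class BadReport(ValueError):
    """Raised for anything that is not a well-formed CSP 1.0 violation report."""


def is_probable_noise(blocked_uri):
    """True when the blocked URI's scheme belongs to a browser extension.
    Some browsers send only the bare scheme, so fall back to the whole string."""
    scheme = urllib.parse.urlsplit(blocked_uri).scheme.lower() or blocked_uri.lower()
    return scheme in NOISE_SCHEMES


def parse_report(body):
    """Parse a posted report (bytes) into a dict of sanitised strings, or raise BadReport."""
    if len(body) > MAX_BODY_BYTES:
        raise BadReport("report too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadReport(f"not JSON: {exc}")
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise BadReport("missing csp-report object")
    clean = {}
    for field in REPORT_FIELDS:
        value = report.get(field, "")
        if not isinstance(value, str):
            raise BadReport(f"{field} is not a string")
        # Drop control characters so a report cannot forge log lines, then truncate.
        clean[field] = "".join(ch for ch in value if ch.isprintable())[:MAX_FIELD_LEN]
    if not clean["violated-directive"]:
        raise BadReport("violated-directive is empty")
    clean["likely_noise"] = is_probable_noise(clean["blocked-uri"])
    return clean


def render_row(report):
    """HTML table row for a review page; every value is encoded before output."""
    cells = "".join(f"<td>{html.escape(report[f])}</td>" for f in REPORT_FIELDS)
    return f"<tr>{cells}</tr>"


# The policy quoted in the post, as a directive map.
EXAMPLE_POLICY = {
    "default-src": ["https:", "'self'"],
    "frame-src": ["'none'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "report-uri": ["https://www.clerkendweller.uk/report-csp.php"],
}

# Constructed sample report (not a real browser submission): it carries an extra
# field that must be dropped and markup in blocked-uri that must be encoded.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.clerkendweller.uk/",
    "referrer": "",
    "blocked-uri": "http://evil.example/x.js?<script>alert(1)</script>",
    "violated-directive": "default-src https: 'self'",
    "original-policy": build_policy(EXAMPLE_POLICY),
    "unexpected": {"nested": True},
}}).encode("utf-8")

if __name__ == "__main__":
    print(csp_header(EXAMPLE_POLICY, enforce=False))
    parsed = parse_report(SAMPLE_REPORT)
    print(parsed)
    print(render_row(parsed))
```

The collector deliberately never echoes a report field unencoded and never stores more than a bounded string per field: report-uri endpoints are reachable by anyone who can make a browser (or a script pretending to be one) POST to them, so the report content is as untrusted as any other form submission.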

Content Security Policy v1.1 is now also in progress, but do not let this on-going work delay implementation of v1.0 now.

Posted on: 02 July 2013 at 18:55 hrs


Comments


Nice article!

Please feel encouraged to file bugs for the inconsistencies you're seeing. I'd be happy to address Chromium issues, for example. :)

-mike
Added by Mike West, 03 July 2013 at 07:08 hrs
Thanks Mike. I'll aggregate the issues I'm seeing and file them.
Added by Clerkendweller, 03 July 2013 at 08:57 hrs
Thanks! http://crbug.com/new is the right place to drop new issues, but feel free to email me directly to make sure I see the bugs [removed].

-mike
Added by Mike West, 03 July 2013 at 09:06 hrs

Page https://www.clerkendweller.uk/2013/7/2/Time-to-Review-Implement-Content-Security-Policy-version-1-0

© 2013-2015 clerkendweller.uk