Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers.
CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. Covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.
Status
The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004, first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as a W3C candidate recommendation, quickly followed by further versions (Level 2) published in 2014. The draft of Level 3 is being developed, with its new features being quickly adopted by web browsers.
The following header names are in use as part of experimental CSP implementations:
* Content-Security-Policy – standard header name proposed by the W3C document. Google Chrome supports this as of version 25. Firefox supports this as of version 23, released on 6 August 2013. WebKit supports this as of version 528 (nightly build). Chromium-based Microsoft Edge support is similar to Chrome's.
* X-WebKit-CSP – deprecated, experimental header introduced into Google Chrome, Safari and other WebKit-based web browsers in 2011.
* X-Content-Security-Policy – deprecated, experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1).
A website can declare multiple CSP headers, also mixing enforcement and report-only ones. Each header will be processed separately by the browser.
CSP can also be delivered within the HTML code using a meta tag, although in this case its effectiveness will be limited.
Internet Explorer 10 and Internet Explorer 11 also support CSP, but only the sandbox directive, using the experimental X-Content-Security-Policy header.
A number of web application frameworks support CSP, for example AngularJS (natively) and Django (middleware). Instructions for Ruby on Rails have been posted by GitHub. Web framework support is however only required if the CSP contents somehow depend on the web application's state, such as usage of the nonce origin. Otherwise, the CSP is rather static and can be delivered from web application tiers above the application, for example on a load balancer or web server.
Bypasses
In December 2015 and December 2016, a few methods of bypassing 'nonce' allowlisting origins were published. In January 2016, another method was published, which leverages server-wide CSP allowlisting to exploit old and vulnerable versions of JavaScript libraries hosted at the same server (a frequent case with CDN servers). In May 2017 one more method was published to bypass CSP using web application framework code.
Mode of operation

If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative allowlist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default:
* Inline JavaScript code
** <script> blocks
** DOM event handlers as HTML attributes (e.g. onclick)
** javascript: links
* Inline CSS statements
** <style> blocks
** style attributes on HTML elements
* Dynamic JavaScript code evaluation
** eval()
** string arguments for the setTimeout and setInterval functions
** the new Function() constructor
* Dynamic CSS statements
** the CSSStyleSheet.insertRule() method
While using CSP in a new application may be quite straightforward, especially with a CSP-compatible JavaScript framework, existing applications may require some refactoring, or relaxing the policy. Recommended coding practice for CSP-compatible web applications is to load code from external source files (<script src>), parse JSON instead of evaluating it, and use EventTarget.addEventListener() to set event handlers.
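How a compliant browser arrives at the verdicts listed above can be seen in a small evaluator. The following is an added example written for this article, not code from the article, the specification or any browser. It models script-src evaluation with default-src fallback, the 'unsafe-inline', 'unsafe-eval' and 'nonce-' source keywords, and the rule from the Status section that every delivered Content-Security-Policy header is processed separately, so a script runs only if all of them allow it. The header values, page origin and nonce are constructed for the demonstration, and host-source matching is simplified to scheme, host and wildcard subdomain (no port or path rules).

```javascript
// Added example (not from the article): a simplified model of how a browser
// decides whether a script may run under one or more Content-Security-Policy headers.

// Parse one header value ("script-src 'self' cdn.example; img-src *") into Map<directive, sources>.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; browsers keep the first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list governing a fetch directive, or null if this policy does not restrict it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one host-source expression (e.g. "https://*.example.com" or "https:") match a URL?
// Simplified: scheme, host and wildcard subdomain only; keywords such as 'self' never match here.
function hostSourceMatches(expr, url) {
  const u = new URL(url);
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol.toLowerCase() === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*']+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol.toLowerCase() !== `${scheme.toLowerCase()}:`) return false;
  const urlHost = u.hostname.toLowerCase();
  return wildcard ? urlHost.endsWith(`.${host.toLowerCase()}`) : urlHost === host.toLowerCase();
}

// One policy's verdict on a script "request":
//   { kind: 'external', url }   a <script src=...> fetch
//   { kind: 'inline', nonce }   an inline <script> block or event-handler attribute
//   { kind: 'eval' }            eval(), new Function(), string setTimeout/setInterval
function policyAllowsScript(policy, request, pageOrigin) {
  const sources = effectiveSources(policy, 'script-src');
  if (sources === null) return true;
  switch (request.kind) {
    case 'eval':
      return sources.includes("'unsafe-eval'");
    case 'inline': {
      if (request.nonce && sources.includes(`'nonce-${request.nonce}'`)) return true;
      // Once a nonce or hash source is present, 'unsafe-inline' is ignored (CSP Level 2 and later).
      const nonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
      return !nonceOrHash && sources.includes("'unsafe-inline'");
    }
    case 'external':
      return sources.some(expr =>
        expr === "'self'" ? new URL(request.url).origin === pageOrigin : hostSourceMatches(expr, request.url));
    default:
      return false;
  }
}

// Each delivered header is enforced separately: a script runs only if every policy allows it.
function scriptAllowed(headerValues, request, pageOrigin) {
  return headerValues.every(h => policyAllowsScript(parsePolicy(h), request, pageOrigin));
}

// Constructed demo: a strict policy set by the application plus a looser one added at the load balancer.
const DEMO_HEADERS = [
  "default-src 'self'; script-src 'self' https://cdn.example.net 'nonce-r4nd0m'",
  "script-src https: 'unsafe-inline' 'unsafe-eval'",
];
const PAGE_ORIGIN = 'https://app.example';

// scriptAllowed(DEMO_HEADERS, { kind: 'eval' }, PAGE_ORIGIN) is false: the second header's
// 'unsafe-eval' cannot re-enable what the first header forbids.
```

The combination rule is the practical point: adding a permissive header at another tier never loosens a stricter one already in place, which is why stacked headers tend to break pages rather than open them up.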
Reporting
Any time a requested resource or script execution violates the policy, the browser will fire a
POST
request to the value specified in
report-uri
or
report-to
containing details of the violation.
CSP reports are standard
JSON
JSON (JavaScript Object Notation, pronounced or ) is an open standard file format and electronic data interchange, data interchange format that uses Human-readable medium and data, human-readable text to store and transmit data objects consi ...
structures and can be captured either by application's own
API
An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how to build ...
or public CSP report receivers.
In 2018 security researchers showed how to send false positive reports to the designated receiver specified in
report-uri
. This allows potential attackers to arbitrarily trigger those alarms and might render them less useful in case of a real attack. This behaviour is intended and cannot be fixed, as the browser (client) is sending the reports.
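A receiver for these reports has to accept both wire formats and, since the client controls the content, treat them as untrusted input. The following is an added example written for this article, not code from any CSP report receiver or framework: it normalises the report-uri object form (CSP Level 2 field names) and the report-to Reporting API array form into one record shape, drops malformed reports, and caps the count per distinct violation so that a flood of forged reports cannot bury genuine ones. The sample report bodies, the cap value and the URLs in them are constructed.

```javascript
// Added example (not from the article): normalise and aggregate CSP violation reports.
// Two wire formats exist:
//   report-uri -> a single JSON object {"csp-report": {...}} with hyphenated field names
//   report-to  -> a JSON array of Reporting API reports, each {type: "csp-violation", body: {...}}

const MAX_PER_KEY = 100; // assumed cap per distinct violation; tune to your traffic

// Normalised field name, then its report-uri and report-to spellings.
const FIELD_MAP = [
  ['documentURL',        'document-uri',        'documentURL'],
  ['blockedURL',         'blocked-uri',         'blockedURL'],
  ['effectiveDirective', 'effective-directive', 'effectiveDirective'],
  ['originalPolicy',     'original-policy',     'originalPolicy'],
  ['disposition',        'disposition',         'disposition'],
  ['sourceFile',         'source-file',         'sourceFile'],
  ['lineNumber',         'line-number',         'lineNumber'],
  ['sample',             'script-sample',       'sample'],
];

function pick(body, legacyName, modernName) {
  if (body[legacyName] !== undefined) return body[legacyName];
  if (body[modernName] !== undefined) return body[modernName];
  return null;
}

// Turn one report body into a record; throws if the fields needed to act on it are missing.
function normaliseOne(body) {
  const rec = {};
  for (const [name, legacy, modern] of FIELD_MAP) rec[name] = pick(body, legacy, modern);
  // Older report-uri senders omit effective-directive; derive it from violated-directive's first token.
  if (!rec.effectiveDirective && typeof body['violated-directive'] === 'string') {
    rec.effectiveDirective = body['violated-directive'].split(/\s+/)[0];
  }
  if (typeof rec.documentURL !== 'string' || typeof rec.effectiveDirective !== 'string') {
    throw new Error('report missing document URL or directive');
  }
  return rec;
}

// Parse a raw POST body into normalised records. Malformed input yields fewer records, never an exception.
function parseReports(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return []; }
  const bodies = [];
  if (parsed && typeof parsed === 'object' && !Array.isArray(parsed) && parsed['csp-report']) {
    bodies.push(parsed['csp-report']);
  } else if (Array.isArray(parsed)) {
    for (const r of parsed) if (r && r.type === 'csp-violation' && r.body) bodies.push(r.body);
  }
  const out = [];
  for (const b of bodies) { try { out.push(normaliseOne(b)); } catch { /* drop malformed report */ } }
  return out;
}

// Count distinct violations with a per-key cap: reports are client-generated and cannot be authenticated,
// so the receiver limits how much any single (page, directive, blocked URL) triple can inflate the alarm.
class ReportAggregator {
  constructor(maxPerKey = MAX_PER_KEY) { this.maxPerKey = maxPerKey; this.counts = new Map(); }
  key(rec) { return `${rec.documentURL}|${rec.effectiveDirective}|${rec.blockedURL}`; }
  add(rec) {
    const k = this.key(rec);
    const n = this.counts.get(k) || 0;
    if (n >= this.maxPerKey) return false; // dropped once the cap is reached
    this.counts.set(k, n + 1);
    return true;
  }
}

// Constructed sample inputs (not captured reports).
const SAMPLE_LEGACY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.example/', 'blocked-uri': 'https://third-party.example/x.js',
  'violated-directive': "script-src 'self'", 'original-policy': "default-src 'self'; report-uri /csp" } });
const SAMPLE_MODERN = JSON.stringify([{ type: 'csp-violation', age: 10, url: 'https://app.example/', body: {
  documentURL: 'https://app.example/', blockedURL: 'inline', effectiveDirective: 'script-src',
  originalPolicy: "default-src 'self'", disposition: 'enforce' } }]);
```

The aggregation key deliberately leaves out volatile fields such as line numbers and script samples, so repeated reports of the same problem collapse into one counter rather than into a stream of distinct alerts.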
Browser add-ons and extensions exemption
According to the original CSP (1.0) Processing Model (2012–2013), CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP would have effectively allowed any add-on, extension, or bookmarklet to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies.
However, this policy has since been modified (as of CSP 1.1) with the following wording. Note the use of the word "may" instead of the prior absolute "should (not)" wording:
Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.
The absolute "should" wording was being used by browser users to request/demand adherence to the policy and have changes installed in popular browsers (Firefox, Chrome, Safari) to support it. This was particularly contentious when sites like Twitter and GitHub started using strong CSP policies, which 'broke' the use of Bookmarklets.
The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, it has been argued to the working group by a representative of Cox Communications that this exemption is a potential security hole that could be exploited by malicious or compromised add-ons or extensions.
Complementary measures
A number of new browser security standards are being proposed by W3C, most of them complementary to CSP:
* Subresource Integrity (SRI), to ensure only known, trusted resource files (typically JavaScript, CSS) are loaded from third-party servers (typically CDNs)
* Mixed Content, to clarify the browser's intended policy on pages loaded over HTTPS that link content over plaintext HTTP
* Upgrade Insecure Requests, hinting browsers on how to handle legacy links on pages migrated to HTTPS
* Credential Management, a unified JavaScript API to access a user's credentials to facilitate complex login schemes
* Referrer Policy, a CSP extension to hint the browser on generation of the Referer headers
See also
* Same-origin policy
* NoScript – anti-XSS protection and Application Boundaries Enforcer (ABE), extension for Firefox
* HTTP Switchboard – user defined CSP rules, extension for Google Chrome and Opera
* HTTP Strict Transport Security
* HTTP Public Key Pinning
External links
* Content Security Policy W3C Working Draft
* Content Security Policy (CSP) on MDN Web Docs