Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers.
CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website. Covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets and ActiveX, audio and video files, and other HTML5 features.
Status
The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004, first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as a W3C candidate recommendation, and further versions (Level 2) followed in 2014. A draft of Level 3 is being developed, with its new features being quickly adopted by web browsers.
The following header names are in use as part of experimental CSP implementations:
* Content-Security-Policy – standard header name proposed by the W3C document. Google Chrome supports this as of version 25. Firefox supports this as of version 23, released on 6 August 2013. WebKit supports this as of version 528 (nightly build). Chromium-based Microsoft Edge support is similar to Chrome's.
* X-WebKit-CSP – deprecated, experimental header introduced into Google Chrome, Safari and other WebKit-based web browsers in 2011.
* X-Content-Security-Policy – deprecated, experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1).
A website can declare multiple CSP headers, also mixing enforcement and report-only ones. Each header will be processed separately by the browser.
CSP can also be delivered within the HTML code using an HTML META tag, although in this case its effectiveness will be limited.
Internet Explorer 10 and Internet Explorer 11 also support CSP, but only the sandbox directive, using the experimental X-Content-Security-Policy header.
A number of web application frameworks support CSP, for example AngularJS (natively) and Django (middleware). Instructions for Ruby on Rails have been posted by GitHub. Web framework support is however only required if the CSP contents somehow depend on the web application's state, such as usage of the nonce origin. Otherwise, the CSP is rather static and can be delivered from web application tiers above the application, for example on a load balancer or web server.
A number of new browser security standards are being proposed by W3C, most of them complementary to CSP:
* Subresource Integrity (SRI), to ensure only known, trusted resource files (typically JavaScript, CSS) are loaded from third-party servers (typically CDNs)
* Mixed Content, to clarify the intended browser's policy on pages loaded over HTTPS and linking content over plaintext HTTP
* Upgrade Insecure Requests, hinting browsers on how to handle legacy links on pages migrated to HTTPS
* Credential Management, a unified JavaScript API to access user's credentials to facilitate complex login schemes
* Referrer Policy, CSP extension to hint the browser on generation of the Referer headers
Bypasses
In December 2015 and December 2016, a few methods of bypassing 'nonce' allowlisting origins were published. In January 2016, another method was published, which leverages server-wide CSP allowlisting to exploit old and vulnerable versions of JavaScript libraries hosted at the same server (frequent case with CDN servers). In May 2017 one more method was published to bypass CSP using web application frameworks code.
Mode of operation
If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative allowlist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default:
* Inline JavaScript code
** script blocks,
** DOM event handlers as HTML attributes (e.g. onclick)
** javascript: links
* Inline CSS statements
** style blocks
** style attributes on HTML elements
* Dynamic JavaScript code evaluation
** eval()
** string arguments for the setTimeout and setInterval functions
** the new Function() constructor
* Dynamic CSS statements
** the CSSStyleSheet.insertRule() method
While using CSP in a new application may be quite straightforward, especially with a CSP-compatible JavaScript framework, existing applications may require some refactoring, or relaxing the policy. Recommended coding practice for CSP-compatible web applications is to load code from external source files (script elements with a src attribute), parse JSON instead of evaluating it, and use EventTarget.addEventListener() to set event handlers.
Notes
Reporting
Any time a requested resource or script execution violates the policy, the browser will fire a POST request to the value specified in report-uri or report-to containing details of the violation.
CSP reports are standard JSON structures and can be captured either by the application's own API or by public CSP report receivers.
In 2018 security researchers showed how to send false positive reports to the designated receiver specified in report-uri. This allows potential attackers to arbitrarily trigger those alarms and might render them less useful in case of a real attack. This behaviour is intended and cannot be fixed, as the browser (client) is sending the reports.
Browser add-ons and extensions exemption
According to the original CSP (1.0) Processing Model (2012–2013), CSP should not interfere with the operation of browser add-ons or extensions installed by the user. This feature of CSP would have effectively allowed any add-on, extension, or bookmarklet to inject script into web sites, regardless of the origin of that script, and thus be exempt from CSP policies.
However, this policy has since been modified (as of CSP 1.1) with the following wording. Note the use of the word "may" instead of the prior absolute "should (not)" wording:
Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.
The absolute "should" wording was being used by browser users to request/demand adherence to the policy and have changes installed in popular browsers (Firefox, Chrome, Safari) to support it. This was particularly contentious when sites like Twitter and GitHub started using strong CSP policies, which 'broke' the use of Bookmarklets.
The W3C Web Application Security Working Group considers such script to be part of the Trusted Computing Base implemented by the browser; however, it has been argued to the working group by a representative of Cox Communications that this exemption is a potential security hole that could be exploited by malicious or compromised add-ons or extensions.
See also
* Same-origin policy
* NoScript – anti-XSS protection and Application Boundaries Enforcer (ABE), extension for Firefox
* HTTP Switchboard – user defined CSP rules, extension for Google Chrome and Opera
* HTTP Strict Transport Security
* HTTP Public Key Pinning
External links
* Content Security Policy W3C Working Draft
* Content Security Policy (CSP) on MDN Web Docs