Edit summary of the previous revision: m (→X-Content-Type-Options: add version of firefox that includes support for this feature)
Edit summary of this revision: (updates to CSP)
Line 330: | Line 330: | ||
* Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https. | * Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https. | ||
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection. | * For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection. | ||
* | * It recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in sources as revealed during testing. | ||
* In lieu of the preferred HTTP header, pages can instead include a <tt><meta http-equiv="Content-Security-Policy" content="…"></tt> tag. If they do, it should be the first <tt><meta></tt> tag that appears inside <tt><head></tt>. | * In lieu of the preferred HTTP header, pages can instead include a <tt><meta http-equiv="Content-Security-Policy" content="…"></tt> tag. If they do, it should be the first <tt><meta></tt> tag that appears inside <tt><head></tt>. | ||
* Care needs to be taken with <tt> | * Care needs to be taken with <tt>data:</tt> URIs, as these as unsafe inside <tt>script-src</tt> (or inherited from <tt>default-src</tt>). | ||
* Similarly, the use of <tt>script-src 'self'</tt> can be unsafe for sites with JSONP endpoints. These sites should use a <tt>script-src</tt> that includes the path to their JavaScript source folder(s). | |||
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with <tt>object-src 'none'</tt>. | |||
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly. | * Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly. | ||
* Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy. | * Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy. | ||
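Review bot: The new bullet in this region reads "It recommended to start with…" and should be "It is recommended to start with…"; the edited data: bullet has a similar slip, "as these as unsafe inside script-src" should be "as these are unsafe inside script-src". While this list is being touched, the two unchanged bullets at the top still write the directive as <tt>default-src: https:</tt> with a colon after the directive name, which is not valid CSP syntax; the Examples section below writes it correctly as <tt>default-src https:</tt>, so the bullets should be brought in line with it.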
Line 338: | Line 340: | ||
== Examples == | == Examples == | ||
<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https | <pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https | ||
# Note that this does not provide any XSS protection | |||
Content-Security-Policy: default-src https:</pre> | Content-Security-Policy: default-src https:</pre> | ||
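Review bot: The added comment "Note that this does not provide any XSS protection" contradicts the comment directly above it ("Disable unsafe inline/eval") and the Line 330 bullet that describes <tt>default-src https:</tt> as disabling inline code; that bullet list attaches the no-XSS-protection caveat to the <tt>'unsafe-inline'</tt> variant, not to this one. Either move the note to the <tt>'unsafe-inline'</tt> example further down, or reword it to state the actual gap this policy leaves, that scripts may still be loaded from any https origin.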
Line 344: | Line 347: | ||
<meta http-equiv="Content-Security-Policy" content="default-src https:"></pre> | <meta http-equiv="Content-Security-Policy" content="default-src https:"></pre> | ||
<pre># Disable the use of unsafe inline/eval, allow everything else | <pre># Disable the use of unsafe inline/eval, allow everything else plugin execution | ||
Content-Security-Policy: *</pre> | Content-Security-Policy: default-src *; object-src 'none'</pre> | ||
<pre># Disable unsafe inline/eval, only load resources from same origin | <pre># Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur | ||
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com</pre> | # Also disables the execution of plugins | ||
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'</pre> | |||
<pre># Disable unsafe inline/eval, only load | <pre># Disable unsafe inline/eval, only load scripts and stylesheets from same origin, fonts from google, and images from | ||
Content-Security-Policy: default-src ' | # same origin and imgur. Sites should aim for policies like this. | ||
Content-Security-Policy: default-src 'none'; font-src 'https://fonts.googleapis.com'; | |||
img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'</pre> | |||
<pre># Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https | <pre># Pre-existing site uses too much inline code to fix, | ||
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'</pre> | # but wants to ensure resources are loaded only over https and disable plugins | ||
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'</pre> | |||
<pre># Don't implement the above policy yet; instead just report violations that would have occured | <pre># Don't implement the above policy yet; instead just report violations that would have occured | ||
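Review bot: In the new "Sites should aim for policies like this" example, <tt>font-src 'https://fonts.googleapis.com'</tt> wraps a host source in single quotes; quotes are reserved for keyword sources such as <tt>'self'</tt> and <tt>'none'</tt>, so the value should be <tt>font-src https://fonts.googleapis.com</tt>, matching how the imgur host is written in the same policy. The first comment in this region, "allow everything else plugin execution", has lost a word and should read "allow everything else except plugin execution". Replacing the previous <tt>Content-Security-Policy: *</tt> with <tt>default-src *; object-src 'none'</tt> is a good correction, since a bare <tt>*</tt> with no directive name is not a valid policy. Finally, "occured" in the report-only comment should be "occurred".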
Line 659: | Line 666: | ||
! scope="col" style="width: 6em;" | Editor | ! scope="col" style="width: 6em;" | Editor | ||
! Changes | ! Changes | ||
|- | |||
| style="padding-left: .5em; text-align: left;" | October, 2016 | |||
| align="center" | April | |||
| style="padding-left: .5em;" | Updates to CSP recommendations | |||
|- | |- | ||
| style="padding-left: .5em; text-align: left;" | July, 2016 | | style="padding-left: .5em; text-align: left;" | July, 2016 |
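Review bot: The new changelog row's Changes cell, "Updates to CSP recommendations", is vague for a revision that adds three new recommendations (the <tt>object-src 'none'</tt> advice, the JSONP caveat for <tt>script-src 'self'</tt>, and the suggested starting policy) and corrects the invalid <tt>Content-Security-Policy: *</tt> example; suggest naming those items so a reader of the history can see what changed without opening the diff.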