(fix typo) |
(formatting) |
Line 133: | Line 133: | ||
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. | The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. | ||
Note that disabling inline JavaScript means that <em>all</em> JavaScript must be loaded from <script> src tags . Event handlers such as <em>onclick</em> used directly on a tag will fail to work, as will JavaScript inside <script> tags but not loaded via src. Furthermore, inline stylesheets using either <style> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement. | Note that disabling inline JavaScript means that <em>all</em> JavaScript must be loaded from <tt><script></tt> src tags . Event handlers such as <em>onclick</em> used directly on a tag will fail to work, as will JavaScript inside <tt><script></tt> tags but not loaded via src. Furthermore, inline stylesheets using either <tt><style></tt> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement. | ||
== Implementation Notes == | == Implementation Notes == |
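Review bot: the "(formatting)" revision in the right-hand column wraps `<script>` and `<style>` in `<tt>…</tt>`, but `<tt>` is an obsolete element in HTML5; `<code><script></code>` gives the same monospace rendering and will keep working. Two things the revision leaves untouched on the same line are worth fixing in the same pass: the stray space before the full stop in "src tags ." and the bare `<script>` / `<style>` literals, which read as tag text to the wiki parser unless escaped (`&lt;script&gt;`) or placed in `<nowiki>`. Finally, the sentence beginning "Furthermore, inline stylesheets ..." follows directly from "disabling inline JavaScript" and so reads as a consequence of it; splitting it into its own sentence about the stylesheet side of the policy would make the paragraph clearer.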