[[Security/CSP|Content Security Policy]] is intended to help web designers or server administrators specify how content interacts on their web sites. It helps mitigate and detect types of attacks such as XSS and data injection. CSP is not intended to be a main line of defense, but rather one of the many layers of security that can be employed to help secure a web site. More information about the intended use of CSP is available in the [[#goals|goals]] section.
= Goals =
Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities: Cross Site Scripting. Cross Site Request Forgery has also become a large scale problem in Web Application Security, though it is not a primary focus of Content Security Policy.
== Content Restrictions ==
The main goal of Content Security Policy is to prevent malicious code from being injected into a website and executed within the context of that site. Hence, a recurring theme in CSP is to prevent the creation of script code from potentially tainted strings. It should be made clear that it is not the intent of CSP to prevent navigation to arbitrary sites, but rather to restrict the types of script, media, and other resources that may be used on a web page.
== Mitigate Cross Site Scripting (XSS) ==
There are [http://www.cgisecurity.com/articles/xss-faq.shtml many] [http://ha.ckers.org/xss.html good] [http://www.owasp.org/index.php/Cross_Site_Scripting references] for those needing to familiarize themselves with XSS and the associated risks.
XSS exploits the client's trust in the content received from the server. Malicious script is executed by the victim's browser because the victim trusts the source of the content. Content Security Policy provides a way for server administrators to reduce or eliminate their XSS attack surface:
# Website administrators specify which domains the browser should treat as valid sources of script.
# The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
#* Note: [[Security/CSP/Spec#event-hendling|event handling]] is still available under CSP; handlers must be registered from script rather than through HTML attributes.
# Sites that never want to have JavaScript included in their pages can choose to globally disallow script.
== Mitigate Clickjacking ==
A secondary goal of CSP is to help mitigate clickjacking.
[http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html Good] [http://ha.ckers.org/blog/20080915/clickjacking/ references] are available which describe the threat and impact of clickjacking.
Clickjacking occurs when a malicious site directs a victim's mouse click onto an unintended target in another site, generally by framing the target site's content in a transparent <iframe>.
Content Security Policy enables a site to specify [[Security/CSP/Spec#frame-ancestors|which sites may embed a resource]].
= Base Restrictions (and XSS protection) =
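To make the two mechanisms above concrete (script-source white-listing with inline script disregarded, and frame-ancestors for clickjacking), here is an added example that is not code from this wiki page or from the CSP specification: a minimal Python checker that parses a policy string and answers whether a script source or a framing page is permitted. It assumes the directive names script-src and frame-ancestors, understands only 'self', 'none', host and *.host source expressions, and uses a constructed sample policy and origins.

```python
from urllib.parse import urlsplit

# Constructed sample policy and page URL (not taken from any real deployment).
SAMPLE_POLICY = "script-src 'self' https://cdn.example.com; frame-ancestors 'self' https://*.partner.example"
SAMPLE_PAGE = "https://www.example.com/account"

def parse_policy(header):  # 'directive src src; directive src' -> {directive: [sources]}
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin_of(url):  # scheme://host[:port], the unit that source lists match on
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def source_matches(source, page_origin, candidate_origin):
    """Match one source expression ('self', host, *.host, scheme://host) against an origin."""
    source = source.lower()
    if source == "'self'":
        return candidate_origin == page_origin
    scheme, sep, host = source.partition("://")
    if not sep:  # scheme-less host source takes the page's scheme
        scheme, host = page_origin.partition("://")[0], source
    cand_scheme, _, cand_host = candidate_origin.partition("://")
    if scheme != cand_scheme:
        return False
    if host.startswith("*."):  # wildcard matches subdomains only, not the bare host
        return cand_host.endswith(host[1:])
    return cand_host == host

def allowed_by(sources, page_origin, candidate_origin):
    if "'none'" in sources:  # 'none' blocks everything, whatever else is listed
        return False
    return any(source_matches(s, page_origin, candidate_origin) for s in sources)

def script_allowed(header, page_url, script_url=None):
    sources = parse_policy(header).get("script-src")
    if sources is None:
        return True  # no script-src directive: script loading is not restricted
    # script_url=None models an inline <script> or an on* attribute: never from a listed source
    return script_url is not None and allowed_by(sources, origin_of(page_url), origin_of(script_url))

def frame_allowed(header, page_url, ancestor_url):
    sources = parse_policy(header).get("frame-ancestors")
    if sources is None:
        return True  # no frame-ancestors directive: any site may embed the page
    return allowed_by(sources, origin_of(page_url), origin_of(ancestor_url))
```

Inline scripts and event-handler attributes have no source origin, so the checker rejects them whenever a script-src directive is present, which is the behaviour the list above describes.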