Recently, Nick discussed how cross-site scripting (XSS) is one of the major areas of concern for Web application security and showed us how to avoid attacks from a coding perspective. Now, Mozilla Security has proposed a new defense against XSS called Content Security Policy (CSP).

CSP provides an extra layer of security by allowing the Web server to specify valid sources for scripts. Browsers that support CSP would disallow the execution of scripts originating from domains that are not listed in the X-Content-Security-Policy HTTP header or META tag.

The proposal also provides the ability to block requests for images and other media from untrusted sources, and it protects against clickjacking by allowing trusted frame sources to be specified.

Finally, CSP reports policy violations. If a report URI is given, the browser will send an XML report with the HTTP request, headers, and the URI of the blocked resource.
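As an added illustration (not code from the original post or from Mozilla's implementation), the Python below serializes a policy in the draft X-Content-Security-Policy syntax and then simulates the browser-side decision the post describes: whether a script, image or framing load is permitted, and what a violation report would carry. The directive names follow the Mozilla draft; the matching rules are a deliberate simplification assumed for illustration, and the sample policy and URLs are constructed.

```python
# Added example, not code from the original post or Mozilla's implementation.
# build_policy() writes a policy in the draft X-Content-Security-Policy syntax;
# check_load() simulates (simplified, assumed for illustration) a CSP-aware browser.
from urllib.parse import urlparse

def build_policy(directives):
    """Serialize {directive: [sources]} into the header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in directives.items())

def parse_policy(header):
    """Parse 'name src src; name src' back into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def source_matches(src, host, page_host):
    """Match one source expression against the host of a resource."""
    if src == "'none'":
        return False
    if src == "'self'":
        return host == page_host
    if src == "*":
        return True
    allowed = urlparse(src).netloc if "://" in src else src
    if allowed.startswith("*."):            # wildcard host such as *.example.com
        return host.endswith(allowed[1:])
    return host == allowed

def check_load(header, page_url, directive, resource_url):
    """Return (allowed, report); report is None when the load is permitted.
    Falls back to the catch-all 'allow' directive when none matches the type."""
    policy = parse_policy(header)
    page_host, host = urlparse(page_url).netloc, urlparse(resource_url).netloc
    sources = policy.get(directive, policy.get("allow", ["'none'"]))
    if any(source_matches(s, host, page_host) for s in sources):
        return True, None
    report = None
    if "report-uri" in policy:   # the draft POSTs an XML report; fields modelled as a dict
        report = {"report-uri": policy["report-uri"][0], "blocked-uri": resource_url,
                  "violated-directive": f"{directive} {' '.join(sources)}"}
    return False, report

# Constructed sample policy: scripts only from the page's own host and one CDN,
# images from anywhere, no framing at all, violations reported to /csp-report.
EXAMPLE_POLICY = build_policy({"allow": ["'self'"], "img-src": ["*"],
                               "script-src": ["'self'", "https://cdn.example.com"],
                               "frame-ancestors": ["'none'"], "report-uri": ["/csp-report"]})
```

Running check_load against a candidate policy before deploying it is a cheap way to confirm that the sources you expect are permitted and that everything else would be blocked and reported.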

Of course, it will still be important for programmers to develop Web applications using good security practices, but where CSP is deployed, coding mistakes will become much harder to exploit.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!