Espen Henriksen
Senior Engineer
Statens Kartverk
esphen_
esphen
What the CSP?!
A layman's introduction
Lightning talk
Security can be a bit..
CSP
- Content-Security-Policy
- A header sent with the responses from the server
- Can also be set as a meta tag in the document's <head>
- Helps stop XSS
- Supported in modern browsers
- Partially supported in IE11
Why do we need CSP?
- XSS: Cross-site scripting
- Best practice: the principle of least privilege
- Built into the browser
- No "setup"
- Uses the strength of the browser
Directives
- A CSP consists of a set of directives
- Each directive specifies the permitted source origins
- If a directive does not list a source as permitted, the browser blocks it (allow-listing)
- Commonly used values: 'self', 'unsafe-inline', hostnames
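To make the allow-listing rule concrete, here is a small evaluator, added as an example and not part of the slides or of any browser's code. It parses a policy string and decides whether a given load is permitted, showing how a specific fetch directive such as script-src overrides default-src, how an absent directive falls back to default-src, and how 'self', scheme sources and wildcard host sources match. It supports only those source expressions (nonces, hashes and 'unsafe-*' keywords never match a URL and are treated as non-matching), and it omits the intermediate child-src fallback that frame-src and worker-src really have. The policy string and URLs in `demo()` are constructed for illustration.

```javascript
// Added example (not from the slides): a minimal evaluator for CSP allow-listing.
// Supports 'self', 'none', scheme sources ("https:") and host sources with
// optional scheme, wildcard subdomain, port and path. Nonces, hashes and the
// 'unsafe-*' keywords never match a URL and so are treated as non-matching.

// Fetch directives that fall back to default-src when they are absent
// (frame-src and worker-src really consult child-src first; omitted here).
const FALLS_BACK_TO_DEFAULT_SRC = new Set([
  'connect-src', 'font-src', 'frame-src', 'img-src', 'manifest-src',
  'media-src', 'prefetch-src', 'script-src', 'style-src', 'worker-src',
]);

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "directive sources; directive sources" into a Map of directive -> [sources].
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    // "*.trusted.com" matches any subdomain, but not "trusted.com" itself.
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression allow `url` when loaded by document `doc`?
function sourceMatches(source, url, doc) {
  if (source === "'self'") return url.origin === doc.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme source, e.g. "https:"
  }
  // Host source: [scheme://]host[:port][/path]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, hostPort, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== doc.protocol &&
             !(doc.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme given: inherit the document's scheme (http pages may load https)
  }
  const [hostPattern, port] = hostPort.split(':');
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  const wantPort = port || DEFAULT_PORTS[url.protocol] || '';
  if (wantPort !== '*' && urlPort !== wantPort) return false;
  if (path) {
    // A path ending in "/" is a prefix match; anything else must match exactly.
    const ok = path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Decide whether a load governed by `directive` is permitted under `policy`.
function isAllowed(policy, directive, resourceUrl, documentUrl) {
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT_SRC.has(directive)) {
    sources = policy.get('default-src');
  }
  if (sources === undefined) return true; // nothing in the policy governs this load
  const url = new URL(resourceUrl);
  const doc = new URL(documentUrl);
  return sources.some((s) => sourceMatches(s, url, doc));
}

// Constructed walkthrough: script-src is tightened relative to default-src.
function demo() {
  const policy = parseCsp("default-src 'self' *.trusted.com; script-src 'self'; img-src https:");
  const page = 'https://app.example.com/index.html';
  return {
    ownScript:  isAllowed(policy, 'script-src', 'https://app.example.com/app.js', page),   // true
    cdnScript:  isAllowed(policy, 'script-src', 'https://cdn.trusted.com/lib.js', page),   // false: script-src overrides default-src
    cdnStyle:   isAllowed(policy, 'style-src',  'https://cdn.trusted.com/site.css', page), // true: falls back to default-src
    apexStyle:  isAllowed(policy, 'style-src',  'https://trusted.com/site.css', page),     // false: *.trusted.com excludes the apex
    httpImage:  isAllowed(policy, 'img-src',    'http://img.example.net/a.png', page),     // false: only https: is allowed
    httpsImage: isAllowed(policy, 'img-src',    'https://img.example.net/a.png', page),    // true
  };
}
```

Two things the walkthrough makes visible that are easy to miss when reading a policy: once `script-src` is present, `default-src` no longer has any say over scripts, so every origin scripts need must be repeated there, and `*.trusted.com` does not cover `trusted.com` itself. Directives such as `frame-ancestors`, `form-action` and `base-uri` do not fall back to `default-src` at all; when they are absent, CSP simply does not restrict those actions.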
Directives
- default-src
- connect-src
- font-src
- frame-src
- img-src
- manifest-src
- media-src
- prefetch-src
- script-src
- style-src
- webrtc-src
- worker-src
- base-uri
- plugin-types
- sandbox
- disown-opener
- form-action
- frame-ancestors
- navigate-to
- block-all-mixed-content
- require-sri-for
- upgrade-insecure-requests
Sandbox
- allow-downloads
- allow-downloads-without-user-activation
- allow-forms
- allow-modals
- allow-orientation-lock
- allow-pointer-lock
- allow-popups
- allow-popups-to-escape-sandbox
- allow-presentation
- allow-same-origin
- allow-scripts
- allow-storage-access-by-user-activation
- allow-top-navigation
- allow-top-navigation-by-user-activation
See also:
Feature Policies / Permission Policies
What if you get something wrong?!
- Revert, revert!
- report-uri / report-to reporting directives
- report-uri lets browsers report that a resource has been blocked
- Sentry and report-uri.com are popular services for report-uri targets
- "Report only"
What does it look like?
Example
// Allow the current domain and subdomains of trusted.com
Content-Security-Policy: default-src 'self' *.trusted.com
// Allow self and enable reporting
Content-Security-Policy: default-src 'self'; report-uri http://example.com/collector
// Only allow https, and only from example.com
Content-Security-Policy: default-src https://example.com
Visibility
CSP report
{
"csp-report": {
"document-uri": "https://www.websec.be/blog/digest-02/",
"referrer": "https://www.websec.be/blog/",
"violated-directive": "script-src 'self' https://ajax.googleapis.com/ajax/libs/webfont/1.5.18/webfont.js https://www.google-analytics.com/ https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com https://websec-be.disqus.com https://*.disquscdn.com",
"effective-directive": "script-src",
"original-policy": "default-src 'self'; script-src 'self' https://ajax.googleapis.com/ajax/libs/webfont/1.5.18/webfont.js https://www.google-analytics.com/ https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com https://websec-be.disqus.com https://*.disquscdn.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://platform.twitter.com https://*.twimg.com https://*.disquscdn.com; img-src 'self' data: https://www.google-analytics.com/ https://syndication.twitter.com https://*.twimg.com https://platform.twitter.com https://referrer.disqus.com https://*.disquscdn.com; frame-src https://platform.twitter.com https://syndication.twitter.com https://disqus.com/ https://player.vimeo.com https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; connect-src https://links.services.disqus.com; report-uri https://websec.report-uri.io/r/default/csp/enforce",
"blocked-uri": "eval",
"line-number": 1,
"column-number": 1609,
"source-file": "https://a.disquscdn.com",
"status-code": 0
}
}
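A report like the one above is only useful if the collector turns it into something a team can act on. The following triage routine is an added example, not part of the slides or of Sentry or report-uri.com; it classifies each report by what the browser refused (an `eval()` call, an inline script or style, a bare scheme such as `data:`, or a third-party host) and aggregates repeated reports. The first sample is abridged from the report shown on the slide (the long `violated-directive` and `original-policy` fields are omitted); the remaining samples are constructed for illustration.

```javascript
// Added example (not from the slides): triage of CSP violation reports as a
// report-uri collector might perform it.

const SAMPLE_REPORTS = [
  // Abridged from the report on the slide (violated-directive/original-policy omitted).
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://www.websec.be/blog/digest-02/',
      'referrer': 'https://www.websec.be/blog/',
      'effective-directive': 'script-src',
      'blocked-uri': 'eval',
      'line-number': 1,
      'column-number': 1609,
      'source-file': 'https://a.disquscdn.com',
      'status-code': 0,
    },
  }),
  // Constructed: a script host that is not on the allow-list, reported twice.
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://shop.example/checkout',
      'effective-directive': 'script-src',
      'blocked-uri': 'https://cdn.unknown-vendor.example/widget.js',
      'status-code': 200,
    },
  }),
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://shop.example/cart',
      'effective-directive': 'script-src',
      'blocked-uri': 'https://cdn.unknown-vendor.example/widget.js',
      'status-code': 200,
    },
  }),
  // Constructed: an inline style attribute blocked by style-src.
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://shop.example/checkout',
      'effective-directive': 'style-src',
      'blocked-uri': 'inline',
      'source-file': 'https://shop.example/checkout',
      'line-number': 42,
    },
  }),
];

// Classify one report by what the browser refused to run or load.
function triageReport(reportJson) {
  const r = JSON.parse(reportJson)['csp-report'] || {};
  const blocked = r['blocked-uri'] || '';
  let kind;
  let origin = null;
  if (blocked === 'eval') {
    kind = 'eval';    // some script called eval()/new Function(); fix the code rather than add 'unsafe-eval'
  } else if (blocked === 'inline' || blocked === '') {
    kind = 'inline';  // inline <script>/<style>/event handler; older browsers send "" here
  } else if (/^[a-z][a-z0-9+.-]*:$/i.test(blocked)) {
    kind = 'scheme';  // e.g. "data:" or "blob:"
    origin = blocked;
  } else {
    kind = 'host';    // a URL: reduce to its origin, which is the granularity an allow-list entry has
    origin = new URL(blocked).origin;
  }
  return {
    document: r['document-uri'] || null,
    directive: r['effective-directive'] || null,
    kind,
    origin,
    // For eval/inline violations the browser names the script that triggered them.
    sourceFile: r['source-file'] || null,
  };
}

// Count reports per (directive, kind, origin-or-source) so one noisy script
// does not drown out a genuinely new violation.
function aggregateReports(reportJsons) {
  const counts = new Map();
  for (const json of reportJsons) {
    const t = triageReport(json);
    const key = `${t.directive}|${t.kind}|${t.origin || t.sourceFile || ''}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}
```

Read the slide's report through this lens: `effective-directive` is `script-src`, `blocked-uri` is `eval`, and `source-file` points at a third-party CDN, so the violation is a code-level one inside that vendor's script, not a missing hostname in the policy. Before changing a policy in response to reports, filter out noise from browser extensions, which inject scripts into pages and generate violation reports of their own, and roll any change out under `Content-Security-Policy-Report-Only` first, so it reports without blocking.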
The end
https://slides.com/esphen/csp-lightning-talk
What the CSP?! - Kartverket
By Eline H