Espen Henriksen

Senior Engineer

Statens Kartverk

esphen_

esphen

What the CSP?!

A layman's introduction

Lightning talk

Security can be a bit..

CSP

  • Content-Security-Policy

  • A header sent with the responses from the server
  • Can also be set as a <meta> tag in the document's <head> (but frame-ancestors, report-uri and sandbox only work in the header)
  • Helps stop XSS by limiting where scripts may load from and whether inline script runs; it is a second line of defence behind output encoding, not a replacement for it
  • Supported in modern browsers
  • Partially supported in IE11 (only the sandbox directive, via the X-Content-Security-Policy header)

What do we need CSP for?

  • XSS: Cross-site scripting
  • Best practice: the principle of least privilege
  • Built into the browser
    • No "setup"
    • Uses the browser's own strengths

Directives

  • A CSP consists of a number of directives
  • Each directive specifies the allowed sources for one kind of resource
  • Anything a directive does not list as allowed is blocked by the browser (allow-listing); fetch directives you leave out fall back to default-src
  • Commonly used values: 'self', 'unsafe-inline', hostnames
  • 'unsafe-inline' in script-src lets injected inline scripts and on* handlers run, which undoes most of the XSS protection; prefer nonces ('nonce-…') or hashes ('sha256-…')

Directives

  • default-src
  • connect-src
  • font-src
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • prefetch-src
  • script-src
  • style-src
  • webrtc-src
  • worker-src
  • base-uri
  • plugin-types
  • sandbox
  • disown-opener
  • form-action
  • frame-ancestors
  • navigate-to
  • block-all-mixed-content
  • require-sri-for
  • upgrade-insecure-requests
  • Not all of these survived standardisation: disown-opener, navigate-to, prefetch-src, webrtc-src, require-sri-for and plugin-types were dropped from CSP3 or never shipped broadly, and block-all-mixed-content is deprecated in favour of blocking mixed content by default

Sandbox

  • allow-downloads
  • allow-downloads-without-user-activation
  • allow-forms
  • allow-modals
  • allow-orientation-lock
  • allow-pointer-lock
  • allow-popups
  • allow-popups-to-escape-sandbox
  • allow-presentation
  • allow-same-origin
  • allow-scripts
  • allow-storage-access-by-user-activation
  • allow-top-navigation
  • allow-top-navigation-by-user-activation

See also:

Feature Policy / Permissions Policy

What if you get something wrong?!

  • Revert, revert!
  • report-uri / report-to: the reporting directives
  • report-uri makes the browser POST a JSON report to your endpoint whenever it blocks a resource (report-to is the newer Reporting API equivalent; send both while older browsers are still around)
  • Sentry and report-uri.com are popular services for report-uri targets
  • "Report only": send the policy as Content-Security-Policy-Report-Only and the browser reports violations without blocking anything; roll out every new policy that way first

What does it look like?

Example

// Allow the current origin and any subdomain of trusted.com (not trusted.com itself)
Content-Security-Policy: default-src 'self' *.trusted.com

// Allow self and enable reporting (use an https collector so the reports themselves cannot be read on the wire)
Content-Security-Policy: default-src 'self'; report-uri https://example.com/collector

// Only allow resources from example.com, and only over https
Content-Security-Policy: default-src https://example.com
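To make the allow-listing rules from the Directives section and the examples above concrete, here is an added example (my code, not code from the talk) that parses a header value the way a browser does, lints it for the settings that weaken script-src, and builds a nonce-based policy in place of 'unsafe-inline'. The directive names and values are real CSP; the lint rules, the function names and the hosts in the test inputs (cdn.example.net, trusted.com) are my own choices.

```javascript
// Added example, not from the talk: parse a Content-Security-Policy value,
// lint it for the settings that weaken its XSS protection, and build the
// nonce-based policy that replaces 'unsafe-inline'. Plain Node.js, no imports.

// Fetch directives fall back to default-src when they are not set.
// Document/navigation directives (frame-ancestors, base-uri, form-action, sandbox) do not.
const FETCH_DIRECTIVES = [
  "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
  "object-src", "frame-src", "worker-src", "manifest-src", "child-src",
];

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// Directive names are case-insensitive and, as in browsers, the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list the browser actually applies for a directive, after the
// default-src fallback. null means the directive is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.includes(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

// Findings a reviewer would raise before shipping the policy; [] means none.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scripts = effectiveSources(policy, "script-src");
  if (scripts === null) {
    findings.push("script-src: unrestricted (no script-src and no default-src)");
  } else {
    // When a nonce or hash is present the browser ignores 'unsafe-inline',
    // so it is only a fallback for old browsers in that case.
    const hasNonceOrHash = scripts.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src: 'unsafe-inline' lets injected <script> and on* handlers run");
    }
    if (scripts.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' allows eval() and new Function()");
    }
    for (const s of scripts) {
      if (s === "*" || s === "http:" || s === "https:") {
        findings.push(`script-src: ${s} allows scripts from any host`);
      } else if (/^http:\/\//i.test(s)) {
        findings.push(`script-src: plaintext source ${s} can be tampered with on the network`);
      }
    }
  }

  // Plugins (object/embed) and <base> are the classic ways around a script-src allow-list.
  const objects = effectiveSources(policy, "object-src");
  if (objects === null || !(objects.length === 1 && objects[0] === "'none'")) {
    findings.push("object-src: not 'none', so a plugin can be used to run script");
  }
  if (!policy.has("base-uri")) {
    findings.push("base-uri: missing, an injected <base> can redirect relative script URLs");
  }
  return findings;
}

// Policy for one response. The nonce must be unpredictable and generated per
// response (e.g. crypto.randomBytes(16).toString("base64")); the same value
// goes on every legitimate <script nonce="..."> in that response.
function buildNoncePolicy(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}
```

Run lintCsp over the first example above and it reports the two gaps the short policy leaves (object-src is not 'none', base-uri is unset) while passing script-src; run it over buildNoncePolicy("…") and it comes back clean. The first-occurrence rule in parseCsp matters for review: a second default-src later in the header is silently ignored by browsers, so a "hardening" appended to an existing policy may not apply at all.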

Visibility

CSP report

{
  "csp-report": {
	"document-uri": "https://www.websec.be/blog/digest-02/",
	"referrer": "https://www.websec.be/blog/",
	"violated-directive": "script-src 'self' https://ajax.googleapis.com/ajax/libs/webfont/1.5.18/webfont.js  https://www.google-analytics.com/ https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com https://websec-be.disqus.com https://*.disquscdn.com",
	"effective-directive": "script-src",
	"original-policy": "default-src 'self'; script-src 'self' https://ajax.googleapis.com/ajax/libs/webfont/1.5.18/webfont.js  https://www.google-analytics.com/ https://platform.twitter.com/ https://cdn.syndication.twimg.com https://syndication.twitter.com https://websec-be.disqus.com https://*.disquscdn.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://platform.twitter.com https://*.twimg.com https://*.disquscdn.com; img-src 'self' data: https://www.google-analytics.com/ https://syndication.twitter.com https://*.twimg.com https://platform.twitter.com https://referrer.disqus.com https://*.disquscdn.com; frame-src https://platform.twitter.com https://syndication.twitter.com https://disqus.com/ https://player.vimeo.com https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; connect-src https://links.services.disqus.com; report-uri https://websec.report-uri.io/r/default/csp/enforce",
	"blocked-uri": "eval",
	"line-number": 1,
	"column-number": 1609,
	"source-file": "https://a.disquscdn.com",
	"status-code": 0
  }
}
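The report above is in the legacy report-uri format. As an added example that is not part of the talk, this Node.js snippet parses both that format and the Reporting API (report-to) format into one shape, triages the result, and builds a key for aggregating duplicates. The sample inputs are a trimmed copy of the report above and a constructed report-to equivalent; the triage rules, size limit and function names are my own choices.

```javascript
// Added example, not from the talk: accept CSP violation reports in both wire
// formats, normalise them, and triage them. Plain Node.js, no imports.
//
//   report-uri  POST, Content-Type application/csp-report,
//               one object wrapped in "csp-report" (kebab-case keys, as in the report above)
//   report-to   POST, Content-Type application/reports+json,
//               an array of {type, url, user_agent, body} (camelCase keys inside body)

// Constructed test input: a trimmed copy of the report above, as report-uri sends it.
const SAMPLE_REPORT_URI = JSON.stringify({
  "csp-report": {
    "document-uri": "https://www.websec.be/blog/digest-02/",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self' https://*.disquscdn.com",
    "blocked-uri": "eval",
    "source-file": "https://a.disquscdn.com",
    "line-number": 1,
    "column-number": 1609,
    "status-code": 0,
  },
});

// Constructed test input: the same violation as the Reporting API (report-to) delivers it.
const SAMPLE_REPORT_TO = JSON.stringify([{
  type: "csp-violation",
  url: "https://www.websec.be/blog/digest-02/",
  user_agent: "constructed",
  body: {
    documentURL: "https://www.websec.be/blog/digest-02/",
    effectiveDirective: "script-src",
    originalPolicy: "default-src 'self'; script-src 'self' https://*.disquscdn.com",
    blockedURL: "eval",
    sourceFile: "https://a.disquscdn.com",
    lineNumber: 1,
    columnNumber: 1609,
    disposition: "enforce",
  },
}]);

const MAX_BODY_BYTES = 64 * 1024; // genuine reports are small; the endpoint is unauthenticated

function normalise(doc, directive, blocked, file, line, column, disposition) {
  return {
    documentUri: String(doc || ""),
    // violated-directive carries the whole source list; keep only the directive name.
    directive: String(directive || "").split(/\s+/)[0],
    blockedUri: String(blocked || ""),
    sourceFile: String(file || ""),
    line: Number(line) || 0,
    column: Number(column) || 0,
    disposition: String(disposition || "enforce"),
  };
}

// Parse one POST body into a list of normalised reports. Throws on anything
// malformed; the HTTP handler should answer 400 and otherwise ignore it.
function parseCspReports(contentType, body) {
  if (body.length > MAX_BODY_BYTES) throw new Error("report body too large");
  const data = JSON.parse(body);
  const reports = [];
  if (contentType.startsWith("application/csp-report")) {
    const r = data["csp-report"];
    if (!r || typeof r !== "object") throw new Error("missing csp-report object");
    reports.push(normalise(r["document-uri"], r["effective-directive"] || r["violated-directive"],
      r["blocked-uri"], r["source-file"], r["line-number"], r["column-number"], r["disposition"]));
  } else if (contentType.startsWith("application/reports+json")) {
    if (!Array.isArray(data)) throw new Error("expected an array of reports");
    for (const item of data) {
      // Other report types (deprecation, intervention, ...) share the same endpoint.
      if (!item || item.type !== "csp-violation" || typeof item.body !== "object") continue;
      const b = item.body;
      reports.push(normalise(b.documentURL, b.effectiveDirective, b.blockedURL, b.sourceFile,
        b.lineNumber, b.columnNumber, b.disposition));
    }
  } else {
    throw new Error(`unexpected content type ${contentType}`);
  }
  return reports;
}

// Triage a normalised report: "noise", "investigate" or "alert".
function triage(report) {
  // Browser extensions inject into every page; their violations are not our bug.
  const ext = /^(chrome|moz|safari-web)-extension:/;
  if (ext.test(report.blockedUri) || ext.test(report.sourceFile)) return "noise";
  if (report.directive === "script-src") {
    // "inline" means a <script> or on* handler on our page without a valid nonce/hash:
    // either XSS or a deploy that forgot the nonce. Both need someone now.
    if (report.blockedUri === "inline") return "alert";
    // eval, a third-party host, a blob:/data: URL: look at it, and at source-file.
    return "investigate";
  }
  return "noise"; // images, fonts and styles are for the allow-list owner, not the on-call
}

// Key for aggregating the flood of identical reports one broken page generates.
function reportKey(report) {
  return `${report.directive}|${report.blockedUri}|${report.sourceFile}:${report.line}`;
}
```

Both sample inputs normalise to the same key, so a dashboard keyed on reportKey counts a violation once no matter which header delivered it. The size limit and the content-type check are there because the collector endpoint is reachable by anyone on the internet and will receive junk; treat what it stores as untrusted data, not as evidence by itself.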

Fin

https://slides.com/esphen/csp-lightning-talk

Made with Slides.com