The Days of XSS are Numbered: Content Security Policy Draft 1.1 Released

Posted on June 07, 2013 by Dave

A working draft of version 1.1 of the Content Security Policy (CSP) was released on Tuesday (04/06/13). For those of you who don’t know, CSP attempts to eliminate Cross-Site Scripting (XSS) by preventing the execution of all inline scripts, e.g.:


<script>alert(1)</script>

and inline event handlers, e.g.:


<img src="xss.png" onerror="alert(1)">

When using the policy, all JavaScript must be placed in separate script files and loaded from a trusted domain. As a result, if you try to inject JavaScript into a website running CSP, it will fail: the browser treats the injected code as an inline script, refuses to execute it, and reports an error.

In the current implementation, you specify via an HTTP header where scripts may be loaded from; for example, specifying:

Content-Security-Policy: script-src example.com

will ensure that only scripts hosted on example.com are executed by the browser. There are a number of other directives, such as img-src, object-src, media-src, font-src, etc.
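To make the matching rules concrete, here is an added example (not code from the original post) of a minimal evaluator for the CSP source-list semantics described above: it parses a header value such as script-src example.com and answers the two questions a browser asks before running a script, namely whether a given external script URL is allowed and whether inline scripts are allowed. It handles host sources (including *.host wildcards and ports), scheme sources, the 'self', 'none' and 'unsafe-inline' keywords, and the fallback from script-src to default-src; path matching and nonces are left out, and the scheme-less host rule follows the original CSP 1.0 wording.

```javascript
// Added example (not code from the original post): a minimal CSP source-list
// evaluator for script-src, covering the rules the post describes.
function parsePolicy(header) {
  // Directives are separated by ';', tokens within a directive by whitespace.
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function scriptSources(policy) {
  // script-src falls back to default-src; when neither is set, scripts are unrestricted.
  return policy.get('script-src') || policy.get('default-src') || null;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceMatches(src, url, page) {
  const s = src.toLowerCase();
  if (s.startsWith("'")) return s === "'self'" && url.origin === page.origin; // other keywords never match a URL
  if (s.endsWith(':')) return url.protocol === s; // scheme source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A scheme-less host source inherits the page's scheme (the original CSP 1.0 rule).
  if (scheme ? url.protocol !== scheme + ':' : url.protocol !== page.protocol) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === urlPort;
}

function allowsScriptUrl(header, scriptUrl, pageUrl) {
  const list = scriptSources(parsePolicy(header));
  if (list === null) return true;
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  return list.some(src => sourceMatches(src, url, page));
}

function allowsInlineScript(header) {
  const list = scriptSources(parsePolicy(header));
  return list === null || list.some(s => s.toLowerCase() === "'unsafe-inline'");
}
```

With the post's own policy, allowsInlineScript("script-src example.com") is false while a script hosted on example.com is allowed, which is exactly why an injected inline payload is refused.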

It’s slowly being adopted (Twitter has rolled it out over the past two years), and all modern browsers now support it.


The latest 1.1 version features some experimental additions to the policy, such as being able to set the CSP via a meta tag in a page’s head rather than via HTTP headers, allowing you to specify trusted domains on a per-page basis. There will also be some new directives, such as form-action, which restricts which URIs may be used as the action of HTML form elements.


Cross-Site Scripting as we know it will soon be no more!


For an excellent write-up on CSP, see here.

