Wednesday, April 24, 2013

Content Security Policy

I had not heard of this before a couple of days. I was trying to run something from the firebug console on github and it gave me an error of this kind.


Nothing ran. And even more confusingly, similar errors were thrown on page load. 

It seems like CSP is a great advancement in reducing the number of XSS (Cross Side Scripting) attacks.   By adding a header to the response, we add a list of white listed sites where the scripts are allowed to run and the rest encounter errors similar to the one seen before. Naice


For Chrome,
The header is X-WebKit-CSP
And the value looks like "default-src 'self'; img-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /Home/Report"

For Firefox,
The header is X-Content-Security-Policy
And the value looks like "default-src 'self'; img-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /Home/Report"

No comments: