What is Content Security Policy?

Content Security Policy (CSP) is a security framework that gives website owners granular control over where resources may be loaded from. The original goal was a comprehensive way to mitigate the impact of common web vulnerabilities like XSRF and XSS, as well as to perform content policy tasks. Since it was first proposed, CSP has evolved and its scope has changed in a few different ways.

Where to specify CSP

The policies can be encoded in an HTTP header, embedded in the document itself using a tag, or hosted at an external URL (referenced with the policy-uri directive).

How to define CSP

A policy is defined by stating a directive followed by the allowed origin(s). An origin can be a wildcard expression that matches multiple hosts, protocols or ports.

 X-Content-Security-Policy: default-src 'none'; img-src http://*.example.com

There are three special keywords that can be used in place of a URL:

  • 'none' - an empty set; nothing may be loaded for that directive
  • 'self' - the origin of the current page that carries the policy
  • data: - all inline data: URLs

What are the behaviors that can be controlled with CSP?

  • Script execution (script-src) - This directive limits the scripts loaded on a page to those hosted on an approved origin. This is very useful for limiting the impact of XSS vulnerabilities.

  • Stylesheets/fonts (style-src) - An attacker can use injected stylesheets to change the way a page looks and behaves, or worse, send sensitive information to a third-party server. Use this directive to allow only stylesheets from specified origins and to block inline style blocks.

  • Plugins (object-src) - Prevents Flash or Java plug-ins from having unconstrained access to the page.

  • Multimedia (img-src, media-src) - Controls which origins picture or video content may be embedded from, so that it cannot be pulled in from untrusted places.

  • Iframes (frame-src) - Use this directive to allow only certain destinations, such as youtube.com, to be framed within the page.
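As an added example (not code from the original article), here is a small Python evaluator for the policy syntax described above: it resolves 'none', 'self', scheme sources such as data:, host wildcards like http://*.example.com, and the fallback from a missing directive to default-src, so a policy can be checked against concrete loads for each of the directives listed. The function names, the sample policies and the origins used are assumptions of the example.

```python
# Added example (not code from the original article): a minimal evaluator for
# the policy syntax shown above. It decides whether a load of `url` governed by
# `directive` (script-src, img-src, frame-src, ...) is allowed by a policy such
# as "default-src 'none'; img-src http://*.example.com". Assumptions: a missing
# directive falls back to default-src, a host wildcard only covers a leading
# "*." label, and a scheme or port in a source expression must match the URL.
from urllib.parse import urlsplit

def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split "dir src src; dir src" into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the bare "example.com"
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_matches(src: str, url: str, page_origin: str) -> bool:
    """Check one source expression against the absolute URL being loaded."""
    if src == "'none'":
        return False
    if src == "'self'":
        src = page_origin               # 'self' means the page's own origin
    u = urlsplit(url)
    if src.endswith(":"):               # scheme source such as data: or https:
        return u.scheme == src[:-1]
    s = urlsplit(src if "//" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:
        return False
    if s.port and s.port != (u.port or {"http": 80, "https": 443}.get(u.scheme)):
        return False
    return _host_matches(s.hostname or "", u.hostname or "")

def is_allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """True if the page at page_origin may load url under the given directive."""
    dirs = parse_policy(policy)
    sources = dirs.get(directive, dirs.get("default-src"))
    if sources is None:                 # neither directive nor default-src: open
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)

if __name__ == "__main__":
    policy = "default-src 'none'; img-src http://*.example.com"
    print(is_allowed(policy, "img-src", "http://cdn.example.com/a.png", "https://site.test"))    # True
    print(is_allowed(policy, "script-src", "http://cdn.example.com/x.js", "https://site.test"))  # False
```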

Considerations

There are some things to consider when using CSP. One is that there is a performance penalty in moving inline scripts and stylesheets to a separate document. Every additional HTTP request will in turn create a new TCP connection, which is expensive. Moving inline code out is nonetheless required to benefit from the XSS protection the framework provides. Implementing Content Security Policy on an existing website can also be complex; it is, however, definitely recommended for all new sites and applications.

Another consideration is that CSP prevents websites from loading malicious scripts, but it does not prevent an attacker from putting the application into an inconsistent state. A bad actor can still call arbitrary existing functions in the client-side code served from the CSP-permitted origin, or load permitted scripts in an incorrect sequence or in the wrong context, therefore putting the app in an unstable state.

Overall, Content Security Policy is a useful part of a defense-in-depth approach. Compared with other proposed browser security features, it is relatively sensible and consistent.
