Fi8sVrs, Posted September 23, 2013

CSP Is Awesome: Content Security Policy Header Generator

What is Content-Security-Policy?

At its core, the Content Security Policy header allows you to define where your web pages are allowed to load content from.

"A mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS)"

Oh, and it's awesome.

So why the different headers?

Since the spec is still a draft, Firefox is using X-Content-Security-Policy and WebKit (Chrome, Safari) are using X-WebKit-CSP. Once the spec is locked down they'll move to a canonical header.

What does it look like?

Here are some examples borrowed directly from the Working Draft 1.0 document.

Example 1: A server wishes to load resources only from its own origin:

    Content-Security-Policy: default-src 'self'

Example 2: An auction site wishes to load images from any URI, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from a server under its control hosting sanitized ECMAScript:

    Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com

Example 3: Online banking site wishes to ensure that all of the content in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content requests:

    Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval'

More information: https://rstforums.com/forum/69690-user-interface-security-directives-content-security-policy.rst

Source: Content Security Policy Header Generator
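Added example, not code from the post or from the generator site it quotes: a small Python parser that splits a CSP header into directives and then applies the CSP 1.0 source-expression rules ('self', '*', 'none', scheme-only sources like https:, and host sources with an optional *. prefix and port) to decide whether a page may load a given URL. It also flags 'unsafe-inline' / 'unsafe-eval', which re-enable the inline script and eval() that CSP is meant to block. The policies fed to it are the post's own Examples 2 and 3; the page and resource URLs are constructed for the demonstration.

```python
"""Parse a Content-Security-Policy header and check which URLs it permits.

Added example, not code from the post or the CSP generator it links.
Matching follows the CSP 1.0 draft rules; the page/resource URLs below are
constructed sample values.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "object-src",
                    "media-src", "frame-src", "font-src", "connect-src")

UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]}.

    The first occurrence of a directive wins; duplicates are ignored, as the
    spec requires.
    """
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # any subdomain, never the bare host
    return pattern == host


def source_matches(source, url, page_url):
    """Does one source expression permit `page_url` to load `url`?"""
    src = source.lower()
    u, page = urlparse(url), urlparse(page_url)
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port)
    if src.startswith("'"):
        return False  # 'unsafe-inline' / 'unsafe-eval' never match a URL
    if src.endswith(":") and "//" not in src:
        return u.scheme == src[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port][/path]; the path part is ignored in 1.0
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and u.scheme != scheme:
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    default = DEFAULT_PORTS.get(u.scheme)
    if port == "":  # no port in the source: URL must use its scheme's default port
        return u.port is None or u.port == default
    effective = u.port if u.port is not None else default
    return port == "*" or str(effective) == port


def allows(policy, directive, url, page_url):
    """True if the policy lets `page_url` load `url` under `directive`."""
    if directive in policy:
        sources = policy[directive]
    elif directive in FETCH_DIRECTIVES and "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True  # nothing governs this fetch, so it is unrestricted
    return any(source_matches(s, url, page_url) for s in sources)


def unsafe_keywords(policy):
    """Directives carrying 'unsafe-inline' / 'unsafe-eval', worth reviewing."""
    found = {}
    for name, sources in policy.items():
        hits = [s for s in sources if s.lower() in UNSAFE]
        if hits:
            found[name] = hits
    return found


if __name__ == "__main__":
    auction = parse_csp("default-src 'self'; img-src *; object-src media1.example.com "
                        "media2.example.com *.cdn.example.com; script-src trustedscripts.example.com")
    page = "https://auction.example.com/item/42"  # constructed page URL
    for directive, url in [("script-src", "https://trustedscripts.example.com/a.js"),
                           ("script-src", "https://evil.example.net/a.js"),
                           ("object-src", "https://static.cdn.example.com/p.swf"),
                           ("object-src", "https://cdn.example.com/p.swf"),
                           ("style-src", "https://auction.example.com/s.css")]:
        print(f"{directive:11} {url:45} -> {allows(auction, directive, url, page)}")
    banking = parse_csp("default-src https: 'unsafe-inline' 'unsafe-eval'")
    print("unsafe keywords:", unsafe_keywords(banking))
```

Two things the run makes visible that the header alone does not: *.cdn.example.com admits static.cdn.example.com but not cdn.example.com itself, and style-src, absent from Example 2, silently inherits default-src 'self'. Example 3 passes the scheme check but is reported for 'unsafe-inline' and 'unsafe-eval', which is the part of that policy a reviewer should question.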