Background
Content Security Policy (CSP) is an important W3C standard that aims to prevent a broad range of content injection attacks such as cross-site scripting (XSS). It is an effective "defense in depth" technique against content injection attacks. It is a declarative policy that tells the user agent which sources content may validly be loaded from. Since it was introduced by Mozilla in Firefox version 4, it has been adopted as a standard and has grown in both adoption and capabilities. [OWASP-CSP-CS]
Headers
Content-Security-Policy
Response header that is expected in every HTTP response sent back from the server. The supported "Directives" in the header are enforced by the web browser, and any violations are blocked.
...
Violations of any "Directive" included in this header are non-blocking: the browser still loads the resource and reports the violation to the URL designated by the report-uri directive. This allows a new policy to be rolled out gradually, and tuned against real violation reports, before it is enforced in blocking mode in the Content-Security-Policy header.
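The following is an added example and is not code from the original page. It shows the two-header staged rollout the text describes: a small parser for a CSP header value, a check of whether a given script URL would pass the script-src directive (falling back to default-src as CSP does), a scan for source expressions that undermine script-src, and a helper that emits the blocking Content-Security-Policy header alongside the standard Content-Security-Policy-Report-Only header for a candidate policy. The origins, policies and report endpoint are constructed; source matching is deliberately simplified (no path matching, no default-port rules) and should not be taken as a full implementation of the specification's matching algorithm.

```python
"""Added example (not from the original page): parse a CSP header value,
check a script URL against script-src, flag weak sources, and build the
enforcing / report-only header pair used for a staged rollout."""
from urllib.parse import urlparse


def parse_csp(header_value):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:          # a repeated directive is ignored, as in the spec
            policy[name] = tokens[1:]
    return policy


def _source_matches(source, url, page_origin):
    """Simplified match of one source expression against an absolute URL."""
    u = urlparse(url)
    s = source.lower()
    if s.startswith("'"):
        # Keyword sources: only 'self' can match a URL. 'none', nonces, hashes,
        # 'unsafe-inline' and 'unsafe-eval' never match a fetched URL.
        return s == "'self'" and f"{u.scheme}://{u.netloc}" == page_origin.lower()
    if s == "*":
        return u.scheme in ("http", "https")
    if s.endswith(":") and "/" not in s:
        return u.scheme == s[:-1]       # scheme source such as https: or data:
    scheme, _, rest = s.partition("://") if "://" in s else ("", "", s)
    hostport = rest.split("/")[0]       # path component is ignored here (simplification)
    host, _, port = hostport.partition(":")
    if scheme and u.scheme != scheme:
        return False
    if port and str(u.port) != port:
        return False
    if host.startswith("*."):           # *.example.com matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def script_allowed(policy, script_url, page_origin):
    """True if script-src (or default-src as the fallback) permits the URL."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                     # no applicable directive: nothing is restricted
    return any(_source_matches(s, script_url, page_origin) for s in sources)


def weak_script_sources(policy):
    """Source expressions that defeat the purpose of script-src."""
    sources = policy.get("script-src", policy.get("default-src", []))
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}
    return sorted(s for s in sources if s in weak)


def rollout_headers(enforced, candidate, report_uri):
    """Staged rollout: the old policy keeps blocking while the new one only reports."""
    return {
        "Content-Security-Policy": enforced,
        "Content-Security-Policy-Report-Only": f"{candidate}; report-uri {report_uri}",
    }


if __name__ == "__main__":
    # Constructed sample values for demonstration.
    page = "https://app.example"
    old = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    new = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"
    pol = parse_csp(new)
    print(script_allowed(pol, "https://cdn.example/app.js", page))   # True
    print(script_allowed(pol, "https://evil.example/x.js", page))    # False
    print(weak_script_sources(parse_csp(old)))                       # ["'unsafe-inline'"]
    for name, value in rollout_headers(old, new, "/csp-report").items():
        print(f"{name}: {value}")
```

Serving both headers lets the violation reports for the candidate policy be reviewed for a while; once they show only expected traffic, the candidate becomes the enforced value and the report-only header is dropped.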
Directives
...
See the Content Security Policy Reference Guide [CSP] for the latest browser support information.
CSP 1.0 (supported in all major browsers)
...
- [CSP] Content Security Policy Reference Guide (with latest browser support information)
- [OWASP-CSP-CS] OWASP Cheat Sheet on Content Security Policy
- [W3C-CSP] W3C working draft of Content Security Policy Level 3
- [CSP-INTRO-1] Content Security Policy - An Introduction
- [CSP-INTRO-2] Introduction to Content Security Policy