Content Security Policy

Background

Content Security Policy (CSP) is an important W3C standard aimed at preventing a broad range of content injection attacks, such as cross-site scripting (XSS).  It is an effective "defense in depth" technique against content injection attacks.  It is a declarative policy that tells the user agent which sources are valid to load content from.  Since it was introduced by Mozilla in Firefox version 4, it has been adopted as a standard and has grown in adoption and capabilities. [OWASP-CSP-CS]

Headers

Content-Security-Policy

Response header expected in every HTTP response from the server.  The supported "Directives" in the header are enforced by the web browser, and any violation is blocked.

Content-Security-Policy-Report-Only

Violations of any "Directive" included in this header are non-blocking and are reported to the URL given by the report-uri directive. This allows a gradual rollout of new policies before enforcing them in blocking mode via the Content-Security-Policy header.

Directives

See Content Security Policy Reference Guide for latest browser support information.

CSP 1.0 (supported in all major browsers)

  • connect-src (d) - restricts which URLs the protected resource can load using script interfaces (e.g. the send() method of an XMLHttpRequest object)
  • font-src (d) - restricts from where the protected resource can load fonts
  • img-src (d) - restricts from where the protected resource can load images
  • media-src (d) - restricts from where the protected resource can load video, audio, and associated text tracks
  • object-src (d) - restricts from where the protected resource can load plugins
  • script-src (d) - restricts which scripts the protected resource can execute. Also restricts inline scripts and eval. CSP2 adds hash and nonce support
  • style-src (d) - restricts which styles the user may apply to the protected resource. Also restricts inline styles and eval.
  • default-src - Covers any directive with (d)
  • report-uri - specifies a URL to which the user agent sends reports about policy violation
  • sandbox - specifies an HTML sandbox policy that the user agent applies to the protected resource. Optional in 1.0

New in CSP2 (not fully supported yet)

  • form-action - restricts which URLs can be used as the action of HTML form elements
  • frame-ancestors - indicates whether the user agent should allow embedding the resource using a frame, iframe, object, embed or applet element, or equivalent functionality in non-HTML resources
  • plugin-types - restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded
  • base-uri - restricts the URLs that can be used to specify the document base URL
  • child-src (d) - governs the creation of nested browsing contexts as well as Worker execution contexts
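The following is an added example (not code from the original page or from any CSP library) that ties the two header names above to the directive lists: it serializes a directive map into a header value, emits either the enforcing or the Report-Only header, and resolves which source list actually governs a given directive, applying the default-src fallback only to the "(d)" directives. The /csp-report path and the FETCH_DIRECTIVES set (which includes child-src per CSP2) are assumptions for the example.

```python
import secrets
from typing import Dict, Iterable, List, Optional

# Directives marked "(d)" above: when absent, the browser falls back to default-src.
# Assumption for this example: child-src is included, as in CSP2.
FETCH_DIRECTIVES = frozenset({
    "connect-src", "font-src", "img-src", "media-src",
    "object-src", "script-src", "style-src", "child-src",
})


def build_policy(directives: Dict[str, Iterable[str]]) -> str:
    """Serialize a directive -> source-list map into a CSP header value.

    Directives are joined with "; "; a directive with no sources (e.g. a bare
    sandbox) is emitted as just its name.
    """
    parts: List[str] = []
    for name, sources in directives.items():
        srcs = " ".join(sources)
        parts.append(f"{name} {srcs}" if srcs else name)
    return "; ".join(parts)


def csp_headers(directives: Dict[str, Iterable[str]], report_only: bool = False) -> Dict[str, str]:
    """Return the header to attach to a response: enforcing, or Report-Only for
    a staged rollout (violations go to report-uri, nothing is blocked)."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: build_policy(directives)}


def effective_sources(directives: Dict[str, Iterable[str]], directive: str) -> Optional[List[str]]:
    """Which source list actually governs `directive`?

    An explicit entry wins; "(d)" directives fall back to default-src; any other
    directive with no entry is unrestricted, signalled by None.
    """
    if directive in directives:
        return list(directives[directive])
    if directive in FETCH_DIRECTIVES and "default-src" in directives:
        return list(directives["default-src"])
    return None


def new_nonce() -> str:
    """Fresh per-response nonce for 'nonce-...' script sources (CSP2)."""
    return secrets.token_urlsafe(16)


def example_policy(nonce: str) -> Dict[str, List[str]]:
    """A locked-down baseline: self-only by default, nonce-allowed scripts,
    no plugins, and violations posted to a hypothetical /csp-report endpoint."""
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "object-src": ["'none'"],
        "report-uri": ["/csp-report"],
    }


if __name__ == "__main__":
    nonce = new_nonce()
    print(csp_headers(example_policy(nonce)))
    print(csp_headers(example_policy(nonce), report_only=True))
```

Note that form-action and frame-ancestors get no default-src fallback, so a policy that only sets default-src leaves them unrestricted; effective_sources makes that visible before the header ships.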

Implementation

Native support for CSP in Django is still being discussed.

Available implementations:

Options for reporting endpoint:

  • Endpoint that emits to Segment or Splunk?
  • Kinesis or some other AWS service to receive the report and put in an S3 bucket.
    • Can then use Athena to parse the reports.
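Whichever sink is chosen, the endpoint itself has to validate what the browser POSTs to report-uri and flatten it into a record the pipeline can index. The following is an added example (not code from the page, from Django, or from any AWS or Splunk SDK): a minimal WSGI app that accepts a CSP violation report, rejects oversized or malformed bodies, and normalises the report into flat columns. The in-memory RECEIVED list stands in for the Segment/Splunk/S3 sink, the 16 KiB size cap and the sample report are constructed for the example.

```python
import io
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Fields every CSP 1.0 violation report carries; anything without them is rejected.
REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")
MAX_REPORT_BYTES = 16 * 1024  # assumption: cap so a misbehaving client cannot flood the endpoint


class BadReport(ValueError):
    """Raised for bodies that are not a well-formed CSP violation report."""


def parse_csp_report(body: bytes) -> Dict[str, Any]:
    """Decode the JSON the browser POSTs to report-uri and return the inner
    "csp-report" object, validating size, encoding and required keys."""
    if len(body) > MAX_REPORT_BYTES:
        raise BadReport("report too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadReport("body is not valid JSON") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise BadReport("missing csp-report object")
    for key in REQUIRED_FIELDS:
        if not isinstance(report.get(key), str):
            raise BadReport(f"missing or non-string field: {key}")
    return report


def flatten_report(report: Dict[str, Any], received_at: Optional[str] = None) -> Dict[str, Any]:
    """Normalise one report into a flat record with stable column names, the
    shape a log pipeline (Splunk, or S3 queried with Athena) indexes easily."""
    # effective-directive is the CSP2 field; CSP 1.0 reports only carry
    # violated-directive, whose first token is the directive name.
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    return {
        "received_at": received_at or datetime.now(timezone.utc).isoformat(),
        "document_uri": report["document-uri"],
        "directive": directive,
        "blocked_uri": report["blocked-uri"],
        "source_file": report.get("source-file"),
        "line_number": report.get("line-number"),
        "status_code": report.get("status-code"),
        "original_policy": report.get("original-policy"),
    }


RECEIVED: List[Dict[str, Any]] = []  # stand-in for the Segment / Splunk / S3 sink


def report_endpoint(environ, start_response):
    """Minimal WSGI app to sit at report-uri: POST only, 204 on a valid report,
    400 on garbage, and the body is never echoed back to the client."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    # Read at most one byte over the cap so parse_csp_report can reject it.
    body = environ["wsgi.input"].read(min(length, MAX_REPORT_BYTES + 1))
    try:
        report = parse_csp_report(body)
    except BadReport:
        start_response("400 Bad Request", [])
        return [b""]
    RECEIVED.append(flatten_report(report))
    start_response("204 No Content", [])
    return [b""]


def post_report(body: bytes) -> str:
    """Drive the WSGI app in-process (no network) and return the status line."""
    statuses: List[str] = []
    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    report_endpoint(environ, lambda status, headers, exc_info=None: statuses.append(status))
    return statuses[0]


# Constructed sample: what a browser sends when an inline script is blocked
# by "script-src 'self'" on a hypothetical page.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/orders",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
    "blocked-uri": "inline",
    "status-code": 200,
}}).encode("utf-8")


if __name__ == "__main__":
    print(post_report(SAMPLE_REPORT), RECEIVED[-1])
```

The flat record keeps the directive and blocked URI as their own columns because those are what a rollout review queries on: a spike of script-src violations with blocked_uri "inline" after a Report-Only deploy usually means an inline script the policy has not yet been given a nonce or hash for.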

References