What Content-Security-Policy (CSP) Directives are Assessed?
Ingrid

Content-Security-Policy (CSP) directives are defense-in-depth controls, and the absence of those directives does not by itself make a website or service exploitable. When they are used, however, their presence is a positive indicator of a company's cyber security posture.

Objectives

- Application privilege limitation (form-action): The CSP uses the form-action directive to limit application privilege.
- Application privilege limitation (object-src): The CSP uses the object-src directive to limit application privilege.
- Code injection prevention: This requires the website to be designed or refactored with CSP in mind. The policy specifies explicit hosts for its source-list directives and does not use the 'unsafe-inline' or 'unsafe-eval' keywords. This objective is not met if any source-list directive is improperly set or incomplete.
- Reporting: The CSP specifies a reporting location through a reporting directive. If either the report-to or report-uri directive is present, the reporting objective is considered satisfied.
- Resource embedding prevention: The CSP uses frame-ancestors (or the X-Frame-Options header) to prevent resource embedding attacks.

Directives

- base-uri: Restricts the URLs that can be used in the href attribute of an HTML <base> tag.
- connect-src: Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping>, and EventSource connections. A connection to a source that is not allowed fails; the CSP specification describes this as the browser acting as if it had received an empty HTTP 400 response.
- default-src: Defines the default policy for fetching resources such as JavaScript, images, CSS, fonts, AJAX requests, frames, and HTML5 media. Not all directives fall back to default-src (base-uri, form-action, and frame-ancestors, for example, do not).
- font-src: Defines valid sources of font resources (loaded via @font-face).
- form-action: Restricts the URLs that can be used as the target of form submissions. Satisfies the application privilege limitation (form-action) objective.
- frame-ancestors: Restricts which origins may embed the page in a frame, iframe, object, or embed element, and so prevents resource embedding attacks such as clickjacking. Satisfies the resource embedding prevention objective.
- frame-src: Defines valid sources for loading frames. In CSP Level 2 it was deprecated in favor of the child-src directive; CSP Level 3 restored it. If it is not present, it continues to fall back to child-src.
- img-src: Defines valid sources of images.
- manifest-src: Restricts the URLs from which application manifests can be loaded.
- media-src: Defines valid sources of audio and video, e.g., HTML5 <audio> and <video> elements.
- object-src: Restricts the plugin resources that can be fetched and executed through <object>, <embed>, or <applet> tags. The most common example is Flash. Satisfies the application privilege limitation (object-src) objective.
- report-to: Names a reporting endpoint group, defined for the origin by the Reporting API's Report-To header, to which violation reports are sent. Satisfies the reporting objective.
- report-uri [deprecated]: Specifies the URL to which violations of the CSP are reported. Satisfies the reporting objective.
- script-src: Defines valid sources of JavaScript.
- script-src-attr: Specifies valid sources for inline JavaScript event handlers such as onclick, but not for scripts loaded into <script> elements.
- script-src-elem: Specifies valid sources for JavaScript <script> elements, but not for inline event handlers such as onclick.
- style-src: Defines valid sources of stylesheets or CSS.
- style-src-attr: Specifies valid sources for inline styles applied to individual DOM elements.
- style-src-elem: Specifies valid sources for <style> elements and <link> elements with rel="stylesheet".
- worker-src: Restricts the URLs that may be loaded as a Worker, SharedWorker, or ServiceWorker.

Considerations

A CSP delivered in HTML is considered only if all of the following hold:

- The HTML head element is an ancestor of the policy element.
- The policy is inside a meta element with http-equiv="Content-Security-Policy". This value is case sensitive.
- The element has a content attribute.
- The directive is known.

A CSP defined in a meta tag does not support the following directives:

- report-uri
- frame-ancestors
- sandbox

Checks

- Directive syntax is checked for correctness of the values, for duplicate directives, and for whether optional or known directives are present.
- Multiple Content-Security-Policy headers are allowed.
- Either the X-Frame-Options header or the frame-ancestors directive should be present and correctly set.
- A reporting directive should be present so that violations are logged.
- A report-only policy, i.e., one delivered in the Content-Security-Policy-Report-Only header rather than in Content-Security-Policy, is not enforced and is annotated as though the required header is missing.

April 24, 2024: plugin-types no longer recommended.
December 6, 2021: Updated objectives; updated details on the form-action, frame-ancestors, object-src, report-to, and report-uri directives; added the source-list directives base-uri, connect-src, default-src, font-src, frame-src, img-src, manifest-src, media-src, script-src, style-src, and worker-src.
October 19, 2021: Linked to resources for proper header implementation.

Related articles

- How is the Web Application Headers Risk Vector Assessed?
- What is Content-Security-Policy (CSP)?
- Goals of Content-Security-Policy (CSP)
- Web Application Header Finding Grades
- TLS/SSL Finding Remediation & Remediation Verification
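The objectives, meta-tag considerations, and checks described on this page can be reproduced as a small policy checker. The following is an added example written for this article, not the assessor's own scanning code: it parses a serialized policy, resolves the CSP Level 3 fallback chain (e.g. script-src-elem to script-src to default-src), evaluates each objective, flags duplicate and unknown directives, drops the directives a <meta> policy cannot carry, and annotates report-only delivery. The sample policies are constructed for illustration, and the treatment of a bare `*` as an "improperly set" source list is this example's reading of the objective text, not a rule stated on the page.

```python
"""Check a Content-Security-Policy against the objectives and checks described on this page.
Added example (not the assessor's code); the rules below are taken from the page's text."""

KNOWN_DIRECTIVES = {
    "base-uri", "child-src", "connect-src", "default-src", "font-src", "form-action",
    "frame-ancestors", "frame-src", "img-src", "manifest-src", "media-src", "object-src",
    "report-to", "report-uri", "sandbox", "script-src", "script-src-attr", "script-src-elem",
    "style-src", "style-src-attr", "style-src-elem", "worker-src", "upgrade-insecure-requests",
}
# Fallback chain (before the final fall back to default-src) for directives that defer to others.
FALLBACK = {
    "script-src-elem": ["script-src"], "script-src-attr": ["script-src"],
    "style-src-elem": ["style-src"], "style-src-attr": ["style-src"],
    "frame-src": ["child-src"], "worker-src": ["child-src", "script-src"],
}
SOURCE_LISTS = {"default-src", "child-src", "connect-src", "font-src", "img-src",
                "manifest-src", "media-src", "object-src", "script-src", "style-src"} | set(FALLBACK)
NOT_IN_META = {"report-uri", "frame-ancestors", "sandbox"}   # from the Considerations section
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'", "*"}             # assumption: bare * is "improperly set"


def parse_csp(policy):
    """Split a serialized policy into {directive: [sources]}; also return duplicate/unknown names."""
    directives, duplicates, unknown = {}, [], []
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name in directives:
            duplicates.append(name)        # browsers keep the first occurrence and ignore repeats
            continue
        if name not in KNOWN_DIRECTIVES:
            unknown.append(name)
        directives[name] = sources
    return directives, duplicates, unknown


def effective(directives, name):
    """Resolve `name` through its fallback chain down to default-src; (None, None) if nothing applies."""
    for candidate in [name] + FALLBACK.get(name, []) + ["default-src"]:
        if candidate in directives:
            return candidate, directives[candidate]
    return None, None


def assess(policy, delivery="header", x_frame_options=None, report_only=False):
    """Evaluate one policy. delivery is "header" or "meta"; x_frame_options is that header's
    value if one was sent; report_only marks a Content-Security-Policy-Report-Only delivery.
    Returns (objectives: {name: bool}, findings: [str])."""
    d, duplicates, unknown = parse_csp(policy)
    findings = [f"duplicate directive: {n}" for n in duplicates]
    findings += [f"unknown directive: {n}" for n in unknown]
    if delivery == "meta":                 # a <meta> policy cannot carry these; ignore them
        for n in [n for n in d if n in NOT_IN_META]:
            findings.append(f"directive ignored in <meta>: {n}")
            del d[n]
    bad_lists = [n for n in d if n in SOURCE_LISTS and UNSAFE & set(d[n])]
    findings += [f"improperly set source list: {n}" for n in bad_lists]
    script_resolved, _ = effective(d, "script-src")
    objectives = {
        "form_action": "form-action" in d,
        "object_src": "object-src" in d,
        "code_injection": script_resolved is not None and not bad_lists,
        "reporting": "report-to" in d or "report-uri" in d,
        "resource_embedding": "frame-ancestors" in d or x_frame_options is not None,
    }
    if report_only:
        findings.append("policy is report-only: enforcing Content-Security-Policy header is missing")
    return objectives, findings


# Constructed sample policies (not taken from any real site).
WEAK = "default-src *; script-src 'self' 'unsafe-inline'; script-src 'none'; frame-ancestor 'none'"
STRONG = ("default-src 'none'; script-src 'self' https://cdn.example.com; style-src 'self'; "
          "img-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; "
          "form-action 'self'; frame-ancestors 'none'; report-uri /csp-report")

if __name__ == "__main__":
    for label, args in [("weak", (WEAK,)), ("strong", (STRONG,)), ("strong via meta", (STRONG, "meta"))]:
        objectives, findings = assess(*args)
        print(label, objectives, findings)
```

Note that the misspelled `frame-ancestor` in the weak policy is reported as an unknown directive and, because the spelling is wrong, does not satisfy the resource embedding objective; the same policy delivered correctly but in a <meta> tag loses that objective too, since browsers ignore frame-ancestors and report-uri there.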