Content-Security-Policy (CSP) directives are defense-in-depth controls; the absence of those directives does not by itself make a website or service exploitable. When they are used, however, their presence indicates that the company has a good cyber security posture.
Objectives
- Application privilege limitation - The CSP uses the form-action directive to limit application privilege.
- Application privilege limitation - The CSP uses the object-src directive to limit application privilege.
- Code Injection Prevention - This requires the website to be designed or refactored with CSP in mind. The policy specifies explicit hosts for source-list directives and does not use the unsafe-inline or unsafe-eval keywords. This objective is not met if any of the source-list directives are improperly set or incomplete.
- Reporting - The CSP specifies a reporting location through a reporting directive. If either the report-to or report-uri directive is present, the reporting objective is considered satisfied.
- Resource Embedding Prevention - The CSP uses frame-ancestors (or X-Frame-Options) to prevent resource embedding attacks.
Directives
Directive | Description |
---|---|
base-uri | Defines a set of allowed URLs that can be used in the src attribute of an HTML base tag. |
connect-src | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed, the browser emulates a 400 HTTP status code. |
default-src | Defines the default policy for fetching resources, such as JavaScript, images, CSS, fonts, AJAX requests, frames, and HTML5 media. Not all directives fall back to default-src. |
font-src | Defines valid sources of font resources (loaded via @font-face). |
form-action | Restricts URLs that can be used as the target of form submissions. Satisfies the form-action objective. |
frame-ancestors | Prevents resource embedding attacks. Satisfies the resource-embedding objective. |
frame-src | Defines valid sources for loading frames. In CSP Level 2, this was deprecated in favor of the child-src directive. In CSP Level 3, it has been un-deprecated. If not present, it will continue to defer to child-src. |
img-src | Defines valid sources of images. |
manifest-src | Restricts the URLs from which application manifests can be loaded. |
media-src | Defines valid sources of audio and video, e.g., HTML5 <audio> and <video> elements. |
object-src | Prevents fetching and executing plugin resources embedded using <object>, <embed> or <applet> tags. The most common example is Flash. |
report-to | Instructs the user agent to store reporting endpoints for an origin. Satisfies the reporting objective. |
report-uri [deprecated] | A pointer that locates where violations of CSP are logged. Satisfies the reporting objective. |
script-src | Defines valid sources of JavaScript. |
script-src-attr | Specifies valid sources for JavaScript inline event handlers. This includes only inline script event handlers like onclick, not URLs loaded directly into <script> elements. |
script-src-elem | Specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick. |
style-src | Defines valid sources of stylesheets or CSS. |
style-src-attr | Specifies valid sources for inline styles applied to individual DOM elements. |
style-src-elem | Specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet". |
worker-src | Restricts the URLs that may be loaded as a Worker, SharedWorker, or ServiceWorker. |
Considerations
- CSP in HTML is considered only if:
  - The HTML head element is an ancestor.
  - The policy is inside a meta element with http-equiv="Content-Security-Policy". This value is case sensitive.
  - The element has a content attribute.
  - The directive is known.
- CSP defined in meta tags does not support the following directives: report-uri, frame-ancestors, sandbox.
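The considerations above can be applied mechanically when auditing a page. The following Python script is an added example (not code from the original article or from any vendor tool): it walks an HTML document with the standard-library html.parser, keeps only meta policies that satisfy the four conditions (inside head, exact-case http-equiv value, content attribute present, directive known), and drops the three directives that meta delivery does not support. The sample document, the dictionary layout of the findings and the function names are constructed for this example.

```python
from html.parser import HTMLParser

# Directives the Considerations list says are ignored when CSP is delivered in <meta>.
META_UNSUPPORTED = {"report-uri", "frame-ancestors", "sandbox"}

# Directive names taken from the Directives table above.
KNOWN_DIRECTIVES = {
    "base-uri", "connect-src", "default-src", "font-src", "form-action",
    "frame-ancestors", "frame-src", "img-src", "manifest-src", "media-src",
    "object-src", "report-to", "report-uri", "script-src", "script-src-attr",
    "script-src-elem", "style-src", "style-src-attr", "style-src-elem", "worker-src",
}

# Constructed sample page exercising each consideration (not a real site).
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /csp; bogus-src x">
<meta http-equiv="content-security-policy" content="script-src 'self'">
<meta http-equiv="Content-Security-Policy">
</head><body>
<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
</body></html>"""


class MetaCSPFinder(HTMLParser):
    """Record one finding per candidate <meta> CSP element, applying the rules above."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "meta":
            return
        attrs = dict(attrs)  # html.parser lowercases attribute names, not values
        equiv = attrs.get("http-equiv")
        if equiv is None or equiv.lower() != "content-security-policy":
            return  # some other meta element; not a CSP candidate
        if equiv != "Content-Security-Policy":
            self._reject("http-equiv value is case sensitive, got %r" % equiv)
        elif not self.in_head:
            self._reject("meta CSP element is not a descendant of <head>")
        elif "content" not in attrs:
            self._reject("meta CSP element has no content attribute")
        else:
            self._accept(attrs["content"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

    def _reject(self, reason):
        self.findings.append({"accepted": False, "reason": reason,
                              "honoured": [], "dropped": []})

    def _accept(self, content):
        # Directive name is the first token of each ';'-separated chunk.
        names = [chunk.split()[0].lower() for chunk in content.split(";") if chunk.split()]
        honoured = [n for n in names if n in KNOWN_DIRECTIVES and n not in META_UNSUPPORTED]
        dropped = [n for n in names if n not in honoured]  # unknown or unsupported in <meta>
        self.findings.append({"accepted": True, "reason": "ok",
                              "honoured": honoured, "dropped": dropped})


def evaluate_meta_csp(html):
    """Return the list of findings for every CSP <meta> element in the document."""
    finder = MetaCSPFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in evaluate_meta_csp(SAMPLE_HTML):
        print(finding)
```

Run against the sample, the first meta element is accepted with only default-src honoured (frame-ancestors and report-uri are dropped because meta delivery does not support them, bogus-src because it is unknown); the lowercase http-equiv, the element without content, and the element in the body are each rejected with the matching reason.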
Checks
- The syntax of CSP directives is checked for correctness of the data, duplicate directives, and whether optional/known directives are added.
- Multiple headers are allowed.
- Either the X-Frame-Options or frame-ancestors directive should be present and correctly set.
- Reporting should be present and there should be a directive for logging errors.
- There should already be an annotation indicating that the required header is missing. This is indicated if the CSP record is report only, i.e. a CSP record delivered with the Content-Security-Policy-Report-Only header instead of Content-Security-Policy.
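To show how the Objectives and the Checks above fit together, here is an added Python example (not code from the original article or from any scanning vendor) that parses the CSP-related headers of one response, flags duplicate and unknown directives, and reports each objective as met or not. Two interpretations are assumptions of this example rather than statements from the article: "improperly set" source lists are taken to mean lists containing unsafe-inline, unsafe-eval or a bare * wildcard, and "incomplete" to mean that neither script-src nor default-src is present. The header samples, the result layout and the function names are constructed for the example.

```python
# Directive names from the Directives table above.
KNOWN_DIRECTIVES = {
    "base-uri", "connect-src", "default-src", "font-src", "form-action",
    "frame-ancestors", "frame-src", "img-src", "manifest-src", "media-src",
    "object-src", "report-to", "report-uri", "script-src", "script-src-attr",
    "script-src-elem", "style-src", "style-src-attr", "style-src-elem", "worker-src",
}
# Every known directive except the two reporting ones takes a source list.
SOURCE_LIST_DIRECTIVES = KNOWN_DIRECTIVES - {"report-to", "report-uri"}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# Constructed sample responses (not real sites): (header name, value) pairs in wire order.
WEAK_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self' *; script-src 'self' 'unsafe-inline'; "
     "script-src 'none'; plugin-types application/pdf"),
]
STRONG_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' https://static.example.test; "
     "object-src 'none'; form-action 'self'; report-to csp-endpoint"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Content-Security-Policy-Report-Only", "default-src 'none'; report-uri /csp-reports"),
]
REPORT_ONLY_HEADERS = [("Content-Security-Policy-Report-Only", "default-src 'self'")]


def parse_csp(value):
    """Parse one header value into {directive: [values]} plus a list of syntax findings."""
    directives, findings = {}, []
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in KNOWN_DIRECTIVES:
            findings.append("unknown or unsupported directive: " + name)
        elif name in directives:
            # Browsers honour only the first occurrence of a directive name.
            findings.append("duplicate directive ignored by browsers: " + name)
        else:
            directives[name] = tokens[1:]
    return directives, findings


def _code_injection_prevented(enforced):
    # Assumed reading of "incomplete": nothing governs script sources at all.
    if "script-src" not in enforced and "default-src" not in enforced:
        return False
    # Assumed reading of "improperly set": unsafe keywords or a bare wildcard.
    for name, policies in enforced.items():
        if name not in SOURCE_LIST_DIRECTIVES:
            continue
        for values in policies:
            if UNSAFE_KEYWORDS & set(values) or "*" in values:
                return False
    return True


def evaluate_csp(headers):
    """Evaluate the objectives and checks for one response's headers."""
    enforced, findings = {}, []
    has_enforced = has_report_only = False
    x_frame_options = None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            x_frame_options = value.strip().upper()
        elif lname == "content-security-policy-report-only":
            has_report_only = True
            findings.extend("[report-only] " + f for f in parse_csp(value)[1])
        elif lname == "content-security-policy":
            has_enforced = True
            directives, f = parse_csp(value)
            findings.extend(f)
            # Multiple enforced headers are allowed; each policy is enforced independently,
            # so a directive counts as set if any enforced policy sets it.
            for d, values in directives.items():
                enforced.setdefault(d, []).append(values)
    objectives = {
        "form_action": "form-action" in enforced,
        "object_src": "object-src" in enforced,
        "code_injection_prevention": _code_injection_prevented(enforced),
        "reporting": "report-to" in enforced or "report-uri" in enforced,
        "resource_embedding": "frame-ancestors" in enforced
                              or x_frame_options in ("DENY", "SAMEORIGIN"),
    }
    return {
        "objectives": objectives,
        "findings": findings,
        # Report-only without an enforced header: annotate the required header as missing.
        "missing_enforced_header": has_report_only and not has_enforced,
    }


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS),
                        ("report-only", REPORT_ONLY_HEADERS)):
        print(label, evaluate_csp(hdrs))
```

The weak sample fails every objective and produces two findings (the second script-src is a duplicate that browsers ignore, and plugin-types is no longer a known directive); the strong sample meets all five objectives across two enforced headers plus a report-only header; the report-only sample is annotated as missing the enforced header. Reporting is counted only from enforced policies here, which is a choice of this example.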
- April 24, 2024: plugin-types no longer recommended.
- December 6, 2021: Updated objectives; updated details on the form-action, frame-ancestors, object-src, report-to, and report-uri directives; added additional source-list directives: base-uri, connect-src, default-src, font-src, frame-src, img-src, manifest-src, media-src, script-src, style-src, and worker-src.
- October 19, 2021: Linked to resources for proper header implementation.