Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

What Content-Security-Policy (CSP) Directives are Assessed?

Avatar
Ingrid
Follow
  • December 6, 2021: Updated objectives; Updated details on form-action, frame-ancestors, object-src, report-to, & report-uri directives; Added additional source-list directives: base-uri, connect-src, default-src, font-src, frame-src, img-src, manifest-src, media-src, script-src, style-src, & worker-src.
  • October 19, 2021: Linked to resources for proper header implementation.
  • February 10, 2020: Published.

Content-Security-Policy (CSP) directives are in-depth controls, and the absence of those directives does not automatically make a website or service exploitable. However, when used, their presence indicates a company has a good cyber security posture.

Objectives

  • Application privilege limitation - The CSP uses the form-action directive to limit application privilege.
  • Application privilege limitation - The CSP uses the plugin-types or object-src directives to limit application privilege.
  • Code Injection Prevention - This requires the website to be designed or refactored with CSP in mind. The user specifies explicit hosts for source-list directives and does not use the unsafe-inline or unsafe-eval keywords. This objective is not met if any of the source-list directives are improperly set or incomplete.
  • Reporting - The CSP specifies a reporting location through a reporting directive. If either the report-to or report-uri directive is present, the reporting objective is considered to be satisfied.
  • Resource Embedding Prevention - The CSP uses frame-ancestors (or X-Frame-Options) to prevent resource embedding attacks.

Directives

Directive Description
base-uri Defines a set of allowed URLs that can be used in the src attribute of an HTML base tag.
connect-src Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed, the browser emulates a 400 HTTP status code.
default-src Defines the default policy for fetching resources, such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, and HTML5 Media. Not all directives fall back to default-src.
font-src Defines valid sources of font resources (loaded via @font-face).
form-action Restricts URLs that can be used as the target of form submissions. Satisfies the form-action-objective.
frame-ancestors Prevents resource embedding attacks. Satisfies the resource-embedding-objective.
frame-src Defines valid sources for loading frames. In CSP Level 2, this was deprecated in favor of the child-src directive. In CSP Level 3, it has been un-deprecated. If not present, it will continue to defer to child-src.
img-src Defines valid sources of images.
manifest-src Restricts the URLs that application manifests can be loaded.
media-src Defines valid sources of audio and video, e.g., HTML5 <audio> and <video> elements.
object-src Prevents fetching and executing plugin resources embedded using <object>, <embed> or <applet> tags. The most common example is Flash. This directive satisfies the plugin-types-objective.
plugin-types [deprecated] Restricts the set of plugins that can be embedded into a document by limiting the types of resources that can be loaded. Since this is deprecated, we recommend using object-src: "none" to address this.
report-to Instructs the user agent to store reporting endpoints for an origin. Satisfies the reporting-objective.
report-uri
[deprecated]		 A pointer that locates where violations of CSP are logged. Satisfies the reporting-objective.
script-src Defines valid sources of JavaScript.
script-src-attr Specifies valid sources for JavaScript inline event handlers. This includes only inline script event handlers like onclick, but not URLs loaded directly into <script> elements.
script-src-elem Specifies valid sources for JavaScript <script> elements, but not inline script event handlers, like onclick.
style-src Defines valid sources of stylesheets or CSS.
style-src-attr Specifies valid sources for inline styles applied to individual DOM elements.
style-src-elem Specifies valid sources for stylesheets <style> and <link> elements with rel="stylesheet".
worker-src Restricts the URLs that may be loaded as a Worker, SharedWorker, or ServiceWorker.

Considerations

  • CSP in HTML is considered only if:
    • The HTML head element is an ancestor.
    • The policy is inside a meta element, like so: 
      http-equiv="Content-Security-Policy"

      This is case sensitive.

    • The element has a content attribute.
    • The directive is known.
  • CSP defined in meta tags don’t support the following directives:
    • report-uri
    • frame-ancestors
    • sandbox

Checks

  • The syntax of CSP directives is checked for correctness of the data, duplicate directives, and if optional/known directives are added.
  • Multiple headers are allowed.
  • Either the X-Frame-Options or frame-ancestors directive should be present and correctly set.
  • Reporting should be present and there should be a directive for logging errors.
  • There should already be an annotation indicating that the required header is missing. This is indicated if the CSP record is report only, which is a type of CSP record that has the specific Content-Security-Policy-Report-Only header instead of Content-Security-Policy.

Related articles