Page 1
Content Security Policy
featuring ember.js
Page 2
WHOAMI
Ryan LaBouve (@ryanlabouve)
Page 6
Thinking about a new side-project
Page 7
Fire up `ember new`
Page 8
(wait on NPM and Bower)
Page 10
Sparkling new project!
Page 12
ENTER CSP
Content-Security-Policy: 'take-that.xss'
Page 13
What is Content Security Policy?
Page 14
XSS Mitigation Strategy
using a whitelist-based approach.
Page 15
What is XSS?
People trying to execute malicious (usually?) JavaScript on your page.
Page 16
How does CSP help?
It delivers a policy via an HTTP header describing what is allowed to execute on your site.
Page 17
CSP in the wild
When we request a webpage, we get a response that has a header and a body.
Page 18
Response body (has the HTML/CSS/JS)
Page 19
Response header (has various metadata)
Page 21
How to implement and customize CSP
Page 22
Series of Directives
Page 23
default-src
script-src (the key directive for blocking scripting)
object-src
style-src
img-src
media-src
frame-src
font-src
connect-src
Page 24
Each attached to HTML elements
Page 25
script-src: <script>
object-src: <object>, <embed>
style-src: <link rel="stylesheet">, <style>
img-src: <img>, images in CSS
media-src: <audio>, <video>
frame-src: <iframe>, <frame>
font-src: @font-face
connect-src: XMLHttpRequest, JS APIs
Page 26
Values to Describe Policy
'self', 'none', *
'unsafe-inline', 'unsafe-eval'
example.url.com
Page 27
About the Values
Space-delimited sources, matching the HTTP header syntax
Semicolon at the end of each directive
Page 28
'self'
Anything you're including locally
Page 29
'unsafe-inline'
Anything happening inline in your content; this includes inline event handlers.
Better to "separate code and data".
Page 30
'unsafe-eval'
eval, setTimeout (with a string argument) and friends
Not as big a deal as 'unsafe-inline'.
Page 31
Custom Templates
Not executing. No problem.
Page 32
Other Values
* — Anything Goes
'none' — Nothing Goes
url — can specify ports, protocols, wildcards, etc.
http://content-security-policy.com/
Page 33
A few quick examples:
Page 34
Serve nothing at all
Page 35
Serve everything ever
Page 36
Only serve local assets … a good starting spot
Page 37
Build up slowly as needed
Page 38
Focus on script-src ...especially if you're worried mostly about XSS.
Page 39
Mitigate XSS ...a more complete plan
* Move inline script out-of-line
* Remove inline event handlers
* Remove use of eval and friends (not as big a deal)
* Add the script-src directive
Page 40
Options for Enforcing
Report only, callback URL, block
Page 41
Wanna try it out? Try report-only mode and tweak as you go.
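The three quick examples, the "mitigate XSS" plan and the report-only option above, worked through as an added JavaScript example (not code from the talk or from ember-cli): it serializes a policy object into header syntax, parses a header back, audits the effective script sources for the values the slides warn about, and picks the enforcing or report-only header name. The sample policies and the `/csp-report` path are constructed for illustration.

```javascript
// Serialize { directive: [sources] } into header syntax:
// space-delimited sources, directives separated by semicolons.
function serializeCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Flag the values the slides warn about. script-src falls back to
// default-src when absent, so audit the effective script sources.
function auditScriptSrc(policy) {
  const sources = policy['script-src'] || policy['default-src'] || [];
  const findings = [];
  if (sources.length === 0) findings.push('no script-src or default-src: everything allowed');
  if (sources.includes('*')) findings.push('any origin may supply scripts');
  if (sources.includes("'unsafe-inline'")) findings.push('inline scripts and event handlers allowed');
  if (sources.includes("'unsafe-eval'")) findings.push('eval and friends allowed (less severe)');
  return findings;
}

// Choose the header: report-only lets you tweak the policy before blocking.
// report-uri is where the browser posts violation reports.
function cspHeader(policy, { reportOnly = false, reportUri } = {}) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  const full = reportUri ? { ...policy, 'report-uri': [reportUri] } : policy;
  return { name, value: serializeCsp(full) };
}

// Constructed sample policies matching the slides' three examples.
const serveNothing = { 'default-src': ["'none'"] };
const serveEverything = { 'default-src': ['*', "'unsafe-inline'", "'unsafe-eval'"] };
const localOnly = { 'default-src': ["'self'"], 'script-src': ["'self'"] };

module.exports = { serializeCsp, parseCsp, auditScriptSrc, cspHeader, serveNothing, serveEverything, localOnly };
```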
Page 42
Browser Compatibility Issues
Page 43
Resources
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
https://developer.chrome.com/extensions/contentSecurityPolicy
http://en.wikipedia.org/wiki/Content_Security_Policy
https://www.youtube.com/watch?v=pocsv39pNXA
https://blog.justinbull.ca/ember-cli-and-content-security-policy-csp/