Cross-site scripting (XSS) is the most common and most harmful web security vulnerability.
Preventing it takes a great many programming measures, which is very troublesome. Many people ask: can the problem be solved at the root, by having the browser automatically refuse to run externally injected malicious scripts?
This is the origin of Content Security Policy (CSP). This article explains in detail how to use CSP to prevent XSS attacks.
1. Introduction
In essence, CSP is a white-list system. The developer explicitly tells the client which external resources may be loaded and executed, which amounts to supplying a white list. Implementation and enforcement are done entirely by the browser; the developer only has to provide the configuration.
CSP greatly improves the security of a web page. Even if an attacker finds a vulnerability, they cannot inject a script unless they also control a trusted host on the white list.
There are two ways to enable CSP. One is the Content-Security-Policy field of the HTTP response header.
Content-Security-Policy: script-src 'self'; object-src 'none';
style-src cdn.example.org third-party.org; child-src https:
The other is the <meta> tag of the web page.
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">
In the code above, CSP is configured as follows.
- script-src: only trust the current domain
- object-src (the <object> tag): trust no URL, that is, load no resources
- style-src: only cdn.example.org and third-party.org are trusted
- child-src: frames must be loaded over HTTPS
- Other resources: no restriction
Once CSP is enabled, external resources that do not conform to the policy are blocked from loading and the browser shows an error message (the original article shows Chrome's and Firefox's messages as screenshots, not reproduced here).
2. Restriction options
CSP provides many restriction options, covering every aspect of security.
2.1 Resource loading restrictions
The following options restrict the loading of the various kinds of resources.
- script-src: external scripts
- style-src: style sheets
- img-src: images
- media-src: media files (audio and video)
- font-src: font files
- object-src: plug-ins (such as Flash)
- child-src: frames
- frame-ancestors: embedded external resources (such as <frame>, <iframe>, <embed> and <applet>)
- connect-src: HTTP connections (via XHR, WebSockets, EventSource, etc.)
- worker-src: worker scripts
- manifest-src: manifest files
2.2 default-src
Default SRC is used to set the default values of the above options.
default-src
Content-Security-Policy: default-src 'self'
The code above restricts all external resources: they may only be loaded from the current domain.
If an individual restriction (such as font-src) and default-src are both set, the former overrides the latter: font files follow the value of font-src, while all other resources still follow the value of default-src.
2.3 URL restrictions
Sometimes a web page interacts with other URLs; these can be restricted as well.
- frame-ancestors: restricts the web page from being embedded in frames
- base-uri: restricts <base#href>
- form-action: restricts <form#action>
2.4 Other restrictions
CSP also includes other security-related functions.
- block-all-mixed-content: an HTTPS page may not load HTTP resources (browsers enable this by default)
- upgrade-insecure-requests: automatically rewrites every HTTP link to an external resource on the page to the HTTPS protocol
- plugin-types: restricts which plug-in formats may be loaded
- sandbox: restricts browser behaviour, such as disallowing pop-up windows
2.5 report-uri
Sometimes, besides preventing XSS, we also want to record such behaviour. report-uri tells the browser which URL to report injection behaviour to.
Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
The code above specifies that injection behaviour is reported to the URL /my_amazing_csp_report_parser.
The browser sends a JSON object with the POST method. Here is an example.
{
"csp-report": {
"document-uri": "http://example.org/page.html",
"referrer": "http://evil.example.com/",
"blocked-uri": "http://evil.example.com/evil.js",
"violated-directive": "script-src 'self' https://apis.google.com",
"original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/my_amazing_csp_report_parser"
}
}
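A receiver for the report-uri endpoint has to treat these POST bodies as untrusted input. The following added example (mine, not from the article) validates a report and flattens it into a loggable record; the sample bytes are constructed from the JSON shown above, and the size bound, field set and helper names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed from the article's sample report (not captured from a real browser).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; "
                       "report-uri http://example.org/my_amazing_csp_report_parser",
}}).encode("utf-8")

REPORT_FIELDS = ("document-uri", "referrer", "blocked-uri",
                 "violated-directive", "original-policy")

def parse_csp_report(body: bytes, max_bytes: int = 16 * 1024) -> dict:
    """Validate one POSTed report and return a flat record for logging.
    Raises ValueError on malformed input: the body is attacker-influenced,
    so it is size-bounded, type-checked and never echoed back."""
    if len(body) > max_bytes:
        raise ValueError("report too large")
    try:
        outer = json.loads(body.decode("utf-8"))   # bad UTF-8 is a ValueError too
    except ValueError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    record = {}
    for field in REPORT_FIELDS:
        value = report.get(field, "")
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string")
        record[field] = value[:2048]            # bound what reaches the log
    # Aggregate on the directive name alone ("script-src"), not the whole source list.
    record["directive"] = record["violated-directive"].split(" ")[0]
    # Collapse blocked-uri to its origin so one noisy host does not flood alerts.
    b = urlsplit(record["blocked-uri"])
    record["blocked-origin"] = f"{b.scheme}://{b.netloc}" if b.netloc else record["blocked-uri"]
    # Browsers report "inline" or "eval" instead of a URL for inline-script and eval
    # violations; those usually point at injected markup rather than a missing host.
    record["inline"] = record["blocked-uri"] in ("inline", "eval")
    return record

def is_valid_report(body: bytes) -> bool:
    try:
        parse_csp_report(body)
        return True
    except ValueError:
        return False
```

Answer the browser with 204 regardless of the outcome; it ignores the response body.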
3. Content-Security-Policy-Report-Only
Besides Content-Security-Policy, there is also a Content-Security-Policy-Report-Only header field, which means the restriction options are not enforced; violations of the restrictions are only recorded.
It must be used together with the report-uri option.
Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
4. Option values
Each restriction option can be set to the following values, which together make up the white list.
- Host name: example.org, https://example.com:443
- Path name: example.org/resources/js/
- Wildcards: *.example.org, *://*.example.com:* (any protocol, any subdomain, any port)
- Protocol name: https:, data:
- Keyword 'self': the current domain; quotes required
- Keyword 'none': forbid loading any external resource; quotes required
Multiple values can also be listed side by side, separated by spaces.
Content-Security-Policy: script-src 'self' https://apis.google.com
If the same restriction option is used more than once, only the first occurrence takes effect.
# wrong
script-src https://host1.com; script-src https://host2.com
# correct
script-src https://host1.com https://host2.com
If a restriction option is not set, any value is allowed by default.
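To make the default-src fallback, the first-occurrence rule and the unset-means-unrestricted rule concrete, here is an added example (mine, not from the article) that parses a policy header and decides whether a given URL would be allowed; it also generalises matching to the host, wildcard, scheme and path forms listed above. The fetch-directive list and the simplified matcher are assumptions, not the browser's exact algorithm.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src (the ones this article names; assumption).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "media-src", "font-src",
                    "object-src", "child-src", "connect-src", "worker-src", "manifest-src"}

def parse_policy(header: str) -> dict:
    """{directive: [source expressions]}; a repeated directive keeps its first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])   # first one wins
    return policy

def effective_sources(policy: dict, directive: str):
    """Own value, else default-src for fetch directives, else None (= unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Simplified match of one source expression ('none', 'self', scheme:, host source)."""
    expr, u = expr.lower(), urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.endswith(":"):                                 # scheme source, e.g. https: data:
        return u.scheme + ":" == expr
    scheme, _, rest = expr.rpartition("://")               # [scheme://]host[:port][/path]
    host_port, _, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    if scheme not in ("", "*", u.scheme):
        return False
    hostname = u.hostname or ""                            # data: URLs have no host
    if not (hostname.endswith(host[1:]) if host.startswith("*.") else hostname == host):
        return False
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    if port not in ("", "*") and (u.port or default_port) != int(port):
        return False
    return path == "" or u.path.startswith("/" + path)     # path prefix match

def url_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    sources = effective_sources(policy, directive)         # None: directive not set
    return True if sources is None else any(source_matches(s, url, page_origin) for s in sources)
```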
5. Special values of script-src
Besides the normal values, script-src can also be given some special values. Note that the following values must be enclosed in single quotes.
- 'unsafe-inline': allows embedded <script> tags and event-listener attributes to execute
- 'unsafe-eval': allows strings to be executed as code through functions such as eval, setTimeout, setInterval and Function
- nonce value: each HTTP response supplies an authorization token, and an embedded script can only execute if it carries that token
- hash value: lists the hash values of the script code allowed to execute; an embedded script on the page can only execute if its hash matches
An example of a nonce value: when the server sends the page, it tells the browser a randomly generated token.
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
A script embedded in the page must carry this token in order to execute.
<script nonce=EDNnf03nceIOfn39fn3e9h3sdfa>
// some code
</script>
An example of a hash value: the server gives the hash of the code that is allowed to execute.
Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='
The following code is allowed to execute because the hash values match.
<script>alert('Hello, world.');</script>
Note that the <script> tags themselves are not included when computing the hash.
Besides script-src, nonce and hash values can also be used with style-src to control the style sheets embedded in the page.
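The following added example (mine, not from the article) generates the nonce and hash sources described above and emits a matching header together with the <script> tags, so that no 'unsafe-inline' is needed; the helper names are assumptions. The article's hash is written with the URL-safe base64 alphabet, which CSP level 3 also accepts; the function below emits standard base64.

```python
import base64
import hashlib
import secrets

def script_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Build the 'sha256-...' source expression for one inline script.
    The hash covers exactly the text between <script> and </script>, whitespace
    included, never the tags; sha384 and sha512 are allowed as well."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def new_nonce(num_bytes: int = 16) -> str:
    """A fresh, unguessable 128-bit nonce for one HTTP response; never reuse it."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def render_page(inline_scripts, use_nonce: bool = True) -> tuple:
    """Return (Content-Security-Policy value, HTML) for a page whose inline scripts
    are allowed either by a per-response nonce or by their hashes."""
    if use_nonce:
        nonce = new_nonce()
        sources = [f"'nonce-{nonce}'"]
        tags = [f'<script nonce="{nonce}">{body}</script>' for body in inline_scripts]
    else:
        sources = [script_hash_source(body) for body in inline_scripts]
        tags = [f"<script>{body}</script>" for body in inline_scripts]
    header = "script-src 'self' " + " ".join(sources) + "; object-src 'none'"
    return header, "\n".join(tags)
```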
6. Points to note
(1) script-src and object-src are required unless default-src is set.
As long as an attacker can inject a script, the other restrictions can be circumvented. object-src must be set because external scripts can be executed from Flash.
(2) script-src must not use the 'unsafe-inline' keyword (unless accompanied by a nonce value) and must not allow data: URLs.
Here are two examples of malicious attacks.
<img src="x" onerror="evil()">
<script src="data:text/javascript,evil()"></script>
(3) Special attention must be paid to JSONP callback functions.
<script
src="/path/jsonp?callback=alert(document.domain)//">
</script>
In the code above, although the loaded script comes from the current domain, an attacker can still execute malicious code by rewriting the callback function.
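One server-side defence against the callback problem, as an added example (mine, not from the article): the callback name is validated against an identifier pattern before it is echoed into the response, and the response is served with an explicit script content type. The pattern, the 64-character limit and the function name are assumptions.

```python
import json
import re
from typing import Optional

# Accept only a plain JavaScript identifier, optionally dotted (e.g. "app.onData").
# Parentheses, slashes and other punctuation, as in the article's payload, never match.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

def jsonp_response(callback: Optional[str], payload: dict) -> tuple:
    """Return (status, headers, body) for /path/jsonp?callback=...; reject anything
    that is not a bare callback name instead of reflecting it into script."""
    if callback is None or len(callback) > 64 or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",   # stop the browser re-interpreting the type
    }
    return 200, headers, f"{callback}({json.dumps(payload)});"
```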
7. Reference links
- CSP Is Dead, Long Live CSP!, by Lukas Weichselbaum
- An Introduction to Content Security Policy, by Mike West
(end)