Hacking Book | Free Online Hacking Learning


ruan yifeng's weblog

Posted by agaran at 2020-02-27

Cross-site scripting (XSS) is the most common and most harmful web security vulnerability.

Preventing it requires a lot of programming measures, which is very troublesome. Many people ask whether the problem can be solved at the root: can the browser itself automatically refuse to run malicious scripts injected from outside?

That is the origin of Content Security Policy (CSP). This article explains in detail how to use CSP to prevent XSS attacks.

1、 Introduction

In essence, CSP is a whitelist system: the developer tells the client explicitly which external resources may be loaded and executed, which amounts to supplying a whitelist. Enforcement is done entirely by the browser; the developer only has to provide the configuration.

CSP greatly improves the security of a web page. Even if an attacker finds an injection vulnerability, they cannot get a script to run unless they also control a trusted host on the whitelist.

There are two ways to enable CSP. One is the Content-Security-Policy field in the HTTP response header.

Content-Security-Policy: script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:

The other is through a <meta> tag in the web page.

<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:">

In the above code, CSP is configured as follows.

- scripts: only the current origin is trusted
- <object> tags: no URL is trusted, so nothing is loaded
- style sheets: only cdn.example.org and third-party.org are trusted
- frames: must be loaded over HTTPS
- other resources: no restriction, since no default-src is set

When enabled, external resources that do not conform to CSP are blocked from loading.

(The original post shows screenshots of the error messages that Chrome and Firefox print in the console when a resource is blocked.)

2、 Restriction options

CSP provides a number of restriction options, covering every aspect of security.

2.1 resource loading restrictions

The following options restrict the loading of each kind of resource.

- script-src: external scripts
- style-src: style sheets
- img-src: images
- media-src: media files (audio and video)
- font-src: font files
- object-src: plugins (for example Flash)
- child-src: frames and workers
- frame-ancestors: which pages may embed this page (via <frame>, <iframe>, <embed>, <applet> and so on)
- connect-src: HTTP connections (XHR, WebSockets, EventSource and the like)
- worker-src: worker scripts
- manifest-src: manifest files

2.2 default-src

default-src sets the default value for all of the options above.

Content-Security-Policy: default-src 'self'

The above code restricts every kind of external resource to the current origin.

If a specific option (such as font-src) and default-src are both set, the specific one takes precedence: font files follow the value of font-src, while every other resource type still follows default-src.

2.3 URL restrictions

Sometimes a page interacts with other URLs, and these can be restricted as well.

- frame-ancestors: restricts which pages may embed this page in a frame
- base-uri: restricts <base#href>, the base URL used for relative links on the page
- form-action: restricts <form#action>, the URLs that forms may be submitted to

2.4 other restrictions

CSP also includes some other security-related functions.

- block-all-mixed-content: an HTTPS page may not load HTTP resources (browsers already do this by default)
- upgrade-insecure-requests: automatically rewrite the HTTP links to external resources on the page to HTTPS
- plugin-types: restricts which plugin formats may be used
- sandbox: restricts browser behaviour, for example no pop-up windows

2.5 report-uri

Sometimes, besides preventing XSS, we also want a record of the attempt. report-uri tells the browser which URL to report injection attempts to.

Content-Security-Policy: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;

The above code specifies that violations are to be reported to the URL /my_amazing_csp_report_parser.


The browser sends the report to that URL with the POST method, as a JSON object. Here is an example.

{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/my_amazing_csp_report_parser"
  }
}

3、 Content-Security-Policy-Report-Only

In addition to Content-Security-Policy, there is also a Content-Security-Policy-Report-Only header. It means the restrictions are not enforced; violations of the policy are only recorded.

It must be used together with the report-uri option.

Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /my_amazing_csp_report_parser;
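As an added example (not code from the original post), here is a small Python parser for the report body shown in section 2.5, the kind of thing the endpoint behind report-uri would run for both Content-Security-Policy and Content-Security-Policy-Report-Only. The sample body is constructed from the page's own example; the field names and the sentinel blocked-uri values ("inline", "eval", "data") are the ones browsers send. The endpoint is reachable by anyone, so the parser treats the body as untrusted: it limits the size, requires the fields it uses, and keeps only the host part of blocked-uri so that query strings do not end up in logs.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the report body from section 2.5, as the browser
# would POST it to the report-uri endpoint.
SAMPLE_REPORT = b'''{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/my_amazing_csp_report_parser"
  }
}'''

# Values browsers put in blocked-uri when there is no URL to report
# (an inline script, an eval, a data: URL, ...).
SPECIAL_BLOCKED = {"inline", "eval", "data", "blob", "self"}


@dataclass
class CspViolation:
    document_uri: str
    directive: str        # directive name only, e.g. "script-src"
    blocked_uri: str      # host of the blocked URL, or a sentinel such as "inline"
    original_policy: str
    referrer: Optional[str]


def parse_csp_report(body: bytes, max_bytes: int = 64 * 1024) -> CspViolation:
    """Parse one POST body from report-uri into a CspViolation.

    The endpoint is unauthenticated and reachable by anyone, so the body is
    treated as untrusted: size-limited, strict JSON, required keys checked.
    Raises ValueError for anything that does not look like a CSP report.
    """
    if len(body) > max_bytes:
        raise ValueError("report too large")
    try:
        outer = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed report: {exc}") from None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for key in ("document-uri", "violated-directive", "original-policy"):
        if not isinstance(report.get(key), str):
            raise ValueError(f"missing or non-string field: {key}")

    # violated-directive carries the directive as written in the policy;
    # its first token is the directive name, which is what we aggregate on.
    tokens = report["violated-directive"].split()
    if not tokens:
        raise ValueError("empty violated-directive")
    directive = tokens[0].lower()

    raw_blocked = report.get("blocked-uri")
    if not isinstance(raw_blocked, str) or raw_blocked == "":
        blocked = "unknown"
    elif raw_blocked in SPECIAL_BLOCKED:
        blocked = raw_blocked
    else:
        # Keep only the host: the full URL may carry a query string or token
        # that should not be written to logs.
        blocked = urlsplit(raw_blocked).netloc or raw_blocked

    referrer = report.get("referrer")
    return CspViolation(
        document_uri=report["document-uri"],
        directive=directive,
        blocked_uri=blocked,
        original_policy=report["original-policy"],
        referrer=referrer if isinstance(referrer, str) and referrer else None,
    )


def is_script_injection(v: CspViolation) -> bool:
    """True for the violations CSP exists to catch: a script the policy did
    not allow, whether inline, eval'd or fetched from a foreign host."""
    return v.directive in ("script-src", "script-src-elem", "script-src-attr")


if __name__ == "__main__":
    v = parse_csp_report(SAMPLE_REPORT)
    print(f"{v.directive} blocked {v.blocked_uri} on {v.document_uri}; "
          f"script injection: {is_script_injection(v)}")
```

Reports arrive from every visitor's browser, including browser extensions and outdated clients that violate the policy on their own, so a real endpoint would aggregate by directive and blocked host before alerting rather than treating each report as an incident.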

4、 Option values

Each restriction option can be set to the following kinds of value, which together form the whitelist.

- host name: example.org, https://example.com:443
- path: example.org/resources/js/
- wildcard: *.example.org, *://*.example.com:* (any scheme, any subdomain, any port)
- scheme: https:, data:
- the keyword 'self': the current origin; must be quoted
- the keyword 'none': load nothing from any source; must be quoted

Multiple values can also be side-by-side, separated by spaces.

Content-Security-Policy: script-src 'self' https://apis.google.com

If the same restriction option appears more than once, only the first occurrence takes effect.

# wrong
script-src https://host1.com; script-src https://host2.com

# correct
script-src https://host1.com https://host2.com

If a restriction option is not set, any value is allowed by default.

5、 Special values of script-src

In addition to the normal values, script-src also accepts some special values. Note that the following values must be enclosed in single quotes.

- 'unsafe-inline': allows inline <script> blocks and inline event handlers on the page to execute
- 'unsafe-eval': allows strings to be executed as code, through eval, setTimeout, setInterval, Function and the like
- nonce value: each HTTP response carries a freshly generated token, and an inline script executes only if it carries the same token
- hash value: lists the hashes of the script code allowed to execute, and an inline script executes only if its hash matches

Here is an example of a nonce value. When the server sends the page, it tells the browser a randomly generated token.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

A script embedded in the page must carry this token, or it will not execute.

<script nonce=EDNnf03nceIOfn39fn3e9h3sdfa> // some code </script>

Here is an example of a hash value. The server gives the hash of the code it allows to execute.

Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='

The following code is allowed to execute because the hash values match.

<script>alert('Hello, world.');</script>

Note that the <script> tags themselves are not included when computing the hash.

Besides script-src, nonce and hash values can also be used in the style-src option, to control the style sheets embedded in the page.
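As an added example (not code from the original post), the following Python shows the two mechanisms from this section as the server would use them: generating a fresh nonce per response and emitting the matching header and <script> tag, and computing the hash-source for an inline script body. The only values taken from the page are the sample script alert('Hello, world.'); and its hash; everything else is this example's own. The comparison helper folds base64 and base64url together because the hash on the page is written in the base64url spelling, which CSP level 3 browsers also accept.

```python
import base64
import hashlib
import secrets
from typing import Tuple

HASH_ALGOS = ("sha256", "sha384", "sha512")


def make_nonce(nbytes: int = 16) -> str:
    """A fresh, unguessable nonce for one HTTP response.

    It must be generated anew for every response: a nonce an attacker can
    predict or replay is no better than 'unsafe-inline'.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def nonce_policy_and_tag(nonce: str, script_body: str) -> Tuple[str, str]:
    """The script-src value and the matching inline <script> tag."""
    header = f"script-src 'nonce-{nonce}'"
    tag = f'<script nonce="{nonce}">{script_body}</script>'
    return header, tag


def script_hash(script_body: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline script.

    The input is the text between <script> and </script> exactly as served,
    byte for byte (whitespace included); the tags themselves are not hashed.
    """
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def _fold_b64(s: str) -> str:
    # CSP level 3 accepts the hash in base64url form as well as plain base64
    # (the value on the page above is the base64url spelling), so compare
    # after mapping both alphabets onto one.
    return s.replace("-", "+").replace("_", "/")


def hash_allows(script_src_value: str, script_body: str) -> bool:
    """Does a script-src value containing hash-sources allow this script?"""
    for token in script_src_value.split():
        token = token.strip("'")
        for algo in HASH_ALGOS:
            prefix = algo + "-"
            if token.startswith(prefix):
                expected = _fold_b64(token[len(prefix):])
                actual = _fold_b64(script_hash(script_body, algo).strip("'")[len(prefix):])
                if expected == actual:
                    return True
    return False


if __name__ == "__main__":
    nonce = make_nonce()
    print(*nonce_policy_and_tag(nonce, "// some code"), sep="\n")
    print(script_hash("alert('Hello, world.');"))
```

The hash approach suits scripts that never change, since any edit to the inline body (even whitespace) requires a new header value; the nonce approach suits templated pages, provided the nonce is never reused across responses.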

6、 Points to note

(1) script-src and object-src are required unless default-src is set.

As long as an attacker can inject a script, every other restriction can be circumvented. object-src must be set because Flash plugins can execute external scripts.


(2) script-src must not use the 'unsafe-inline' keyword (unless it is accompanied by a nonce value) and must not allow data: URLs.

Here are two examples of attacks that those settings would permit.

<img src="x" onerror="evil()">
<script src="data:text/javascript,evil()"></script>

(3) Special attention must be paid to JSONP callback functions.

<script src="/path/jsonp?callback=alert(document.domain)//"> </script>

In the above code, although the loaded script comes from the current origin, the attacker can still execute malicious code by rewriting the callback parameter.
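As an added example (not code from the original post), the following Python linter applies the rules from section 4 (a directive written twice keeps only its first value; an unset directive allows everything), the default-src fallback from section 2.2, and points (1) and (2) above to a Content-Security-Policy value. The parser is deliberately small, enough for these checks rather than a complete CSP grammar, and the policy strings in the main block are the page's own examples. Point (3), the JSONP callback, cannot be found by reading the policy: it has to be fixed at the JSONP endpoint, by accepting only a plain identifier as the callback name.

```python
from typing import Dict, List, Optional, Tuple

# Directives whose missing value falls back to default-src (section 2.2).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "object-src", "child-src", "connect-src", "worker-src", "manifest-src",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_policy(header_value: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a policy into {directive: [sources]} plus the list of directives
    that were written more than once. Directives are separated by ';' and
    sources by whitespace; a repeated directive keeps its first value only,
    which is what the browser does (section 4)."""
    policy: Dict[str, List[str]] = {}
    duplicates: List[str] = []
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            duplicates.append(name)
        else:
            policy[name] = tokens[1:]
    return policy, duplicates


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """The sources that govern `directive`: its own value if set, otherwise
    default-src for fetch directives, otherwise None (nothing restricts it)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def lint_policy(header_value: str) -> List[str]:
    """Return the weaknesses sections 4 and 6 warn about, as plain findings."""
    policy, duplicates = parse_policy(header_value)
    findings: List[str] = []
    for name in duplicates:
        findings.append(f"{name} appears more than once; only the first occurrence takes effect")
    # Point (1): script-src and object-src must be covered, directly or via default-src.
    for directive in ("script-src", "object-src"):
        if effective_sources(policy, directive) is None:
            findings.append(f"{directive} is not set and there is no default-src: every source is allowed")
    # Point (2): no 'unsafe-inline' without a nonce/hash, and no data: URLs for scripts.
    script = effective_sources(policy, "script-src") or []
    if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: injected inline scripts and event handlers will run")
    if "data:" in script:
        findings.append("script-src allows data: URLs: a script loaded from data: is not covered by the host whitelist")
    if "*" in script:
        findings.append("script-src allows *: scripts may be loaded from any host")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': strings passed to eval, Function, setTimeout and setInterval are executed")
    return findings


if __name__ == "__main__":
    for value in (
        "script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https:",
        "script-src 'self' 'unsafe-inline' data:; script-src https://host2.com",
    ):
        print(value)
        for finding in lint_policy(value) or ["no findings"]:
            print("  -", finding)
```

Run the linter against the header your server actually emits (or against what Content-Security-Policy-Report-Only reports) rather than against the intended configuration; proxies and frameworks sometimes append a second copy of a directive, which the browser then silently ignores.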

7、 Reference link