Content Security Policy introduction
I blogged Content Security Policy about this a 2 year ago when it was still called 'Site Security Policy'. It started as a specification and an add-on, and turned into a patch a bit later. Finally it made it into Firefox 4 beta 1. I think CSP is the next web security revolution, so make yourself aware of how it works and the implications.
A simple example
- X-Content-Security-Policy: allow 'self'
A simple PHP example to see this in action:
- header("X-Content-Security-Policy: allow 'self'");
- A A CSP test
If the above code is opened in Firefox 4.0 beta1, the script will not execute, and a warning is added to the "Error Console" (in the Tools menu).
Not only does this header block inline scripts, it also blocks the following:
- eval(). This important for people using eval() to parse json responses.
- setTimeout and setInterval if the function is provided as a string.
- html event attributes (onclick, onload, etc.).
- All images, plugin objects (flash, quicktime etc.), audio, video, html frames and fonts not served from the same domain as the html page.
- XMLHttpRequest to domains other than the source domain.
Fortunately there are fine grained controls about what you want to allow from which domains. Here are some examples from the specification.
- X-Content-Security-Policy: allow 'self'; img-src *; \
- A A A A A A A A A A A A A Aobject-src media1.com media2.com *.cdn.com; \
- A A A A A A A A A A A A A Ascript-src trustedscripts.example.com
This example starts with "allow 'self'", allowing only content from the same domain. The "img-src *" rule allows images from any domain. "object-src: media1.com media2.com" allows tags to use files from media1.com, media1.com and the same domain as the html was served from. To learn more about these, I would recommend just taking a good look at the directives list in the specification.
Options and reporting
Truncated by Planet PHP, read more at the original (another 7000 bytes)