Two Tools To Get Your Content Security Policy In Shape

Content Security Policy is a key tool in the battle against cross-site scripting attacks. Unfortunately, a recent study from Google reveals that web developers are shooting themselves in the foot where CSP is concerned. A pair of new tools from Google — CSP Evaluator and CSP Mitigator — are intended to help developers get it right.

Content Security Policy allows web developers to control which assets a browser can load for a web page. Typically, web pages contain a number of JavaScript and CSS files, images, and other assets. Assets can be loaded from the site’s server, from a CDN, or from a third-party hosting service. Some assets, in particular JavaScript files, can load more files from other locations. A developer may have no idea exactly what is being loaded by their pages, which is not ideal for security.

Cross-site scripting attacks involve the injection of JavaScript into a page by a malicious third-party. If the developer has taken the usual precaution of escaping all user-generated content — which can be created via form elements, API calls, and URL parameters, among others — there’s no problem. However, it’s all too easy to mistakenly neglect to escape content, allowing an attacker to inject code that will be run by the browser of anyone who loads the page.

Content Security Policy prevents situations like this arising in two main ways. Firstly by only allowing whitelisted sources to load assets on a page, and, secondly, by disallowing inline JavaScript. There’s no point controlling which files can be loaded if an attacker can take advantage of cross-site scripting vulnerabilities to insert inline JavaScript. CSP substantially reduces the risk of a successful cross-site scripting attack.

Or at least it would if developers configured it right, but, as Google found, most developers are not using CSP correctly. In fact, many of them are disabling the prevention of inline JavaScript, which renders the whole exercise pointless.
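To make the two points above concrete (source whitelisting and the damage done by re-enabling inline JavaScript), here is a small policy linter written for this article. It is an added example, not code from Google's CSP Evaluator or CSP Mitigator; the rule names, messages and the sample policies are this example's own constructions. It parses a Content-Security-Policy header into directives and flags the mistakes the article describes: an 'unsafe-inline' in script-src with no nonce or hash to override it, a wildcard source, 'unsafe-eval', cleartext or data: script sources, a missing script-src/default-src, and an object-src that is not 'none'.

```python
"""Added example: a minimal CSP header linter in the spirit of CSP Evaluator.

The sample policies and all findings text are constructed for this example;
they are not output of Google's tools.
"""
from typing import Dict, List, Optional

# Source expressions that make browsers (CSP Level 2 and later) ignore
# 'unsafe-inline' in the same directive.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.

    Directives are ';'-separated, sources are whitespace-separated.
    Directive names are case-insensitive; source keywords keep their quotes.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, []).extend(tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the list governing `directive`, falling back to default-src.

    Returns None when neither the directive nor default-src is present,
    which means the browser applies no restriction at all.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings for the weaknesses discussed above."""
    policy = parse_csp(header)
    findings: List[str] = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("script-src: neither script-src nor default-src set, "
                        "so scripts may load from anywhere")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' lets injected inline "
                            "scripts run, defeating the XSS protection")
        if "*" in script:
            findings.append("script-src: wildcard '*' allows scripts from any origin")
        if "'unsafe-eval'" in script:
            findings.append("script-src: 'unsafe-eval' allows code execution "
                            "from strings via eval()")
        for src in script:
            if src.startswith("http:"):
                findings.append(f"script-src: {src} allows scripts over cleartext HTTP")
            elif src == "data:":
                findings.append("script-src: data: allows attacker-supplied script URIs")

    obj = effective_sources(policy, "object-src")
    if obj != ["'none'"]:
        findings.append("object-src: should be 'none' so plugins cannot be "
                        "used to execute script")
    return findings


if __name__ == "__main__":
    # Constructed sample: a policy that re-enables inline scripts.
    weak = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' https://cdn.example.com")
    for finding in lint_csp(weak):
        print(finding)
```

Running the block on the constructed weak policy reports the 'unsafe-inline' and object-src findings; a nonce-based policy with object-src 'none' produces no findings. The nonce/hash check matters because a policy that carries both 'unsafe-inline' and a nonce is the standard way to stay compatible with old browsers while modern ones ignore the unsafe keyword.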

CSP Evaluator is a new tool from Google that allows developers to visualise the effects of their site’s Content Security Policy. It’ll hopefully help developers choose secure content policies, and understand the inherent risk in disabling one of the main planks of a secure policy.

CSP Mitigator is a browser extension — currently available for Chrome — that lets developers apply custom CSP policies to their sites and web applications. As with CSP Evaluator, the extension helps developers to understand the consequences of specific policies and to identify parts of their application that might be impacted by a policy. Hopefully, the browser plugin will guide developers to the creation of secure policies that allow sites and apps to function as intended, without sweeping decisions like allowing inline JavaScript.

Thousands of developers have recognized that Content Security Policy is an incredible addition to their security toolkit, but many haven’t implemented it correctly. Together, CSP Evaluator and CSP Mitigator may contribute to creating a safer web by helping developers implement sensible CSP policies.

Matthew Davis is a technical writer and Linux geek for Future Hosting.
