Wednesday, September 19, 2012

User Specified Content Security Policy

Content Security Policy is a declarative policy that restricts what content can load on a page.  Its primary purpose is to mitigate Cross-Site Scripting vulnerabilities.  The core issue exploited by Cross-Site Scripting (XSS) attacks is the lack of knowledge in web browsers to distinguish between content that’s intended to be part of web application, and content that’s been maliciously injected into web application.
To address this problem, CSP defines the Content-Security-Policy HTTP header that allows web application developers to create a whitelist of sources of trusted content, and instruct the client browsers to only execute or render resources from those sources.  However, it is often difficult for developers to write a comprehensive Content Security Policy for their website.  They may worry about breaking their page by blocking unanticipated but necessary content.  They may not be able to easily change the CSP header for their site, which makes it challenging for them to experiment with policies until they find one that best protects their page without breaking site functionality.
UserCSP changes this!  A developer can now view the current policy applied to their site and create their own custom policy.  They can choose to apply their custom policy on the site, or even combine their policy with the website’s existing policy.  When combining policies, they have an option to choose from the strictest subset of the two, or the most lax subset.  They can locally test their site with the custom policy applied and tweak the policy until they have one that works.
The coolest feature of UserCSP is the Infer-CSP tab.  This feature can help a developer derive a usable and secure policy for their site.  By looking at the content the website loads, the add-on determines the strictest set of CSP rules it can apply to the site without breaking the current page.  The inferred policy is provided in the proper syntax for the CSP Header, so all a developer needs to do is start serving this policy for their site via the CSP header.
Please visit Tanvi's Blog on Mozilla for more information.