Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
reining in the web with content security policy

Reining in the Web with Content Security Policy Sid Stamm Brandon - PowerPoint PPT Presentation

Oct 23, 2022 •218 likes •609 views

Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla Mash-ups Anyone? But how do I stop malicious content? Content Injection DOM attacks and Defacement XSS All your page is belong to us!

  1. Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla

  2. Mash-ups Anyone? But how do I stop malicious content?

  3. Content Injection DOM attacks and Defacement

  4. XSS All your page is belong to us!

  5. Filtering is Hard! <DIV STYLE="background-image:\0075\0072\006C\0028'\006a \0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c \0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> <A HREF="h tt p://6&#9;6.000146.0x7.147/">XSS</A>

  6. Mutual Approval can be Expensive! may I? policy NO! may I? Really? ask bob NO! He said no.

  7. In-Band Policies are Dangerous! Javascript that polices itself? Is that like an application that tells you if it is a virus?

  8. Goals • Control of Site Content • Protection against XSS • Clickjacking Avoidance • Increased Security • Feasible Use

  9. Control of Site Content Document “Good” behavior... Suppress the “Bad”

  10. Grabbing the Reins • Content Rules & Regulations • Specify a “Normal Behavior” Policy • Catch and Block Violations <HTML> Content Policy Specify Rules Enforce Rules

  11. Part 1: Smooth Edges • Scripts served in files (not inline) - “javascript:” URIs - <tag on*=...> event registration - text nodes in <script> tags • Establish Code / Data Separation - eval(“foo”) and friends

  12. Part 2: Content Restrictions • Block requests for all resources ... unless explicitly allowed by a policy!

  13. CSP: Policies HTTP Response Header X-CONTENT-SECURITY-POLICY Directives to enforce listed within

  14. Speed Bump <meta http-equiv=....> ? • Designers may not have access to HTTP • Two entities want restrictions • Multiple policies?

  15. Speed Bump Intersecting Policies Given Policies P1 and P2: P e = {u | P 1 allows u AND P 2 allows u}

  16. Speed Bump <meta http-equiv=....> ? • policy in-band is too dangerous • Multiple header instances!

  17. CSP: Directives report-uri source directives policy-uri options

  18. CSP: Source Directives allow (default for these) img-src font-src media-src xhr-src script-src frame-ancestors object-src style-src frame-src

  19. Speed Bump • ‘self’ ... in pieces? https://‘self’:443 ‘self’://foo.com foo.com:‘self’

  20. ‘self’ ‘self‘ -> http://foo.com:80 bar.com:8080 -> http://bar.com:8080 http://foo.com -> http://foo.com:80 bar.com -> http://bar.com:80

  21. Speed Bump • Redirects http://foo.com http://bar.com http://duh.com

  22. Goals (revisited) • Control of Site Content • Protection against XSS • Clickjacking Avoidance • Only Increased Security • Feasible Use

  23. Goals (revisited) • Control of Site Content Expressive white-list policy language

  24. Goals (revisited) • Protection against XSS Only load scripts in external (whitelisted) files

  25. Goals (revisited) • Clickjacking Avoidance frame-ancestors

  26. Goals (revisited) • Only Increased Security Declarative syntax that can only reduce capabilities

  27. Goals (revisited) • Feasible Use (1) Built into Firefox nightlies (2) Deployed as patch for for Mozilla Add-Ons site (3) In progress for Wordpress http://core.trac.wordpress.org/ticket/10237

  28. Beneficial Effects • Content homogenization (mixed content control) • Data exfiltration (and CSRF) reduction • Violation reports = early alert

  29. CSP: Use Case 1 allow ‘self’ • Site wants all content to come from the same source (scheme, host, port)

  30. CSP: Use Case 2 allow ‘self’; frame-src ads.net • Site wants all content to come from the same source (scheme, host, port), except content in iframes may be served by a third-party advertising network.

  31. CSP: Use Case 3 allow ‘self’; img-src *; \ object-src *.teevee.com; \ script-src myscripts.com • Auction site wants to allow images from anywhere, plugin content from a trusted media provider network, and scripts only from its server hosting sanitized JavaScript

  32. CSP: Use Case 4 allow https://*.x.com; • Example site wants to force all content to be served via HTTPS on port 443, from any subdomain of example.com

  33. Wait! That breaks my site! • Good Option: convert your site • Less Good Option: disable parts of CSP

  34. Ramping Up • Disable some restrictions via options • Report-Only mode • “Writing a Policy” guide • “Converting your Site” guide • Maybe a policy recommendation tool?

  35. Wordpress

  36. Wordpress

  37. More Stuff • Specification: https://wiki.mozilla.org/Security/CSP/Specification • Nightly Firefox Now With http://nightly.mozilla.org CSP!!! • Progress: https://bugzilla.mozilla.org/show_bug.cgi?id=csp

Recommend

Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining

Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining

Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining Palaiseau Theoretical Spectroscopy Group Theoretical approaches to the many-body electronic problem: an introduction Theoretical Spectroscopy: aims

1.73k views • 111 slides
DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

863 views • 71 slides
Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A long way to get here What is a Web Service? What is a Web Service? What is a Web Service? Web Services Web Services Software service :

553 views • 33 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.22k views • 60 slides
Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Web performance

442 views • 22 slides
Web Content Audit Web Support Team Terminology Web content: is the textual, visual or aural

Web Content Audit Web Support Team Terminology Web content: is the textual, visual or aural

Web Content Audit Web Support Team Terminology Web content: is the textual, visual or aural content on websites. It may include: Text Images Sounds Documents videos and animations Content inventory is the

411 views • 14 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

778 views • 20 slides
Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years old Evolution of the Web The Future of the Web? THE SEMANTIC WEB The Semantic Web what is the Semantic Web? Semantic Web?

1.36k views • 99 slides
Web Mining Web Mining to automatically discover and extract information from Web

Web Mining Web Mining to automatically discover and extract information from Web

What is Web Mining? What is Web Mining? Web mining is the use of data mining techniques Web Mining Web Mining to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) 1 2 The Web The Web

470 views • 23 slides
Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web scraping The easy way, using web service APIs Well see examples of both. 2 / 9 Web Scraping Web scraping, a.k.a. screen scraping, means getting

486 views • 9 slides
Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon Mikhaiel Struts framework rimon@cs.ualberta.ca Example of workflow management. A Hello World Example Web Model 2 Web Model 1 Web MVC

612 views • 4 slides
Presenting 2D Web Content in XR TPAC 2018 Overview 2D Web Content in 3D XR - Background

Presenting 2D Web Content in XR TPAC 2018 Overview 2D Web Content in 3D XR - Background

Presenting 2D Web Content in XR TPAC 2018 Overview 2D Web Content in 3D XR - Background Rendering Context - Potential implementation paths forward - Open questions, concerns 2D Web Content in 3D XR Rendering Context Background - 2D

315 views • 13 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

719 views • 44 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice Network Security Network Attacker Intercepts and controls network communication

910 views • 44 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTML + HTTP CSS data request web server backend systems Chapter 18: 3 Web 1.0 Shorthand for web

465 views • 29 slides
1 Web Traffic Characterization Zipf Web Traffic Characterization Zipf [Breslau/Cao99] and

1 Web Traffic Characterization Zipf Web Traffic Characterization Zipf [Breslau/Cao99] and

Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Web performance Web Caching and Content Delivery Web Caching and Content Delivery

586 views • 4 slides
About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor, Analyst, Engineer, Architect Tech policy Instructor @DC_TOOOL Conference Organizer / Volunteer apporima.com @apporima api_security I

206 views • 17 slides
Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Introduction to the Infinity Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory Workshop on Smart Cities , 26 -27 Sep 2011, Paris Background and Overview of FI-PPP Supporting programmes that accelerate

187 views • 17 slides
W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific Audio Tips Todays audio is streaming to your computers speakers or headphones. Too loud or soft? Adjust volume level in the Audio broadcast

502 views • 38 slides
PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU Libraries Resources and Access by 6.30pm Mr Law Loo Shien (CMIL) 6.45pm Proceed to Programme Briefing (venues): Info Studies &amp; Knowledge Management

952 views • 22 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

432 views • 23 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.73k views • 132 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.32k views • 11 slides
Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011 What is a snippet What is a snippet # Why is it so important Why is it so important Search is ranking &amp; representation Bad snippets spoil good

359 views • 19 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.