Content Security Policy

CSP stands for Content Security Policy.

Is a W3C specification offering the possibility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification use “directive” where a directive defines a loading behavior for a target resource type.

This article is based on version 1.1 of the W3C specification.

Directives can be specified using HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation and a server may send different CSP header field values with different representations of the same resource or with different resources) or HTML Meta tag, the HTTP headers below are defined by the specs:

• Content-Security-Policy : Defined by W3C Specs as standard header, used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
• X-Content-Security-Policy : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
• X-WebKit-CSP : Used by Chrome until version 25

The supported directives are:

• default-src : Define loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback),
• script-src : Define which scripts the protected resource can execute,
• object-src : Define from where the protected resource can load plugins,
• style-src : Define which styles (CSS) the user applies to the protected resource,
• img-src : Define from where the protected resource can load images,
• media-src : Define from where the protected resource can load video and audio,
• frame-src : Define from where the protected resource can embed frames,
• font-src : Define from where the protected resource can load fonts,
• connect-src : Define which URIs the protected resource can load using script interfaces,
• form-action : Define which URIs can be used as the action of HTML form elements,
• sandbox : Specifies an HTML sandbox policy that the user agent applies to the protected resource,
• script-nonce : Define script execution by requiring the presence of the specified nonce on script elements,
• plugin-types : Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
• report-uri : Specifies a URI to which the user agent sends reports about policy violation

An introduction to CSP is available on HTML5Rocks. The browser support is shown on http://caniuse.com/#feat=contentsecuritypolicy

Risk

The risk with CSP can have 2 main sources:

1. Policies misconfiguration,
2. Too permissive policies.

Countermeasure

This article will focus on providing an sample implementation of a JEE Web Filter in order to apply a set of CSP policies on all HTTP response returned by server.

The policies will instruct the browser to have the loading behavior below using all HTTP headers defined in W3C Specs:

• Explicit loading definition of each resource type,
• Resources are loaded only from source domain,
• Inline style is not allowed,
• For JavaScript:
  • Inline script will be allowed because inline scripting is commonly used (can be disabled if target site does not use this type of scripting),
  • eval() function will be allowed in order to not break use of popular JavaScript libraries (ex: JQuery, JQueryUI, Sencha, …) because they use eval() function (it was the case last time I have checked the source code from CDN ;) ),

  The support for CSP directives is not the same level in major browsers (Firefox/Chrome/IE). It’s recommanded to check the support provided by target browsers (using site provided in link section of this article) in order to configure CSP policies. The sample below try to provide a set of policies from which your can add policies specific to your application context.

  This implementation provide an option to add CSP directives used by Firefox (Mozilla CSP directives).

  import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.ArrayList; import java.util.List; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.codec.binary.Hex; /** * Sample filter implementation to define a set of Content Security Policies. 
  * This implementation has a dependency on Commons Codec API. 
  * This filter set CSP policies using all HTTP headers defined into W3C specification. 
  * 
  * This implementation is oriented to be easily understandable and easily adapted. 
  */ @WebFilter("/*") public class CSPPoliciesApplier implements Filter  /** Configuration member to specify if web app use web fonts */ public static final boolean APP_USE_WEBFONTS = false; /** Configuration member to specify if web app use videos or audios */ public static final boolean APP_USE_AUDIOS_OR_VIDEOS = false; /** * Configuration member to specify if filter must add CSP directive used by Mozilla (Firefox) */ public static final boolean INCLUDE_MOZILLA_CSP_DIRECTIVES = true; /** Filter configuration */ @SuppressWarnings("unused") private FilterConfig filterConfig = null; /** List CSP HTTP Headers */ private ListString> cspHeaders = new ArrayListString>(); /** Collection of CSP polcies that will be applied */ private String policies = null; /** Used for Script Nonce */ private SecureRandom prng = null; /** * Used to prepare (one time for all) set of CSP policies that will be applied on each HTTP * response. * * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ @Override public void init(FilterConfig fConfig) throws ServletException  // Get filter configuration this.filterConfig = fConfig; // Init secure random try  this.prng = SecureRandom.getInstance("SHA1PRNG"); > catch (NoSuchAlgorithmException e)  throw new ServletException(e); > // Define list of CSP HTTP Headers this.cspHeaders.add("Content-Security-Policy"); this.cspHeaders.add("X-Content-Security-Policy"); this.cspHeaders.add("X-WebKit-CSP"); // Define CSP policies // Loading policies for Frame and Sandboxing will be dynamically defined : We need to know if context use Frame ListString> cspPolicies = new ArrayListString>(); String originLocationRef = "'self'"; // --Disable default source in order to avoid browser fallback loading using 'default-src' // locations cspPolicies.add("default-src 'none'"); // --Define loading policies for Scripts cspPolicies.add("script-src " + originLocationRef + " 'unsafe-inline' 'unsafe-eval'"); if (INCLUDE_MOZILLA_CSP_DIRECTIVES)  cspPolicies.add("options inline-script eval-script"); cspPolicies.add("xhr-src 'self'"); > // --Define loading policies for Plugins cspPolicies.add("object-src " + originLocationRef); // --Define loading policies for Styles (CSS) cspPolicies.add("style-src " + originLocationRef); // --Define loading policies for Images cspPolicies.add("img-src " + originLocationRef); // --Define loading policies for Form cspPolicies.add("form-action " + originLocationRef); // --Define loading policies for Audios/Videos if (APP_USE_AUDIOS_OR_VIDEOS)  cspPolicies.add("media-src " + originLocationRef); > // --Define loading policies for Fonts if (APP_USE_WEBFONTS)  cspPolicies.add("font-src " + originLocationRef); > // --Define loading policies for Connection cspPolicies.add("connect-src " + originLocationRef); // --Define loading policies for Plugins Types cspPolicies.add("plugin-types application/pdf application/x-shockwave-flash"); // --Define browser XSS filtering feature running mode cspPolicies.add("reflected-xss block"); // Target formating this.policies = cspPolicies.toString().replaceAll("(\\[|\\])", "").replaceAll(",", ";") .trim(); > /** * Add CSP policies on each HTTP response. * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain fchain) throws IOException, ServletException  HttpServletRequest httpRequest = ((HttpServletRequest) request); HttpServletResponse httpResponse = ((HttpServletResponse) response); /* Step 1 : Detect if target resource is a Frame */ // Customize here according to your context. boolean isFrame = true; /* Step 2 : Add CSP policies to HTTP response */ StringBuilder policiesBuffer = new StringBuilder(this.policies); // If resource is a frame add Frame/Sandbox CSP policy if (isFrame)  // Frame + Sandbox : Here sandbox allow nothing, customize sandbox options depending on // your app. policiesBuffer.append(";").append("frame-src 'self';sandbox"); if (INCLUDE_MOZILLA_CSP_DIRECTIVES)  policiesBuffer.append(";").append("frame-ancestors 'self'"); > > // Add Script Nonce CSP Policy // --Generate a random number String randomNum = new Integer(this.prng.nextInt()).toString(); // --Get its digest MessageDigest sha; try  sha = MessageDigest.getInstance("SHA-1"); > catch (NoSuchAlgorithmException e)  throw new ServletException(e); > byte[] digest = sha.digest(randomNum.getBytes()); // --Encode it into HEXA String scriptNonce = Hex.encodeHexString(digest); policiesBuffer.append(";").append("script-nonce ").append(scriptNonce); // --Made available script nonce in view app layer httpRequest.setAttribute("CSP_SCRIPT_NONCE", scriptNonce); // Add policies to all HTTP headers for (String header : this.cspHeaders)  httpResponse.setHeader(header, policiesBuffer.toString()); > /* Step 3 : Let request continue chain filter */ fchain.doFilter(request, response); > /** * * * @see javax.servlet.Filter#destroy() */ @Override public void destroy()  // Not used > > 

  Tools

  There’s a number of free tools that can assist with the generating, evaluation and monitoring of content security policy.

  It’s very useful to include these types of tools into a web application development process in order to perform a regular automatic first level check (do not replace an manual audit and manual audit must be also conducted regularly).

  • CSP Tester (browser extension) to build and test the policy for your web application.
  • CSP Generator for automatically generating policies (chrome/firefox extension).
  • CSP Evaluator for evaluating existing content security policies for security misconfigurations.
  • Csper report collector for monitoring a content security policy using report-uri.

  Information Links

  • W3C Specifications: CSP 1.0, CSP 1.1
  • Introduction to CSP
  • CSP browser support
  • CSP readiness browser testing
  • CSP Quick Reference

  The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.