CSP, SRI and CORS
Written on 13 February 2018, 09:10pm
Content Security Policy (CSP)
The modern browsers are able to interpret the
Content-Security-Policy HTTP header that defines which dynamic assets are allowed to load on a given website. Alternatively, the CSP content can be sent using
meta HTML tags.
// allow everything but only from the same origin: default-src 'self'; // allow JS but only from example.eu and from the same origin: script-src 'self' https://example.eu/myapp; // allow XMLHttpRequests but only from example.eu and the same origin: connect-src 'self' https://example.eu/myapp;
The amazing thing about CSP is the
Report-URI attribute, which will report the deviations from the policy to the specified URL:
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
One of the services collecting such reports is report-uri.com.
SRI is a very simple and effective concept: the modern browsers load a given asset only if its hash matches the one defined in the ‘integrity’ attribute.
So instead of doing this:
it’s recommended to do this:
or even better, link each version of the remote asset with its own URL and hash:
Cross-Origin Resource Sharing (CORS)
– a script on client.com wants to access some data from server.com (ex. XMLHttpRequest)
– by default, the same-origin browser policy blocks this request
– but by adding some special response headers, server.com can allow the script client.com to access the data.
The modern browsers have implemented a mechanism allowing scripts (like
XMLHTTPRequest) to make cross-domain requests. This is Cross-Origin Resource Sharing and it uses a relatively less used HTTP request method (
OPTIONS) plus several response headers (
Resources from Mozilla Development Network (MDN):
Over the weekend, hackers injected thousands of websites—including UK and US government sites—with code that hijacked visitors’ computers to mine cryptocurrency.
The attack, noticed on Sunday by security researcher Scott Helme, was pulled off by compromising a single plugin that was used by all of the affected sites: Browsealoud, a reputable suite of accessibility and translation tools. According to Helme, the plugin was edited by attackers to embed a script that uses a site visitor’s computer to do the complex math that generates new digital coins (in this case, Monero). This process, known as “mining,” can slow down the victim’s computer.
Cryptocurrency Mining Hack That Compromised Thousands of Sites ‘Could Have Been a Catastrophe’
Written by Dorin Moise (Published articles: 198)