
So I'm going to give an introduction to CSP, share some of our experience deploying CSP at Yahoo, and also introduce some tools which will probably be useful for you later when you work with CSP. So let's start: CSP, Content Security Policy. We can't really start talking about CSP without mentioning cross-site scripting. So what is cross-site scripting? Cross-site scripting is the execution of malicious code, injected by an attacker, on the victim's web page. I would say cross-site scripting is kind of the mosquito of the web: it can cause some annoyance and itching on the surface, but it can also become very dangerous. For example, if you have an XSS it can lead to credential theft: an attacker can set up a form, take your credentials and submit them to evil.com. Or they can read your emails, if the application is an email service. It can do malware distribution, it can do site defacement. There are a lot of things you can do with it. Many times it's okay, but at times it can get very dangerous.

So what is the primary reason? The primary reason is improper neutralization of input when it is rendered on a web page. That's the primary thing: you are taking input, and when you render it on the web page without neutralizing it, you get cross-site scripting. There are three different classes of cross-site scripting: reflected, stored and DOM-based XSS. Reflected XSS happens when you pass an untrusted input which the server takes, inserts into your web page and returns to the browser, and the code gets executed in your browser. That's reflected: you pass an input, it is reflected back to the browser and gets loaded in your web page. In the case of stored XSS it is very similar, but the input gets stored on the web server and inserted into different web pages. For example, if you are reading an article which supports comments, I put in a comment, and when you read the same article you can see the comment in that article. If that comment section is susceptible to XSS, then your code gets executed there.
In the case of DOM XSS the input directly manipulates the DOM on the browser side: you are taking the input and injecting it into your DOM, and that causes the DOM XSS. It has remained a top threat in the OWASP Top 10 list since its first publication in 2004, so it's been there for a while; we have known about this issue for more than a decade. So let's see what the remedies are. Since we have known about this problem for a long, long time, we have some remedies. The first thing is input validation and output encoding. Input validation: whenever data enters your application you need to make sure that the data is valid. For example, if you are taking a phone number as input, you have to make sure that you only accept numbers and perhaps some optional hyphens, something like that; you make sure that it is validated. The other thing is output encoding, and the whole thing about XSS is related to output encoding. Output encoding is: you are taking input and placing it into HTML, and when you place your content into HTML the context matters. The context where you place it in the HTML is very important. For example, if you are placing the data into an HTML context then you need to do HTML encoding, whereas if you are placing the data into a JavaScript context you need to do JavaScript encoding. That's why I said improper neutralization is the main thing about cross-site scripting, and I hope we can completely solve it if you are really doing the output encoding.

The second thing is whitelisting trusted contents and tags. If you are a publisher then you depend on a lot of content from third parties, or you need to put a lot of tags on your site, so one way is to whitelist based on some security review and also some legal agreement that exists between you and the third party. The third one is isolation, because in many cases we cannot really control the input or the data; in that case we isolate using frames. For example, when placing ads, you place the ad in a separate SafeFrame, and that way your application is not affected by displaying the ads.

This is a graph of CVE-disclosed XSS vulnerabilities for the last 15 years. You can see that XSS is still prevalent; it hasn't really been reduced over the last 15 years, and at least for the last ten years there are a lot of CVEs disclosed. So now you understand that with all these remedies we still have this problem. So what is CSP, Content Security Policy? It's an additional layer of protection. It is not going to replace the existing traditional remedies or
mechanisms, because you still need input validation, you still need output encoding; this is an additional protection which prevents the vulnerability from being exploited. It won't fix the XSS, it just prevents it from being exploited. So let's look deeper into CSP. CSP is a browser mechanism that allows you to whitelist the locations from which your application can load resources. CSP is completely backward compatible, in the sense that even if your browser has not implemented CSP it is not going to have any side effects; it won't work, but it won't have side effects either, so that's a good part. You can specify a policy on a web page with a CSP HTTP header, something like below:

Content-Security-Policy: default-src example.com

This is the name of the header, Content-Security-Policy, and this is called a directive. This one is default-src, and it says that this application can only load resources from example.com. Your application can have a lot of resources: images, iframes, scripts, stylesheets, all kinds of resources which are part of the application. Now we are whitelisting this domain as the only one from which you can load resources. If you try to load a resource from a domain different from example.com, that is a violation; the browser will trigger a violation and it gets reported back to your endpoint, if you have specified one.

Now let's talk about policy delivery: how are the policies delivered? There are two primary mechanisms through which you can deliver the policy. The first is that you can use an HTML meta tag to specify the Content Security Policy. If you are using the meta tag, it should be placed at the top of the HTML page. One thing I really want you to notice: Firefox has not implemented the meta tag feature, so the recommendation is to use it only for testing, and for real production use you should always use the HTTP header. The second mechanism is delivery using the HTTP header. There are two modes of operation in policy delivery. One is Content-Security-Policy, that is enforce mode: you are specifying a policy, and if the browser finds a violation it is going to block it completely. There's another mode called report-only mode, Content-Security-Policy-Report-Only, which is basically used for monitoring. It's kind of a dry run; it's not going to block anything. So let's say you want to try out CSP on your application; the report-only mode is probably a good way to go, because it is very easy for you to convince the product owner that there is not going to be any kind of malfunction just by enabling it, because the dry run is not going to block anything, but you still can learn a lot of information by setting it up in report-only mode.
I'll show you an example. Here is the page I am trying to protect, test.html, and I'm going to apply this CSP policy: default-src 'self', with a report-uri. So there are two directives here: one is default-src, the other is report-uri. What does it mean? 'self' means you can load resources only from the protected resource's origin; essentially, 'self' means the origin of your protected resource, example.com. The report-uri is the endpoint where the browser or user agent sends reports if it finds any violations. Let's see what happens. You open this page in your browser, and you can see an image which is loaded from a location that is different from 'self', that is, different from the page's origin. So you definitely expect a violation, because this page is trying to load a resource from a location which is not whitelisted in the policy. When you try to load it, it throws a violation error, which you can see in the web console. This is the overall idea and this is how it works. Now, when the browser encounters a violation it sends a violation report if you provided a report-uri. Let's look at the violation report and how it looks.

The violation reports are in JSON format and the fields are kind of self-explanatory, but I'll go over them. document-uri is the URI you are trying to protect, the web page where you placed your CSP policy. referrer is the regular referrer: what referred to this document URI, if it exists; otherwise it is empty. blocked-uri is the one getting blocked because it is not in the whitelist. violated-directive is the directive which was applied and found to be violated. There is also effective-directive; I'll talk about that in a few minutes, because we need to talk about resource-specific directives first. original-policy is the one you set in the CSP header. This is very interesting, because we encountered cases where original-policy is actually the policy as seen by the user agent, and many times it is not the same as the policy we set, because the policy at times gets modified by some browser extension. So you expect this policy to be the same as the one you set in the headers, but that might not always be the case; at times we observed that it differs. So that's a very useful field.

Now we'll talk about Content Security Policy directives. A CSP policy consists of a set of directives.
Each directive corresponds to a specific resource type. For example, script-src is the directive which controls what JavaScript resources you can load; script-src directly corresponds to the script tag. Essentially script-src contains a set of whitelisted locations from which you can load and execute scripts. The same with img-src, which restricts where you can load images from, and the same for media-src, which corresponds to the audio and video tags in the HTML, so you can control audio and video and their associated text tracks. child-src determines what iframes you can put in your HTML: you whitelist the domains or locations from which you can have iframes. connect-src is the AJAX thing: you can whitelist the places to which you can make AJAX calls, and it is also used for EventSource, that is the push notification thing, and for WebSockets. So it's fine-grained, and you can use all these directives to have fine-grained control over where you can load resources from. Then there is something called default-src: if you don't have a resource-specific directive, it falls back to the default-src directive. So if any of these directives are missing, it will fall back to default-src.
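As an added example (not code from the talk): a simplified CSP source-expression matcher showing how a resource type resolves to its directive, falls back to default-src when that directive is absent, and how 'self', scheme, host, wildcard, port and (CSP 2) path sources are matched. The policies and hostnames are constructed. It is deliberately strict about scheme (a source written without a scheme must match the page's scheme exactly, which is a simplification of the spec), and it also covers the same-origin quiz and the CDN path advice that come later in the talk.

```javascript
// Added example, not from the talk: a simplified CSP source-expression matcher
// with default-src fallback. Constructed inputs; scheme handling is simplified.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function portOf(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// "default-src 'self'; script-src cdn.example" -> { 'default-src': ["'self'"], ... }
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression allow `url` for a page at `page` (both URL objects)?
function sourceMatches(expr, url, page) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") {
    // same origin: scheme, host and port must all agree
    return url.protocol === page.protocol && url.hostname === page.hostname && portOf(url) === portOf(page);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source such as "https:"
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  if (expr.startsWith("'")) return false;               // 'unsafe-inline', nonces, hashes: not URL sources
  // host-source: [scheme://]host[:port][/path], host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Simplification: without an explicit scheme the page's scheme is required.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : page.protocol;
  if (url.protocol !== wantScheme) return false;
  const h = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!h.endsWith(host.slice(1).toLowerCase())) return false;   // "*.cdn.example" excludes cdn.example itself
  } else if (host !== '*' && h !== host.toLowerCase()) {
    return false;
  }
  if (port) {
    if (port !== '*' && portOf(url) !== port) return false;
  } else if (portOf(url) !== DEFAULT_PORTS[wantScheme]) {
    return false;                                        // no port in the source: default port only
  }
  if (path) {
    // CSP 2 paths: a trailing slash whitelists a prefix, otherwise the exact path
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Which directive governs this resource type? Fall back to default-src; null
// means the policy says nothing about it and the load is unrestricted.
function effectiveDirective(policy, directive) {
  if (policy[directive]) return directive;
  if (policy['default-src']) return 'default-src';
  return null;
}

// Decide whether a page at `pageUrl` under `header` may load `resourceUrl` as
// `directive` (e.g. 'script-src'). Returns { allowed, directive }.
function checkLoad(header, directive, pageUrl, resourceUrl) {
  const policy = parsePolicy(header);
  const eff = effectiveDirective(policy, directive);
  if (!eff) return { allowed: true, directive: null };
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl, pageUrl);
  return { allowed: policy[eff].some((expr) => sourceMatches(expr, url, page)), directive: eff };
}
```

Worth noticing in the results: with default-src 'self' a script from the same host over http, on another port, or from a different domain is refused, exactly the cases the quiz later in the talk walks through; and whitelisting https://cdn.example/myapp/ rather than the whole CDN host is what keeps other tenants' assets on a shared CDN out of your whitelist.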
We have more directives. One is base-uri, where you can whitelist the document base URLs, and another is form-action. Most of the things here are actually part of CSP 2; I'll talk about CSP 2 soon. form-action controls where you can submit your forms. Initially, with CSP 1, you could still exploit a page with CSP by putting in a form which looks exactly like your login page, accepting a username and password, and submitting it elsewhere. With form-action you control where a form on the CSP-protected page can be submitted to. The second one is frame-ancestors; this is also part of CSP 2. It's very useful and important because you have probably heard about clickjacking and you use X-Frame-Options. This is an alternate way of specifying who can frame your page. It's a very useful tool, and actually it duplicates or overrides X-Frame-Options, so going forward, if you are using X-Frame-Options, this is probably a good option. plugin-types is also part of CSP 2. Here we control what kind of plugins you want to support, for example Flash, Microsoft Silverlight, PDFs; you whitelist what you really want. You have seen a lot of Flash vulnerabilities and all those things, so if you want to disable Flash you just leave it out of your whitelist, and that way Flash won't get played on your web page. The sandbox directive is very similar to the iframe sandbox attribute: it puts some restrictions on what you can run in your iframe, by creating a unique origin and restricting JavaScript, restricting form submission, things like that. report-uri specifies the URL to which user agents send reports about policy violations.

Now keywords. There are certain keywords I already introduced, like 'self', so you have some idea about what
keywords are. We have more keywords; I'll go over the other keywords. The first one is 'none'. If you set, for example, default-src 'none', that means your application is self-contained and you cannot make any external requests. So if your application is completely self-contained, this is a very good option. 'self' essentially restricts access to the application's own origin: you cannot load resources from a location outside the application's origin. 'unsafe-inline' is interesting. CSP by default does not allow inline script and style. What is inline script? Inline script is mixing JavaScript or style within the HTML. It is disallowed for a security reason which I will explain in the next few slides. 'unsafe-inline' basically relaxes that restriction and allows you to have inline script. The reason you may need to allow it is that there are a lot of legacy applications which have inline JavaScript, so at least to start you probably need to relax the restrictions, and for that you need to use 'unsafe-inline'. In the same way, we don't allow eval, setTimeout with code strings or the Function constructor; 'unsafe-eval' relaxes that restriction. There are many cases where your application depends on some third-party framework which may use these functions internally; even if it is used in a safe manner, it will throw an error, so this relaxes those restrictions. The wildcard, '*', as you know, means that default-src * is essentially the same as having no Content Security Policy at all.

We'll go over CSP versions and browser support. We have two major revisions of CSP: CSP 1 and CSP 2. CSP 1 has been released and available since 2012 and is available on all modern browsers, including Chrome, Firefox, Opera, Safari and Edge; there is very limited support on IE. Most of the basic directives are part of CSP 1. CSP 2 was released very recently, a couple of months
back, and it added all the interesting directives such as form-action, frame-ancestors and plugin-types, which are all very useful, and it also deprecated frame-src in favor of child-src. Browser support for CSP 2 is available in Chrome, Firefox and Opera, and it is not available right now in Safari and Edge. Now let's look at some examples. Here you have a policy set on a page at example.com, and the policy says default-src 'self', meaning all resources must come from the same origin, and now you are trying to load a JavaScript file. Tell me whether this is a violation or not. Can you take a guess, yes or no? Correct, there is no violation here. What about this one? No, that's correct. What about this one? Yes, HTTP, that's correct. And what about this one, is it going to fire a violation? Yes, it is going to fire a violation because the domain is different. What about this one? Yes, because the port is different.

All right, I mentioned 'unsafe-inline', so why does CSP not allow inline JavaScript? I'll explain. Let's say you have a PHP script which takes user input and inserts it into your page. That's what is
happening: you have an endpoint which takes username=something, and this is your PHP script. You can see it accepts the input and places it into the HTML code generated by the PHP. Actually this is vulnerable, because you are not really validating the input; the PHP is blindly taking the user input and placing it into the HTML. Now here is the HTML file generated by the PHP script, which gets loaded in your browser. Now, how can the browser distinguish a legitimate JavaScript from an injected JavaScript? It is almost impossible to identify unless you give some clue, correct? So that's the problem with inline JavaScript: for browsers it is very difficult to identify or differentiate between these two scripts, because this one is the legitimate script and this one is the injected script, and it's very hard to figure out which is good and which is bad. That is the problem with inline JavaScript.

How can we solve it? The recommended practice is to externalize inline JavaScript and style: you pull out the JavaScript and put it into a separate file. But the problem is, for an existing application this may involve significant effort, because there will be a lot of pages which have inline code, and in addition some people argue that you still need to keep some inline JavaScript, mainly for performance and page load latency, things like that. In that case you probably won't be able to completely externalize all the inline JavaScript and CSS. So what are the other solutions? Another solution is 'unsafe-inline', which means you are relaxing the restrictions. You have seen on the previous page what can happen by relaxing it: this is the primary way of exploiting XSS and you are loosening it up, so that reduces CSP's effectiveness. Solution three: CSP 2 introduces script whitelisting features. There are two types of script whitelisting: one is nonce-based and the other is hash-based. The whole idea is to distinguish the valid JavaScript from the injected JavaScript, and that's what we are doing using script whitelisting.

The first option is the nonce. Inside the script tag you put a random nonce as an attribute, and you put the same nonce in the HTTP policy and pass it along. The attacker cannot do this, because they cannot add this random nonce to the CSP header, and that way the attacker cannot exploit it. The problem here is that for every page generated we need to create a new nonce, so depending on your site architecture it may or may not be possible. The other option is hashing. With hashing you take the script, create a hash, and stick that hash into the CSP policy; that way you whitelist the script. The problem here is that every time you make changes to your JavaScript you need to recompute the hash and place it in the CSP header. Here is how the hash is computed: you take the content of the script, create a SHA-2 hash of it, such as SHA-256, and base64-encode it, that's it.

So what are some of the common attacks and how can CSP help mitigate them? The first thing is cross-site scripting. CSP prevents cross-site scripting from being exploited; however, it does not
fix the cross-site scripting, so you really need to differentiate between these two. You still need to use the common remedies I mentioned, like input validation and output encoding; this is an additional layer of protection. It is also helpful against unapproved third-party beacons, tags and content. You probably add some trusted third-party tags in your application, right? You can use CSP to whitelist those tags, and in that case it will stop those third parties from piggybacking fourth-party tags. So it's a very good tool, and you also have stricter control over what these tags can do on your site. Packet sniffing is a very interesting one: you can also use the CSP policy to enforce HTTPS and completely remove the mixed content warnings, things like that. For clickjacking, use frame-ancestors to specify the valid parents, that is, who can frame your page. For example, you don't want someone to frame your login page, right? So this is an alternate option to X-Frame-Options, which you are probably aware of. The next one is blocking unwanted plugins: if your application accepts some plugins, and you are certain that you only accept certain types of plugins, for example I only accept PDFs and no other plugins, then you can whitelist those plugin types, and that way you reduce the attack surface.

Now, if you want to deploy CSP you also need to understand some browser behavior. The first thing is feature completeness. We have CSP 1 and CSP 2, and not all browsers support CSP 2. For example, if you want to use frame-ancestors, that is part of CSP 2, which is not supported in all browsers, namely Safari and Edge. So you need to be aware that support is not one hundred percent. Then there are implementation disparities: we have a standard, but the implementation varies slightly between browsers. For example, for 'unsafe-eval' in Safari, even though it flags a violation, it won't send a violation report to the report-uri, things like that. So there are some disparities, some minor differences between implementations of the policy on different browsers. Mobile browsers, including tablets, are behind compared to their desktop counterparts: most of them support CSP 1, but even Chrome and Opera on mobile don't have CSP 2 support yet, at least when I tested last time.

Now we get into another section, CSP deployment. So now we have learned about CSP and now we are going to deploy it. This is kind of how you start. Most people have trouble with the
initial policy, because they don't know what the initial policy should be. The recommendation is ideally to identify the domains you trust and whitelist them, and you can come up with a policy something similar to this; it's just an example, you put your trusted domains, your whitelisted domains, here along with this. This is kind of an initial policy you can start with. So now, how do you test it? One way is to make changes to the application and test it, but that is time consuming and takes a lot of effort. You can test CSP without making any code changes: there are some browser extensions available to test this. One of the testing tools is Caspr, written by my coworker Stuart Larsen; it's a very good tool. You can test the policy, so let's see how we can test it. What you do is go to the Chrome store, install Caspr, then get into the page where you want to apply the policy, open Caspr and put your policy in it. What it does is, whenever you visit the page again, this policy will be applied to that page. Now you go to your favorite application, I chose Gemini at yahoo.com, and this policy will be applied to the page, and if you go to the web console you can see some violations. I'll take two violation examples. Here it says "Refused to load the script": this page is trying to load a script from this location. How do you fix it? There are two ways: either you whitelist this domain in your policy, if you trust this domain or location, or the other option is to take the JavaScript and put it on the same domain. That's how you solve the problem. The next one is "Refused to execute inline script because it violates the following CSP directive"; that's the inline JavaScript violation. How do you solve that? We already talked about how you solve inline JavaScript: you either externalize the inline JavaScript, or you can use nonce- or hash-based whitelisting, and the third option is to relax the whole restriction by putting in 'unsafe-inline', which is not recommended, but that way you can remove this violation. So this is kind of rinse and repeat: you need to do this rinse-and-repeat effort for some time until you come up with a policy. Once you have the policy you can deploy it in production.

So let's talk about how we can deploy it in production. The way modern applications are built is using CI/CD: you check in your code, it gets built as part of the CI/CD process, it also goes through some testing and finally gets deployed into production. That's a typical flow these days for all modern applications. There is another tool called CSP validator. It's a useful tool, basically to detect a kind of misconfiguration: when the page has got out of sync with the policy, so the policy and the page are different things. Say you are setting a policy and then you are adding some more content into your page; this tool can actually detect that. It basically tries to load the page, applies the policy and looks for any kind of misconfiguration, and it will stop the build, and the developer has to fix it before it can continue. It is not for detecting attacks; this tool is mainly used to detect any kind of misconfiguration in a page before hitting production. It's very useful, and it's a very simple tool, a PhantomJS-based script: it just takes the URL, applies the policy and spits out whether there is any kind of violation or not.

So you're deploying your application to production; now what's next? Your users access your application. Let's say your application contains some kind of web vulnerability
and an attacker is trying to exfiltrate data to evil.com. What will happen? I assume you have a relatively restrictive policy; that means the browser will stop the XSS from exfiltrating data to evil.com, and it also reports a violation, and the violation will be reported to the endpoint you specified in the report-uri. At the report-uri you can do some kind of analysis, but it's very challenging; I'll describe shortly why it is very challenging. Ideally you get the report and use it to identify an injection attack, a content injection attack happening in real time, and you can practically fix it. But in reality what we encountered is that our whole reporting endpoint got clogged with browser extension violations. Then we thought, let's look into it. We chose one browser extension and tried to install it, and this is what it says: this extension can read and change all your data on the websites you visit. This is a Chrome warning, actually. So essentially the extension can do everything. One thing I really want to say about extensions: they have more privileges and permissions compared to the regular page on your host. This is code which I got as part of the extension's JavaScript. You can clearly see that this file runs on every web page, and all it does is inject a script tag into the body, so basically they are injecting some JavaScript into every page you visit. This is code from the extension. Now what I am doing is visiting a web page, and I'm going to use the CSP tester on it; the CSP tester already contains a policy. Here I open the web console and you can see that the script I mentioned in the previous slide actually got injected into the web page. This won't trigger any violation, because by default CSP exempts browser extensions; that's the reason it won't complain about it. However, here you can see that it is trying to load a script from outside. So there are two things here: one is injecting the code, which won't fire any violation, but the next thing is that it tries to load a script from a different location, which is different from 'self', and that will fire a violation. You can see here: CSP directive default-src 'self', refused to load the script. That's how we are getting a lot of extension violations: the injected script tries to load some external script into the DOM, and that actually fires the violation.

To sum up: extensions are considered part of the trusted computing base; they are considered part of your browser itself. So they can interfere with your application by injecting ads. Injecting ads is a big problem, because when you visit a site, this ad-injection extension can put ads on top of the page without the site operator's permission, and sometimes they overlay or just replace the actual ad with their ads, all sorts of things. The other one is malware and exfiltration of user information; in the past we have seen Chrome extensions which were stealing user credentials. And it can even alter the CSP header itself; that's another thing. Whatever CSP header you set, it can actually modify it, so that's another interesting thing. And even if you are installing some benign extensions, they may contain XSS vulnerabilities; even if the extension is vetted, that doesn't mean that everything is good, because it may also contain XSS vulnerabilities, and it is much more severe if you have an XSS in an extension, because extensions run in a higher privileged mode compared to a regular web page and can access all the web pages you visit. And they generate a large volume of CSP reports, which basically clogs reporting endpoints, and because of this large volume, detecting injection attacks has become extremely hard, because it is very hard to distinguish a browser extension violation from a real injection attack.

This is the distribution of CSP violations by resource type. You can see most of them, fifty-eight percent of the reports, are violations of script-src; the next one is AJAX calls, connect-src, and the third one is frames. It's a general distribution of resource-specific violations; the source is Yahoo Mail, which we ran in report-only mode for some bucket of users, and we receive millions of reports every day.

I talked about CSP; now, what is the not-so-good side of CSP? You really need to understand, when we talk about CSP
is good for Conda injection attack so it is partially true because it is mostly for cross-site scripting but it won't solve other content injection problems like sequel injections shell explode shell like sick or other server side injections so you need to really understand the limitation because you cannot do anything on this and loose policies make it CSP less effective especially if you are doing unsaved you al those kind of things or you only specify a white-white least for only certain resource type that means that also make it less effective and the browser extension they can override CSP policy they can essentially modify your CSV policy added more remove it all sort of things so so is less effective
against malaysia extension so if the extensions of it is smart they can actually remove the extension of CSP you head or together in that way you probably not even getting any violation reports it's an arms race kind of thing so right now we are getting a lot of reports maybe the extension they may become more smart then started removing the CSP headers and in that case you probably have no clue about what is happening with their application when it running on the browser so whitelisted locations are fully trusted so so you if you are a if you are operating a large website then probably need to use some Syrians right Syrians are kind of a shared
infrastructure share lot of assets owned by different different companies right so so now if you white Lisa CDN that means you're white listen hold them in depending upon the way you at least it can be dangerous because we just say CDN calm or start or CDN calm that means all the contents is part of the CDN you are trusting but actually you cannot trust that so you need to really aware of that and use a mechanisms like if you have a separate sub domain the CDN that you need to say the sub domain or CDN com or you can also use path mechanism to isolate and protect your assets so let's talk about CC best practices so the
first thing is made in code hygiene so you need to externalize the JavaScript and style out of HTML and keep it a separate files and use JavaScript even handler rather than embedding into HTML and second one is automation automation helps you a lot because when Co HTML file go out of sync then geez a tool you can use this to detect it for example down the line you have policy everything works fine down the line and for add some HTTP content but actually you bro your application is everything on HTTPS so this application candy typing set content warnings or you are adding some third party tags without whitelisting the csb this tool can detect that always use stricter policies
Use the HTTPS scheme always; that way you make sure your application is entirely on HTTPS. The other day somebody was asking what the difference is between this and HSTS: HSTS is mainly applicable to a particular domain, but if your page loads a lot of resources from multiple locations that may not have HSTS, then HSTS won't be effective there. Use paths. Path is a feature added in CSP 2 and it is a very useful tool, because especially if you are using some CDNs, you can restrict the whitelist based on the path; in that case only the assets loaded from that path are whitelisted, and any other asset, for example example.com/something-else, is not whitelisted. So it's a very useful tool. Avoid wildcards where possible, because the same way as in the CDN case, like *.cdn.com or *.tumblr.com, you can have any kind of subdomain, and there are many cases where that is not a good idea. Always enable reporting, even in enforce mode. That is also very important, because that's how you learn how your application works in the browser: you expect your application to work in a certain way, but in reality it is probably completely different. One other thing: let's say you have a dependency on a JavaScript framework which is hosted somewhere else, and that pulls another JavaScript from somewhere else; it's a kind of chain reaction, where one script loads another script and so on, and you absolutely have no idea how the application is behaving. So CSP with reporting can really help you understand how your application works.

With CSP, what else can you do? We found that we are getting a lot of violation reports, so one thing you can do is scan the violation URLs for malware. That's another interesting thing: you can use VirusTotal or some other tools, pass the URL, and see whether it is hosting any kind of malware; that way you can detect whether your user is compromised or not, or at least get some idea about that. Another thing: you can probably use it to detect injection attacks in near real time. If some content injection attack is happening, you can detect it if you have a reporting endpoint enabled, but that is very challenging right now because a lot of violation reports come from browser extensions, so it is hard to distinguish a real injection attack from browser extension violations. And threat intelligence: you can use it as a kind of company-wide threat intelligence, you can use the IPs and URLs for other purposes.

So I'll talk about CSP testing tools. csptester.io is a tool which you can use to test your policies across different browsers, and it can also be used to learn how CSP works. It is a very useful tool which we developed and open-sourced, so I recommend you take a look. The other one is the CSP Validator: you can use it, modify it in whatever way, and deploy it in a CI/CD pipeline, and it will check for any kind of CSP misconfiguration. The Chrome browser plugin is also a useful tool if you want to initially come up with some policy: you can create a policy without making any changes to your application, and it can do much more than that.

So I will give you a brief demo of csptester.io to show you how it looks and how it works. This is the app: you can place your HTML code here and you can put your policy here, and what will happen is your HTML will be rendered with the CSP policy applied. You don't have to really write HTML code; there are a lot of pre-written tests available. If you go to the web CSP tests, there are a lot of tests available for both CSP 1 and CSP 2. If you want to just learn how CSP works you can select one, like this one here, and that will put the CSP test content here. What you can do is put the policy here. The CSP policy in this case is default-src 'self', which means your application is self-contained, but if you look into the application you can see there are some external links, so let's see how it works. I'm going to submit it; it will open a new tab and render that HTML page in a frame, and it will also have another frame which basically reports all the violations. It's a very useful tool, because if you have a developer web console you can test there, but there are many cases, like the mobile web, where an Android web console probably won't be available; in that case this is a very useful tool where you can just open it on your mobile and see how it works. And you can very easily find out which feature is supported in which browser: you just open it in your favorite browser and see how it behaves. There are a lot of CSP 2 tests here as well, so frame allowed, frame blocked, and here you can see image allowed, image blocked.
So please take a look; it's a very useful tool, you can learn from it and also test on different browsers and see how they behave. The next one is the CSP Validator. I will show you how it works: it is a PhantomJS script, so I'm going to run the PhantomJS script and see. OK, so this CSP Validator I am just running on the URL csptester.io, which carries a Content-Security-Policy of 'self'. Let's see how it goes. You can see here there are no violations, and let's check what it is returning: it's returning zero, which means there are no violations and it is good to go. So if you are setting this up in CI/CD, when you get a 0 that means you are good and you can continue with the other tests. Let's try with some other CSP test. I'll try applying this one; I am running a test which actually generates some violations, it is the same test, so I am taking the URL and placing it here. OK, some shell problems; essentially it is returning 0. So now I am running it with a page that contains violations, let's see how it works. You can see here there are three violations: here is a violation with the blocked URI, here is another violation, and another violation, and it actually returns 2, which means there are some violations. All these violations you can see here in the web page. So it will detect the violations and report them; this is very good if you want to detect any kind of misconfiguration. All right, so that's all about the demo.

Now to summarize: CSP works great for forcing content to HTTPS. If you want to make sure to clear out all the mixed content warnings, if you are an HTTPS shop, then you can use CSP to make sure all your content is on HTTPS; that's very effective. The next one is protection against clickjacking: frame-ancestors is a very useful tool to use against clickjacking, and it's not going to cause any other issues. And the ability to exclude unwanted plugins: plugins like Flash, or Microsoft Silverlight, if you don't want to run them you can exclude them, or allow only the plugins you really support, like PDF for example.
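To make the best practices from this talk concrete (pin the https:// scheme in host sources, whitelist CDNs by path, avoid wildcards and 'unsafe-inline'/'unsafe-eval', set frame-ancestors against clickjacking, restrict plugins, and always have a report-uri), here is an added policy linter of the kind one could run in CI/CD. It is example code written for this transcript, not the speaker's CSP Validator or any Yahoo tool; the hostnames, paths and the two sample policies are made up for illustration.

```python
"""Lint a Content-Security-Policy header for the loose constructs discussed in the talk.

Added example, not the speaker's CSP Validator. Hostnames and sample policies are made up.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (directive, offending source or "-", code)

# Fetch directives whose source lists we inspect.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "frame-src", "child-src", "font-src", "media-src", "object-src",
}
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
SCHEME_ONLY_RE = re.compile(r"^[a-z][a-z0-9+.-]*:$")
HOST_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^/]+)(?P<path>/.*)?$"
)


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split 'a x y; b z' into {'a': ['x', 'y'], 'b': ['z']}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def lint_source(directive: str, src: str) -> List[Finding]:
    """Flag one source expression: unsafe keywords, wildcards, non-https, no path."""
    s = src.lower()
    if s in UNSAFE_KEYWORDS:
        return [(directive, src, "unsafe-keyword")]
    if s == "*":
        return [(directive, src, "wildcard")]
    if s.startswith("'"):  # 'self', 'none', 'nonce-...', 'sha256-...' are fine
        return []
    if SCHEME_ONLY_RE.match(s):  # a bare 'https:' or 'data:' allows any host
        return [(directive, src, "scheme-only")]
    m = HOST_RE.match(s)
    if not m:
        return [(directive, src, "unparsed")]
    findings: List[Finding] = []
    if m.group("scheme") != "https":  # no scheme or http:// - pin https:// instead
        findings.append((directive, src, "not-https"))
    if m.group("host").startswith("*."):  # *.cdn.example trusts every tenant
        findings.append((directive, src, "wildcard"))
    if not m.group("path"):  # whole host trusted; use a path on shared CDNs
        findings.append((directive, src, "no-path"))
    return findings


def lint_policy(header: str) -> List[Finding]:
    """Return all findings for a policy; an empty list means it passes."""
    policy = parse_policy(header)
    findings: List[Finding] = []
    for directive, sources in policy.items():
        if directive in FETCH_DIRECTIVES:
            for src in sources:
                findings.extend(lint_source(directive, src))
    if "frame-ancestors" not in policy:  # clickjacking protection
        findings.append(("frame-ancestors", "-", "missing"))
    if "report-uri" not in policy and "report-to" not in policy:  # feedback loop
        findings.append(("report-uri", "-", "missing"))
    default_none = "'none'" in {s.lower() for s in policy.get("default-src", [])}
    if not default_none and "object-src" not in policy and "plugin-types" not in policy:
        findings.append(("object-src", "-", "missing"))  # plugins unrestricted
    return findings


# Constructed sample policies (hostnames and paths are placeholders).
LOOSE_POLICY = (
    "default-src 'self' *.cdn.example; "
    "script-src 'self' 'unsafe-inline' http://cdn.example; "
    "img-src *"
)
STRICT_POLICY = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example/tenant-a/js/; "
    "style-src 'self' https://cdn.example/tenant-a/css/; "
    "img-src 'self' https://cdn.example/tenant-a/img/; "
    "connect-src 'self'; "
    "frame-ancestors 'self'; "
    "report-uri /csp-report"
)

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        findings = lint_policy(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, src, code in findings:
            print(f"  {directive:16} {src:40} {code}")
    # CI/CD usage: exit non-zero when the production policy regresses.
    raise SystemExit(1 if lint_policy(STRICT_POLICY) else 0)
```

The linter only reasons about the policy text, so it complements rather than replaces a run of the real page under the policy (which is what the CSP Validator demo above does): a policy can pass every check here and still break the application, which is why reporting stays on even in enforce mode.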
CSP is primarily for detecting cross-site scripting or mitigating cross-site scripting; however, it is less than perfect, mainly because of extensions, and I explained in detail what the problems associated with browser extensions are, and because of loose policies: we often tend to put in loose policies, and even if you look at the policies set by the major providers they are relatively loose, because existing applications need a lot of rework to comply with CSP. But if you are building a new application, I would recommend you put it in enforce mode and tighten the policy. Unsupported browsers are another thing, but these are of a temporary nature, and going forward I'm really hopeful that CSP will be a very effective mechanism to fight against XSS. This is a kind of interim state where it is less effective, but it is not bad, and it is improving. It certainly blocks third-party tags from piggybacking fourth-party tags; you can really control that. And reporting is a very effective and valuable feedback mechanism, basically to detect XSS or real injection attacks happening on your site, and also to detect adware and malware kinds of extensions. So it's a very useful tool, at least for now, until they start ripping out all our CSP headers. It is not a solution to prevent other injection attacks like shell and SQL injection exploits. So overall it is very promising, but we have not reached a state where it is really effective; it is getting more effective, and I'm hopeful that this will be a very good tool and will have better effectiveness going forward. With that I'm ending my session. Any questions? I think we have just one minute. Yeah.
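The reporting section of the talk (the distribution of violations by directive, the noise from browser extensions, and scanning blocked URLs for malware) is the kind of thing a report-uri endpoint can do in a few lines. The script below is an added example written for this transcript, not Yahoo's pipeline or any tool the speaker mentioned: it reads JSON report lines, separates violations caused by extension URIs from inline and external ones, tallies the per-directive distribution, and collects the external URLs one would hand to a malware lookup service. The sample report lines, hostnames and extension IDs are constructed, and the extension check is a heuristic: as the talk says, an extension that injects a plain https:// script is indistinguishable here from a real injection.

```python
"""Triage CSP violation reports: extension noise vs. inline vs. external URIs to scan.

Added example, not Yahoo's pipeline. Reports below are constructed, not real data.
"""
import json
from collections import Counter
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# URI schemes used by browser extensions (heuristic; an extension can also
# inject a plain https:// script, which this cannot tell from an injection).
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}
# blocked-uri values browsers use for inline script/style and eval.
INLINE_MARKERS = {"", "inline", "eval", "self"}


def directive_of(report: dict) -> str:
    """CSP2 effective-directive, else the first token of violated-directive."""
    if report.get("effective-directive"):
        return report["effective-directive"]
    tokens = report.get("violated-directive", "").split()
    return tokens[0] if tokens else "unknown"


def classify(report: dict) -> str:
    """'extension', 'inline', 'external' or 'other' for one csp-report object."""
    blocked = report.get("blocked-uri") or ""
    source = report.get("source-file") or ""
    if any(urlsplit(u).scheme in EXTENSION_SCHEMES for u in (blocked, source)):
        return "extension"
    if blocked in INLINE_MARKERS:
        return "inline"      # possible injection, or the app's own inline code
    if urlsplit(blocked).scheme in {"http", "https"}:
        return "external"    # candidate for a malware lookup of the URL
    return "other"


def triage(lines: Iterable[str]) -> Tuple[Counter, Counter, List[str]]:
    """Count reports per directive and per class; collect external URIs to scan."""
    by_directive: Counter = Counter()
    by_class: Counter = Counter()
    to_scan = set()
    for line in lines:
        report = json.loads(line)["csp-report"]
        by_directive[directive_of(report)] += 1
        kind = classify(report)
        by_class[kind] += 1
        if kind == "external":
            to_scan.add(report["blocked-uri"])
    return by_directive, by_class, sorted(to_scan)


def share(counter: Counter, key: str) -> float:
    """Fraction of all reports attributed to one key (e.g. script-src)."""
    total = sum(counter.values())
    return counter[key] / total if total else 0.0


# Constructed report lines (one JSON document per line), as a report-uri endpoint
# might log them. Hostnames and extension IDs are placeholders.
SAMPLE_LINES = [
    '{"csp-report":{"document-uri":"https://mail.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"chrome-extension://aaaabbbbccccdddd/content.js"}}',
    '{"csp-report":{"document-uri":"https://mail.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://cdn.adware.example/ad.js","source-file":"moz-extension://0123-4567/inject.js"}}',
    '{"csp-report":{"document-uri":"https://mail.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"inline","line-number":42}}',
    '{"csp-report":{"document-uri":"https://mail.example/","effective-directive":"script-src","violated-directive":"script-src \'self\'","blocked-uri":"https://evil.example/x.js","source-file":"https://mail.example/"}}',
    '{"csp-report":{"document-uri":"https://mail.example/","violated-directive":"connect-src \'self\'","blocked-uri":"https://beacon.unknown.example/collect"}}',
    '{"csp-report":{"document-uri":"https://mail.example/","effective-directive":"frame-src","violated-directive":"frame-src \'self\'","blocked-uri":"https://ads.example/frame"}}',
]

if __name__ == "__main__":
    by_directive, by_class, to_scan = triage(SAMPLE_LINES)
    for directive, n in by_directive.most_common():
        print(f"{directive:12} {n} ({share(by_directive, directive):.0%})")
    print(dict(by_class))
    print("URLs to check against a malware service:", to_scan)
```

In practice the "inline" bucket is where a reflected or stored XSS on a page with no 'unsafe-inline' would show up, so that is the bucket to alert on after the extension noise is removed; the "external" URLs are the ones to feed to VirusTotal or a similar lookup, as the talk suggests.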
So most of the time your ads should be placed in iframes, and many times it's not practical to whitelist those ads because you don't know where they are coming from. From that perspective you cannot really do that, because let's say the ads are coming from 100 different places; you cannot put 100 locations in your CSP header, that is not going to work. However, if you know that, OK, you are only adding some tags, some beacon tags, or some frames of a third party, that you can control. So for advertising you just isolate it, that's the best way, but still, if you know where your ad is coming from, you can control it, depending on your use case. Yeah, any other questions? All right, thank you very much, and have a good day.