reining in the web with content security policy
play

Reining in the Web with Content Security Policy Sid Stamm Brandon - PowerPoint PPT Presentation

Oct 23, 2022 •218 likes •605 views

Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla Mash-ups Anyone? But how do I stop malicious content? Content Injection DOM attacks and Defacement XSS All your page is belong to us!

  1. Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla

  2. Mash-ups Anyone? But how do I stop malicious content?

  3. Content Injection DOM attacks and Defacement

  4. XSS All your page is belong to us!

  5. Filtering is Hard! <DIV STYLE="background-image:\0075\0072\006C\0028'\006a \0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c \0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"> <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")> <A HREF="h tt p://6&#9;6.000146.0x7.147/">XSS</A>

  6. Mutual Approval can be Expensive! may I? policy NO! may I? Really? ask bob NO! He said no.

  7. In-Band Policies are Dangerous! Javascript that polices itself? Is that like an application that tells you if it is a virus?

  8. Goals • Control of Site Content • Protection against XSS • Clickjacking Avoidance • Increased Security • Feasible Use

  9. Control of Site Content Document “Good” behavior... Suppress the “Bad”

  10. Grabbing the Reins • Content Rules & Regulations • Specify a “Normal Behavior” Policy • Catch and Block Violations <HTML> Content Policy Specify Rules Enforce Rules

  11. Part 1: Smooth Edges • Scripts served in files (not inline) - “javascript:” URIs - <tag on*=...> event registration - text nodes in <script> tags • Establish Code / Data Separation - eval(“foo”) and friends

  12. Part 2: Content Restrictions • Block requests for all resources ... unless explicitly allowed by a policy!

  13. CSP: Policies HTTP Response Header X-CONTENT-SECURITY-POLICY Directives to enforce listed within

  14. Speed Bump <meta http-equiv=....> ? • Designers may not have access to HTTP • Two entities want restrictions • Multiple policies?

  15. Speed Bump Intersecting Policies Given Policies P1 and P2: P e = {u | P 1 allows u AND P 2 allows u}

  16. Speed Bump <meta http-equiv=....> ? • policy in-band is too dangerous • Multiple header instances!

  17. CSP: Directives report-uri source directives policy-uri options

  18. CSP: Source Directives allow (default for these) img-src font-src media-src xhr-src script-src frame-ancestors object-src style-src frame-src

  19. Speed Bump • ‘self’ ... in pieces? https://‘self’:443 ‘self’://foo.com foo.com:‘self’

  20. ‘self’ ‘self‘ -> http://foo.com:80 bar.com:8080 -> http://bar.com:8080 http://foo.com -> http://foo.com:80 bar.com -> http://bar.com:80

  21. Speed Bump • Redirects http://foo.com http://bar.com http://duh.com

  22. Goals (revisited) • Control of Site Content • Protection against XSS • Clickjacking Avoidance • Only Increased Security • Feasible Use

  23. Goals (revisited) • Control of Site Content Expressive white-list policy language

  24. Goals (revisited) • Protection against XSS Only load scripts in external (whitelisted) files

  25. Goals (revisited) • Clickjacking Avoidance frame-ancestors

  26. Goals (revisited) • Only Increased Security Declarative syntax that can only reduce capabilities

  27. Goals (revisited) • Feasible Use (1) Built into Firefox nightlies (2) Deployed as patch for for Mozilla Add-Ons site (3) In progress for Wordpress http://core.trac.wordpress.org/ticket/10237

  28. Beneficial Effects • Content homogenization (mixed content control) • Data exfiltration (and CSRF) reduction • Violation reports = early alert

  29. CSP: Use Case 1 allow ‘self’ • Site wants all content to come from the same source (scheme, host, port)

  30. CSP: Use Case 2 allow ‘self’; frame-src ads.net • Site wants all content to come from the same source (scheme, host, port), except content in iframes may be served by a third-party advertising network.

  31. CSP: Use Case 3 allow ‘self’; img-src *; \ object-src *.teevee.com; \ script-src myscripts.com • Auction site wants to allow images from anywhere, plugin content from a trusted media provider network, and scripts only from its server hosting sanitized JavaScript

  32. CSP: Use Case 4 allow https://*.x.com; • Example site wants to force all content to be served via HTTPS on port 443, from any subdomain of example.com

  33. Wait! That breaks my site! • Good Option: convert your site • Less Good Option: disable parts of CSP

  34. Ramping Up • Disable some restrictions via options • Report-Only mode • “Writing a Policy” guide • “Converting your Site” guide • Maybe a policy recommendation tool?

  35. Wordpress

  36. Wordpress

  37. More Stuff • Specification: https://wiki.mozilla.org/Security/CSP/Specification • Nightly Firefox Now With http://nightly.mozilla.org CSP!!! • Progress: https://bugzilla.mozilla.org/show_bug.cgi?id=csp

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies Sebastian Roth , Timothy Barron, Stefano Calzavara, Nick Nikiforakis &amp; Ben Stock Network and Distributed System Security Symposium (NDSS '20) Cross-Site

878 views • 31 slides
Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site

Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site

Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

560 views • 43 slides
Coordination of Social Security Systems in Europe 1 Content of the study Key principles and

Coordination of Social Security Systems in Europe 1 Content of the study Key principles and

Policy Department A: Economic and Scientific Policy Stefano Giubboni Fondazione Giacomo Brodolini Coordination of Social Security Systems in Europe 1 Content of the study Key principles and aims of SSC in EU Assessment of current SSC

463 views • 25 slides
Cybersecurity R&amp;D&amp;I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications

Cybersecurity R&amp;D&amp;I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications

Cybersecurity R&amp;D&amp;I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications Networks, Content and Technology European Commission EU Policy Cyber Security EU Cyber Security Strategy Resilience International cybercrime

264 views • 13 slides
Explore the Enterprise Security Content Updates app 1. Navigate to the Content Library from

Explore the Enterprise Security Content Updates app 1. Navigate to the Content Library from

Explore the Enterprise Security Content Updates app 1. Navigate to the Content Library from the navigation bar. This is typically the landing page. 2. Ensure Analytic Stories Stats tab is selected. 3. Review the contents to identify

278 views • 3 slides
Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment

Document Hierarchy of Information Security Corporate Security Policy Policy General commitment to Information Security General commitment to Information Security Installation of CorpSec Enabling CSO Installing Information Security Standard

355 views • 8 slides
Web Security CS 161: Computer Security Prof. Raluca Ada Popa March 15, 2018 Some content

Web Security CS 161: Computer Security Prof. Raluca Ada Popa March 15, 2018 Some content

Web Security CS 161: Computer Security Prof. Raluca Ada Popa March 15, 2018 Some content adapted from materials by David Wagner or Dan Boneh What is the Web? A platform for deploying applications and sharing information, portably and securely

790 views • 47 slides
Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content

Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content

Patented Object Level DRM, e-Commerce, Content Security and Tracking Centralized Content Infrastructure High overhead, marketing and support costs The New Content Infrastructure Decentralized, Low to No Overhead The Business Model for

373 views • 36 slides
South Africa Case study Limpopo Content I. Project introduction II. Methodology III. General

South Africa Case study Limpopo Content I. Project introduction II. Methodology III. General

Food security vulnerability in South Africa Case study Limpopo Content I. Project introduction II. Methodology III. General results IV. Food security determinants V. Policy priorities Content I. Project introduction II. Methodology

705 views • 47 slides
Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010,

Update on Security Policy David Kelsey (RAL) 7 Mar 2010 Security Workshop @ ISGC 2010, Taipei david.kelsey at stfc.ac.uk Overview Why do we need security policies? Joint Security Policy Group (JSPG) Some history

408 views • 28 slides
Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining

Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining

Theoretical approaches to the many-body electronic problem: an introduction Lucia Reining Palaiseau Theoretical Spectroscopy Group Theoretical approaches to the many-body electronic problem: an introduction Theoretical Spectroscopy: aims

1.73k views • 111 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
Joomla! Security Useful security tips for your website, by RSJoomla.com Content: 1.Most common

Joomla! Security Useful security tips for your website, by RSJoomla.com Content: 1.Most common

Joomla! Security Useful security tips for your website, by RSJoomla.com Content: 1.Most common attack points 2.Joomla! components 3.What can you do to protect yourself 4.Backing up your files and DB 5.Tools that hackers use 1. Most common

422 views • 17 slides
THE INDUSTRIAL POLICY Content: 1. VIETNAM GROWTH PATTERN 2. THE INDUSTRIAL POLICY 3. MAJOR

THE INDUSTRIAL POLICY Content: 1. VIETNAM GROWTH PATTERN 2. THE INDUSTRIAL POLICY 3. MAJOR

THE L2C VIETNAM SCOPING PAPER: THE INDUSTRIAL POLICY Content: 1. VIETNAM GROWTH PATTERN 2. THE INDUSTRIAL POLICY 3. MAJOR RESULTS AND ISSUES OF THE INDUSTRIAL POLICY 4. LESSONS LEARNT FROM VIETNAM Nguyen Thi Tue Anh Helsinki, 24-25 June,

222 views • 21 slides
and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska

Anti-Hunger Policy and Advocacy in Alaska Outline: Framing Food Security/Insecurity Food Security in Alaska Federal Policy and Advocacy State Policy and Advocacy SNAP FINI Grant Useful Reports Policy

852 views • 12 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor,

About me Trevor Bryant Security minded DevOps nerd Knight of NIST Auditor, Analyst, Engineer, Architect Tech policy Instructor @DC_TOOOL Conference Organizer / Volunteer apporima.com @apporima api_security I

204 views • 17 slides
Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory

Introduction to the Infinity Project INfrastructures for the Future Internet commuNITY Erik Rodenbach COST Exploratory Workshop on Smart Cities , 26 -27 Sep 2011, Paris Background and Overview of FI-PPP Supporting programmes that accelerate

183 views • 17 slides
W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific

W l Welcome! ! The webinar will begin at The webinar will begin at 12:00 Eastern/9:00 Pacific Audio Tips Todays audio is streaming to your computers speakers or headphones. Too loud or soft? Adjust volume level in the Audio broadcast

502 views • 38 slides
PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU

PROGRAMME 6.15pm Welcome &amp; Briefing by Associate Chair (Academic) Introduction to NTU Libraries Resources and Access by 6.30pm Mr Law Loo Shien (CMIL) 6.45pm Proceed to Programme Briefing (venues): Info Studies &amp; Knowledge Management

950 views • 22 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011

Search Snippet Evaluation Mikhail Lebedev, Pavel Braslavski, Denis Savenkov CLEF 2011 CLEF 2011 What is a snippet What is a snippet # Why is it so important Why is it so important Search is ranking &amp; representation Bad snippets spoil good

359 views • 19 slides

More recommend