menu

The information in our interactive Radar is currently only available in English. To get information in your native language, please download the PDF here.

Techniques

Content Security Policies

ARCHIVED BLIP
Please be aware that we have archived this blip and are no longer actively keeping the information updated. The current edition of the radar only features items that we feel are new or noteworthy.Understand more
ASSESS?

We are finding Content Security Policies to be a helpful addition to our security toolkit when dealing with websites that pull assets from mixed contexts. The policy defines a set of rules about where assets can come from (and whether to allow inline script tags). The browser then refuses to load or execute JavaScript, CSS or images that violate those rules. When used in conjunction with good practices, such as output encoding, it provides good mitigation for XSS attacks. Interestingly, the optional endpoint for posting JSON reports of violations is how Twitter discovered that ISPs were injecting HTML or JavaScript into their pages.

History for Content Security Policies

Nov 2016
Assess?

We are finding Content Security Policies to be a helpful addition to our security toolkit when dealing with websites that pull assets from mixed contexts. The policy defines a set of rules about where assets can come from (and whether to allow inline script tags). The browser then refuses to load or execute JavaScript, CSS or images that violate those rules. When used in conjunction with good practices, such as output encoding, it provides good mitigation for XSS attacks. Interestingly, the optional endpoint for posting JSON reports of violations is how Twitter discovered that ISPs were injecting HTML or JavaScript into their pages.

Apr 2016
Assess?