惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
博客园_首页
Vercel News
Vercel News
WordPress大学
WordPress大学
美团技术团队
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Y
Y Combinator Blog
博客园 - 【当耐特】
量子位
酷 壳 – CoolShell
酷 壳 – CoolShell
The Cloudflare Blog
T
The Blog of Author Tim Ferriss
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
腾讯CDC
M
MIT News - Artificial intelligence
爱范儿
爱范儿
Recent Announcements
Recent Announcements
雷峰网
雷峰网
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
The Register - Security
The Register - Security
Jina AI
Jina AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
Help Net Security
Help Net Security
N
News and Events Feed by Topic
博客园 - Franky
P
Proofpoint News Feed
L
LINUX DO - 热门话题
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
D
Docker
Google DeepMind News
Google DeepMind News
有赞技术团队
有赞技术团队
IT之家
IT之家
Security Latest
Security Latest
L
LangChain Blog
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
J
Java Code Geeks

Mike West

Web Platform Security @ CMS Security Summit 2020 XSS (No, the _other_ Frontend Security - Frontend Conference, Zürich 2013 Debugging runtime errors with Securing the Client Side Chrome connects to three random domains at startup. Nerdy New Year Making Your Web Apps Accessible Using HTML5 and ChromeVox GDD Keynote: The HTML5 Demos
Content Security Policy: Feature Detection
Mike West · 2012-05-02 · via Mike West

AngularJS’s latest release candidate is the first framework I’ve seen that cleanly supports a content security policy that restricts usage of eval(), new Function(), and the like. I’m thrilled to see this happening, and it’s a testament to the priority that the Angular developers place on security. CSP is quite simply one the best XSS-protection mechanisms available to developers these days in modern browsers. The more frameworks that hop on board, the faster sites can start adopting CSP, and the safer we’ll all be on the net.

All that said, the implementation isn’t as complete as it could be. Angular requires that the developer manually opt into CSP-friendly mode via the ng-csp directive. This is error-prone at best, and introduces complexity that would be better hidden away inside the framework. The Angular developers recognize this shortfall, and are explicitly requesting some sort of feature detection API that would allow frameworks to query the currently active policy to determine its boundaries, and fork their implementation accordingly.

This does seem like a great addition to the spec; I’d suggest the following implementation:

Add document.[prefix]contentSecurityPolicy as an object that exists in browsers that support CSP. This would enable trivial feature detection of CSP as a whole, which would enable frameworks to make intelligent decisions about how to proceed through the following use cases:

  1. Is a policy enabled? If not, perhaps I’d like to set one via meta injection.

    document.contentSecurityPolicy.active is a boolean property: true if a policy is set, false otherwise.

  2. Can I execute eval() or use new Function()?

    document.contentSecurityPolicy.isWhitelisted('script-src', 'unsafe-eval') returns true if unsafe-eval has been defined for the script-src directive.

  3. Can I embed a data: image or frame?

    document.contentSecurityPolicy.isWhitelisted('image-src', 'data:') and document.contentSecurityPolicy.isWhitelisted('frame-src', 'data:')

  4. Can I include Google Analytics?

    document.contentSecurityPolicy.isWhitelisted('script-src', 'https://ssl.google-analytics.com') (Note that isWhitelisted should do the hard work of dealing with wildcards. This example should return true if *.google-analytics.com is whitelisted.)

  5. Are reports being sent? If so, where are they going?

    The document.contentSecurityPolicy.reportUri property is either undefined if no report-uri directive is set, and a URI if the directive is set.

This seems like a reasonable first pass at a strawman for discussion. Thanks to Paul Irish, Eric Bidelman, and Pete LePage for walking through this with me.

What do you think?