4. is a new addition to the web platform that promises to
mitigate the risk of XSS attacks by giving admins control over the
data and code to be allowed to run on their site.
 Another layer to a website's defenses: browser-enforced
restrictions against external resources or unauthorized scripting.
 Extra response header instructs browsers to enforce a policy.
 Involves deciding what policies you want to enforce, and then
configuring them and using X-Content-Security-Policy to
establish your policy.

5. : best used as defense-in-depth.
: declarative policy that lets admins inform the client about
the sources from which the application expects to load resources.
 Mitigate XSS: Applications can declare that it only expects scripts
from trusted sources.
 Allows the client to detect and block malicious
scripts injected into the application by an
attacker.

6.  Often a non-trivial amount of work required to apply to an
existing web application.
 Move all inline scripts and style out-of-line.

7.  Applications opts into using by supplying a Content-
Security-Policy HTTP header.
 To supply a policy for an entire site, the server needs to supply a
policy with each resource representation

8.  You can use the X-Content-Security-Policy HTTP header to specify
your policy, like this:
X-Content-Security-Policy: policy
 The policy is a string containing the policy directives describing
your Content Security Policy.

9.  Common scenarios when writing your security policy

10.  All content to come from the site's own domain, excluding even
subdomains.
X-Content-Security-Policy: default-src 'self'
 Allow content from a trusted domain and all its subdomains.
X-Content-Security-Policy: default-src 'self' *.mydomain.com

11.  Allow users of a web application to include images from any
domain in their custom content, but to restrict audio or video
media to come only from trusted providers, and all scripts only to
a specific server that hosts trusted code.
X-Content-Security-Policy: default-src 'self'; img-src *; media-src
media1.com media2.com; script-src userscripts.example.com
 Content is only permitted from the document's original host, with
the following exceptions:
 Images may loaded from anywhere (note the "*" wildcard).
 Media is only allowed from media1.com and media2.com (and not from
subdomains of those sites).
 Executable script is only allowed from userscripts.example.com.

12.  Ensure content is loaded using SSL.
X-Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
 Server only permits access to documents being loaded specifically over
HTTPS through the single domain onlinebanking.jumbobank.com.
 Allows HTML in email, as well as images loaded from anywhere,
but not JavaScript or other potentially dangerous content.
X-Content-Security-Policy: default-src 'self' *.mailsite.com; img-src

13.  Server delivers the policy to the user agent via an HTTP response
header.
Content-Security-Policy Header Field
 Content-Security-Policy header field is the preferred mechanism for
delivering a CSP policy.
"Content-Security-Policy:" 1#policy
 Server may send more than one HTTP header field named Content-
Security-Policy with a given resource representation.
 A server may send different Content-Security-Policy header field
values with different representations of the same resource or with
different resources.
 Receiving an HTTP response containing at least one Content-Security-
Policy header field, the user agent enforces each of the policies
contained in each such header field.

14.  Add header in the web server config:

15.  How a CSP enabled site looks like:

16.  Unless explicitly allowed by your policy incline scripts are not
executed:

17. : Defined by W3C Specs as standard header,
: Used by Firefox and Internet Explorer,
 X-WebKit-CSP : Used by Chrome.

18.  DEFCON Hacking Conference is using (x-content-security-
policy:default-src 'self')

19.  Facebook has started using [x-webkit-csp]

20. Questions?……..….NO …..………..OK