Sec24-04-CSP.pdf

Content Security Policy

postMessage:

Allowed generally

XMLHTTPRequest:

Same-origin policy: Allowed

Cross-origin: May make request, but cannot read (unless CORS flag set)

Image request:

Allowed generally

Isolate content from different origins

• Can send postMessage, embed image, or js
• But, cannot access document from cross origin

Libraries:

Works in Same-Origin, could have trojan horse

Same origin policy limitations:

Coarse, inflexible

Does not restrict actions within execution context

Does not prevent information leaks

Send data in image request

Cross-origin scripts act the same

Browsing Context

Web Workers

• Isolated thread, same origin, no DOM, send message with postMessage

Restricting Context

• Load HTML5 iframe sandbox
  • Directive sandbox has unique origin
  • sandbox allow-scripts allows JavaScript
• Content Security Policy (whitelist browser to only execute/render resources from specific resources)
  • Prevent and limit XSS
  • Restrict resource loading to white-list

Subresource Integrity

• Can check hash

HTTPS