User Specified Content Security Policy

1

CSP Shield LogoThis summer I worked on a Google Summer of Code Project called User Specified Content Security Policy with Kailas Patil (CS PhD student at the National University of Singapore). We created a Firefox add-on called UserCSP that allows users and developers to apply custom Content Security Policies to websites.

A Content Security Policy is a declarative policy that restricts what content can load on a page.  Its primary purpose is to mitigate Cross-Site Scripting vulnerabilities.  The core issue exploited by Cross-Site Scripting (XSS) attacks is the lack of knowledge in web browsers to distinguish between content that’s intended to be part of web application, and content that’s been maliciously injected into web application.

To address this problem, CSP defines the Content-Security-Policy HTTP header that allows web application developers to create a whitelist of sources of trusted content, and instruct the client browsers to only execute or render resources from those sources.  However, it is often difficult for developers to write a comprehensive Content Security Policy for their website.  They may worry about breaking their page by blocking unanticipated but necessary content.  They may not be able to easily change the CSP header for their site, which makes it challenging for them to experiment with policies until they find one that best protects their page without breaking site functionality.

UserCSP changes this!  A developer can now view the current policy applied to their site and create their own custom policy.  They can choose to apply their custom policy on the site, or even combine their policy with the website’s existing policy.  When combining policies, they have an option to choose from the strictest subset of the two, or the most lax subset.  They can locally test their site with the custom policy applied and tweak the policy until they have one that works.

The coolest feature of UserCSP is the Infer-CSP tab.  This feature can help a developer derive a usable and secure policy for their site.  By looking at the content the website loads, the add-on determines the strictest set of CSP rules it can apply to the site without breaking the current page.  The inferred policy is provided in the proper syntax for the CSP Header, so all a developer needs to do is start serving this policy for their site via the CSP header.

Screenshot of Inferred Policy Tab on twitter.com

 

Security conscious users can also benefit from UserCSP.  They can protect themselves by disabling content such as objects on personal finance sites or frames and third party javascript for their web-email.  Here is an example, where you can see that a flash object used for an ad is blocked after the user applies a custom policy:

finance.yahoo.com before any Content Security Policy is applied

 

User specifies CSP, setting object-src to none, so that plugins won’t load on the page

 

Once the user policy is applied, the plugins can’t load and the ads are no longer on the page

We are looking to improve UserCSP, and are open to comments, suggestions, and reviews.  I feel like we have only scratched the surface with this tool.  We hope that after trying out the add-on, the security community will come up with ideas to further enhance it.  The code is open source and can be found on Github.  Check out the add-on and let us know what you think!

UserCSP Add-on: https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/
UserCSP Code (Open Source): https://github.com/patilkr/userCSP
UserCSP Documentation: https://wiki.mozilla.org/SummerOfCode/2012/UserCSP/Wiki

 

Categories: Browser Security

One response {+}

  1. mike wrote on :

    bloch all website usage

    Reply

Post Your Comment