In association with heise online

The first step is not the hardest

A web server defines a Content Security Policy via a web page's HTTP header. For Apache servers, the easiest way to specify the header is by using the .htaccess file, which is located in the same folder as, or in a parent folder of, the web page to be served. A simple policy conforming to version 1.0 of the CSP specification can be implemented by adding the following line to the .htaccess file:

Header set Content-Security-Policy "default-src 'self'"

At present, it is principally Chrome users who will benefit from this, as it is Google's Chrome browser which has pioneered CSP support. Firefox and Safari currently interpret most commands as specified in X-Content-Security-Policy/X-Webkit-CSP, a forerunner to CSP proper. Until they implement CSP, additional protection for Firefox and Safari users can be achieved by instructing servers to serve the following variants in parallel:

Header set X-Content-Security-Policy "default-src 'self'"
Header set X-Webkit-CSP "default-src 'self'"

If you believe the latest browser statistics, the measures described above will benefit around 70 per cent of web users. Since version 10, Internet Explorer has supported just one CSP feature: the sandbox. Opera has not yet been taught how to deal with CSP headers. That should, however, change with the forthcoming switch to the WebKit engine, also used by Chrome and Safari.

The fact that CSP headers are not yet supported by all browsers is no reason to hold back on implementing them. CSP headers are fully backward compatible. If a browser ignores the policy, web pages remain fully functional, merely missing out on the additional protection offered by CSP.

[Figure: CSP violation] In the event of a policy infringement, the browser produces natural language output, facilitating debugging when compiling a policy.
Users who wish to employ this protective feature on a test basis only should append -Report-Only to the header name. With this option in place, a browser will not block policy infringements, but, as in normal mode, will report any policy infringements in the console. In Chrome and Firefox, the console can be accessed using CTRL+SHIFT+J or via the menu. The reports are gratifyingly thorough and provide useful assistance when developing an individual security policy. Note, however, that some of the errors reported may be ascribable to browser add-ons which manipulate source code on a web page and infringe the CSP in the process.
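The following Python script is an added example, not code from the article or from heise; it models the two points above: emitting the policy under all three header names (with the -Report-Only variant for testing), and what "default-src 'self'" actually permits when a page fetches resources. The page origin, the resource URLs and the policies are constructed sample values, and the source matching is deliberately simplified (scheme, host and port; keyword sources that govern inline code are not modelled).

```python
from urllib.parse import urlsplit

# Header names from the article: the CSP 1.0 header plus the two
# prefixed forerunners that Firefox and Safari understood at the time.
HEADER_NAMES = (
    "Content-Security-Policy",
    "X-Content-Security-Policy",
    "X-Webkit-CSP",
)


def csp_headers(policy, report_only=False):
    """Return the response headers carrying `policy` under all three names;
    with report_only=True the -Report-Only variants are produced instead."""
    suffix = "-Report-Only" if report_only else ""
    return {name + suffix: policy for name in HEADER_NAMES}


def parse_policy(policy):
    """Split "default-src 'self'; img-src https:" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_allows(source, page_origin, resource_url):
    """Does one source expression permit loading resource_url from a page
    served at page_origin? Simplified model: scheme, host and port only."""
    page = urlsplit(page_origin)
    res = urlsplit(resource_url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        # Same scheme, host and port as the document itself.
        return (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if source.endswith(":"):
        # Scheme source such as https: permits any host over that scheme.
        return res.scheme == source[:-1]
    if source.startswith("'"):
        # 'unsafe-inline', 'unsafe-eval' etc. govern inline code, never a URL.
        return False
    # Host source, optionally with scheme, port and a leading *. wildcard.
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != res.scheme:
        return False
    if src.port is not None and src.port != res.port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return bool(res.hostname) and res.hostname.endswith(host[1:])
    return res.hostname == host


def resource_allowed(policy, page_origin, resource_url, directive):
    """Check one fetch of kind `directive` (e.g. script-src). A directive
    that is absent falls back to default-src, as CSP specifies."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing restricts this fetch type
    return any(source_allows(s, page_origin, resource_url) for s in sources)


def simulate(policy, page_origin, fetches, report_only=False):
    """Mimic the browser: returns [(directive, url, allowed, loaded)].
    Enforcing mode blocks a violating fetch; report-only mode still loads
    it. Both modes emit a console-style message for the violation."""
    results = []
    for directive, url in fetches:
        allowed = resource_allowed(policy, page_origin, url, directive)
        loaded = allowed or report_only
        if not allowed:
            mode = "report-only, still loaded" if report_only else "blocked"
            print(f"Refused to load {url}: violates {directive} ({mode})")
        results.append((directive, url, allowed, loaded))
    return results


# Constructed sample data (not from the article): a page on www.example.org
# pulling one same-origin script, one third-party script and one image.
SAMPLE_ORIGIN = "https://www.example.org"
SAMPLE_FETCHES = [
    ("script-src", "https://www.example.org/static/app.js"),
    ("script-src", "https://cdn.third-party.example/widget.js"),
    ("img-src", "https://images.example.org/logo.png"),
]

if __name__ == "__main__":
    print(csp_headers("default-src 'self'"))
    print(csp_headers("default-src 'self'", report_only=True))
    simulate("default-src 'self'", SAMPLE_ORIGIN, SAMPLE_FETCHES)
    simulate("default-src 'self'; img-src *.example.org",
             SAMPLE_ORIGIN, SAMPLE_FETCHES, report_only=True)
```

Running the script shows the same fetch list once under the enforcing policy, where the third-party script and the off-origin image are blocked, and once in report-only mode, where the same violations are reported but every resource still loads; this is the behaviour to expect in the browser console before switching a new policy to enforcing mode.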

