tex: add more CSP stuff
This commit is contained in:
parent
2f0cf28396
commit
4b37b919d9
SSH Key Fingerprint:
SHA256:Dp8+iwKHSlrMEHzE3bJnPng70I7LEsa3IJXRH/U+idQ
|
|
@ -357,7 +357,19 @@ institution = {International Organization for Standardization}
|
|||
booktitle = {Proceedings of the 5th ACM SIGSAC Conference on Computer and Communications Security (CCS '16)},
|
||||
address = {New York, NY, USA},
|
||||
doi = {10.1145/297674},
|
||||
isbn = {978-1-4503-4139-4/16},
|
||||
pages = {1376-1387},
|
||||
year = 2016,
|
||||
}
|
||||
|
||||
@inproceedings{reininginCSP,
|
||||
title = {{Reining in the Web with Content Security Policy}},
|
||||
author = {Sid Stamm and Brandon Sterne and Gervase Markham},
|
||||
booktitle = {Proceedings of the 19th International Conference on World Wide Web},
|
||||
address = {Raleigh, North Carolina, USA},
|
||||
isbn = {978-1-60558-799},
|
||||
pages = {921-930},
|
||||
year = 2010,
|
||||
}
|
||||
|
||||
% =========================================================================== %
|
||||
|
|
|
|||
19
tex/text.tex
19
tex/text.tex
|
|
@ -492,7 +492,8 @@ are parsed and displayed, which has been discussed in depth in previous
|
|||
sections.
|
||||
|
||||
As per Weichselbaum et al.\ CSP is a mechanism designed to mitigate
|
||||
XSS~\cite{longliveCSP}. It is a declarative policy mechanism that allows the
|
||||
XSS~\cite{longliveCSP}, a long-lived king of the vulnerability
|
||||
lists~\cite{reininginCSP}. It is a declarative policy mechanism that allows the
|
||||
website operator to decide what client-side resources can load and what origins
|
||||
are permitted. Scripts can be restricted to only load from a list of trusted
|
||||
domains and inline scripts can be blocked completely. The scripts can also be
|
||||
|
|
@ -508,9 +509,19 @@ keyword and suffixed `-src', such as \texttt{script-src}, \texttt{img-src} or
|
|||
representing this group nicely. Sections are delimited using semicolons and
|
||||
each section can only appear once. Special values exist for the origin itself
|
||||
(\texttt{'self'}) and disallowing any source (\texttt{'none'}). A good CSP is
|
||||
targeted and not overly broad. For instance, a website that loads no JavaScript
|
||||
at all does not need to allow a popular CDN (Content Delivery Network) origin
|
||||
in its \texttt{script-src}, instead it can be set to \texttt{'none'}.
|
||||
targeted and not overly broad. To give an example, a website that loads no
|
||||
JavaScript at all does not need to allow a popular CDN (Content Delivery
|
||||
Network) origin in its \texttt{script-src}, instead it should be set to
|
||||
\texttt{'none'}. CSP can also aid with clickjacking protection using its
|
||||
\texttt{frame-ancestors} directive, which could limit origins that could be
|
||||
embed the website, preventing attacker from embedding the website at random
|
||||
places.
|
||||
|
||||
Getting CSP right can be tricky at first but once grokked, it is relatively
|
||||
straight-forward and can increase the security of the site greatly. There are
|
||||
many more directives and settings than mentioned in this section, the author
|
||||
encourages anybody interested to give it a read, e.g.\ at
|
||||
\url{https://web.dev/csp/}.
|
||||
|
||||
|
||||
% =========================================================================== %
|
||||
|
|
|
|||
Reference in New Issue