diff --git a/tex/references.bib b/tex/references.bib index 0b02c33..2cca0e5 100644 --- a/tex/references.bib +++ b/tex/references.bib @@ -357,7 +357,19 @@ institution = {International Organization for Standardization} booktitle = {Proceedings of the 5th ACM SIGSAC Conference on Computer and Communications Security (CCS '16)}, address = {New York, NY, USA}, doi = {10.1145/297674}, + isbn = {978-1-4503-4139-4/16}, + pages = {1376-1387}, year = 2016, } +@inproceedings{reininginCSP, + title = {{Reining in the Web with Content Security Policy}}, + author = {Sid Stamm and Brandon Sterne and Gervase Markham}, + booktitle = {Proceedings of the 19th International Conference on World Wide Web}, + address = {Raleigh, North Carolina, USA}, + isbn = {978-1-60558-799}, + pages = {921-930}, + year = 2010, +} + % =========================================================================== % diff --git a/tex/text.tex b/tex/text.tex index 19ce319..7a230ad 100644 --- a/tex/text.tex +++ b/tex/text.tex @@ -492,7 +492,8 @@ are parsed and displayed, which has been discussed in depth in previous sections. As per Weichselbaum et al.\ CSP is a mechanism designed to mitigate -XSS~\cite{longliveCSP}. It is a declarative policy mechanism that allows the +XSS~\cite{longliveCSP}, a long-lived king of the vulnerability +lists~\cite{reininginCSP}. It is a declarative policy mechanism that allows the website operator to decide what client-side resources can load and what origins are permitted. Scripts can be restricted to only load from a list of trusted domains and inline scripts can be blocked completely. The scripts can also be 
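Review bot: Both added `pages` fields use a single hyphen, which standard styles print as a hyphen rather than a range dash; they should read `pages = {1376--1387}` and `pages = {921--930}`. The `isbn` added to the CCS entry carries a trailing `/16`, which looks like the ACM copyright code printed next to the ISBN rather than part of the ISBN itself, and the new entry's `isbn = {978-1-60558-799}` has only twelve digits, so its check digit appears to be missing; both are worth checking against the publisher's record. In the new `reininginCSP` entry, `address` holds the conference venue although standard styles treat `address` as the publisher's city, and the doubly braced `title = {{Reining in the Web with Content Security Policy}}` defeats the style's casing, so move the venue into `booktitle` (or drop it) and brace only `{Content Security Policy}` if protection is wanted. Writing the authors in the unambiguous comma form, `author = {Stamm, Sid and Sterne, Brandon and Markham, Gervase}`, would also match the convention recommended for name parsing.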
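Review bot: The added clause `a long-lived king of the vulnerability lists~\cite{reininginCSP}` attaches a claim about vulnerability rankings to a paper whose subject is CSP itself, so the citation supports the claim only indirectly, and the wording is more colloquial than the surrounding sentences. Rephrasing it as `XSS~\cite{longliveCSP}, a class of vulnerability that has appeared near the top of published vulnerability rankings for years~\cite{reininginCSP}.` keeps the author's point and the citation while stating it plainly; citing a ranking source directly would back it better still. The paragraph this sentence belongs to starts and ends outside the hunk.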
@@ -508,9 +509,19 @@ keyword and suffixed `-src', such as \texttt{script-src}, \texttt{img-src} or representing this group nicely. Sections are delimited using semicolons and each section can only appear once. Special values exist for the origin itself (\texttt{'self'}) and disallowing any source (\texttt{'none'}). A good CSP is -targeted and not overly broad. For instance, a website that loads no JavaScript -at all does not need to allow a popular CDN (Content Delivery Network) origin -in its \texttt{script-src}, instead it can be set to \texttt{'none'}. +targeted and not overly broad. To give an example, a website that loads no +JavaScript at all does not need to allow a popular CDN (Content Delivery +Network) origin in its \texttt{script-src}, instead it should be set to +\texttt{'none'}. CSP can also aid with clickjacking protection using its +\texttt{frame-ancestors} directive, which could limit origins that could be +embed the website, preventing attacker from embedding the website at random +places. + +Getting CSP right can be tricky at first but once grokked, it is relatively +straight-forward and can increase the security of the site greatly. There are +many more directives and settings than mentioned in this section, the author +encourages anybody interested to give it a read, e.g.\ at +\url{https://web.dev/csp/}. % =========================================================================== %
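Review bot: The new clickjacking sentence has grammatical slips that obscure the technical point: `which could limit origins that could be embed the website, preventing attacker from embedding the website at random places` should read `which restricts the origins that may embed the site in a frame, preventing an attacker from framing it on a page they control`. It would help readers to add in the same sentence that `frame-ancestors` takes over the role of the older `X-Frame-Options` header, since the paragraph otherwise leaves the reader to assume CSP is the only framing control available. In the closing paragraph, `straight-forward` is conventionally written `straightforward`, and the bare `\url{https://web.dev/csp/}` would sit more consistently with the rest of the text as a bibliography entry referenced with `\cite`. The hunk ends at the section separator, so the added paragraph is complete within it.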