Content Security Policy"

From Documentation
m (remove empty version history (via JWB))
 
(23 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
{{ZKDevelopersReferencePageHeader}}
 +
 +
 +
 +
 
= What is Content security policy?=
 
= What is Content security policy?=
Content-security-policy (CSP) is a security mechanism which helps web applications to prevent XSS attacks (cross-site scripting) and other content injection attacks.
+
Content-security-policy (CSP) is a security standard introduced to prevent XSS attacks (cross-site scripting) and other content injection attacks.
  
To reduce those injection risks, CSP declares permissions to load script from specific, trusted sources.
+
To reduce those injection risks, CSP provides a way for web applications and website owners to declare permissions for loading scripts from only approved and trusted sources.
We could configure our web server to return the CSP HTTP header, or use <meta> element.
+
To enable CSP, you can either configure your web server to return the CSP HTTP header, or use the <meta> element.
  
 
See more: [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2]
 
See more: [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2]
  
== How to use Content security policy?==
+
= How to use Content security policy? =
To use CSP in your web application, the first thing you need to know that not all the browsers support CSP.
+
To use CSP in your web application, the first thing you need to know is that not all the browsers support CSP.
 +
 
 
(Support browsers: [https://caniuse.com/#feat=contentsecuritypolicy Content Security Policy 1.0], [https://caniuse.com/#feat=contentsecuritypolicy2 Content Security Policy Level 2])  
 
(Support browsers: [https://caniuse.com/#feat=contentsecuritypolicy Content Security Policy 1.0], [https://caniuse.com/#feat=contentsecuritypolicy2 Content Security Policy Level 2])  
  
There are several "directive" recommended to be defined, which is in order to protect against XSS attacks.
+
To enable CSP, you can either configure your web server to return the CSP HTTP header, or use the <meta> element. The following "directives" are recommended to be defined, which is for protecting against XSS attacks. For complete information please reference [https://www.w3.org/TR/CSP/ CSP official documents].
  
1. default-src
+
== 1. default-src ==
  
The default-src is the default policy for loading content such as Javascript, CSS, fonts, etc. .
+
The default-src is the default policy for loading content such as Javascript, CSS, fonts, etc.
  
2. script-src / style-src / img-src / font-src
+
== 2. script-src / style-src / img-src / font-src ==
  
 
Defines valid sources of JavaScript/stylesheets/images/fonts.
 
Defines valid sources of JavaScript/stylesheets/images/fonts.
  
3. connect-src
+
== 3. connect-src ==
  
 
Applies to AJAX, WebSocket or EventSource.
 
Applies to AJAX, WebSocket or EventSource.
  
4. child-src
+
== 4. child-src ==
  
 
Governs the creation of nested browsing contexts as well as Worker execution contexts.  
 
Governs the creation of nested browsing contexts as well as Worker execution contexts.  
  
 
'''Examples'''
 
'''Examples'''
 +
 
1. Only allows loading resources from the same origin.
 
1. Only allows loading resources from the same origin.
 
<source lang="xml">
 
<source lang="xml">
Line 40: Line 47:
 
</source>
 
</source>
  
== Use Content security policy in ZK==
+
= Using Content Security Policy in ZK=
CSP is not fully supported in ZK, because we still need to use some 'unsafe-eval' and 'unsafe-inline' declaration when loading scripts and CSS from ZK.
+
We don't suggest applying too strict CSP to ZK, because internally ZK still needs to use some 'unsafe-eval' and 'unsafe-inline' declarations when loading scripts and CSS files. However, you can still use CSP in ZK to enhance supported parts and make your application safer than before. Here's an example of a relaxed policy used in a ZK application:
Which means that there still are risks when attackers use eval() script or inline scripts.
 
  
But you can still use CSP in ZK by declaring the following directives.
 
'''Example'''
 
 
<source lang="xml">
 
<source lang="xml">
 
<?header name="Content-Security-Policy-Report-Only"
 
<?header name="Content-Security-Policy-Report-Only"
    value="default-src 'none'; script-src 'self' 'unsafe-eval'; frame-src 'self'; connect-src 'self' ws://your.server.name:8080/;
+
value="default-src 'none';
    img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self';" ?>
+
script-src 'self' 'unsafe-inline' 'unsafe-eval';
 +
frame-src 'self';
 +
connect-src 'self' ws://your.server.name:8080/;
 +
img-src 'self';
 +
style-src 'self' 'unsafe-inline';
 +
font-src 'self'" ?>
 
</source>
 
</source>
 +
* Using [https://www.zkoss.org/wiki/ZUML_Reference/ZUML/Processing_Instructions/header <?header ?>] to specify a response header.
 +
 +
 +
 +
{{ZKDevelopersReferencePageFooter}}

Latest revision as of 10:24, 5 February 2024


DocumentationZK Developer's ReferenceSecurity TipsContent Security Policy
Content Security Policy




What is Content security policy?

Content-security-policy (CSP) is a security standard introduced to prevent XSS attacks (cross-site scripting) and other content injection attacks.

To reduce those injection risks, CSP provides a way for web applications and website owners to declare permissions for loading scripts from only approved and trusted sources. To enable CSP, you can either configure your web server to return the CSP HTTP header, or use the <meta> element.

See more: Content Security Policy Level 2

How to use Content security policy?

To use CSP in your web application, the first thing you need to know is that not all the browsers support CSP.

(Support browsers: Content Security Policy 1.0, Content Security Policy Level 2)

To enable CSP, you can either configure your web server to return the CSP HTTP header, or use the <meta> element. The following "directives" are recommended to be defined, which is for protecting against XSS attacks. For complete information please reference CSP official documents.

1. default-src

The default-src is the default policy for loading content such as Javascript, CSS, fonts, etc.

2. script-src / style-src / img-src / font-src

Defines valid sources of JavaScript/stylesheets/images/fonts.

3. connect-src

Applies to AJAX, WebSocket or EventSource.

4. child-src

Governs the creation of nested browsing contexts as well as Worker execution contexts.

Examples

1. Only allows loading resources from the same origin. 

default-src 'self';

2. Allows loading scripts from the same origin and Google Analytics. 

script-src 'self' www.google-analytics.com;

Using Content Security Policy in ZK

We don't suggest applying too strict CSP to ZK, because internally ZK still needs to use some 'unsafe-eval' and 'unsafe-inline' declarations when loading scripts and CSS files. However, you can still use CSP in ZK to enhance supported parts and make your application safer than before. Here's an example of a relaxed policy used in a ZK application: 

<?header name="Content-Security-Policy-Report-Only"
		value="default-src 'none';
		script-src 'self' 'unsafe-inline' 'unsafe-eval';
		frame-src 'self';
		connect-src 'self' ws://your.server.name:8080/;
		img-src 'self';
		style-src 'self' 'unsafe-inline';
		font-src 'self'" ?>




Last Update : 2024/02/05

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.


Retrieved from "https://www.zkoss.org/_w/index.php?title=ZK_Developer%27s_Reference/Security_Tips/Content_Security_Policy&oldid=56821"