Content Security Policy (CSP) is an HTTP header that provides a robust mechanism to mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and data injection. Here are the top 50 features and directives supported by CSP:

1-10: Basic Content Control Directives

  1. default-src: Sets a default policy for all resource types not explicitly mentioned in other directives.
  2. script-src: Specifies allowed sources for JavaScript.
  3. style-src: Specifies allowed sources for stylesheets.
  4. img-src: Defines valid sources for images.
  5. connect-src: Controls URLs that can be loaded using script interfaces (e.g., fetch, XMLHttpRequest).
  6. font-src: Defines valid sources for font resources.
  7. object-src: Specifies valid sources for the <object>, <embed>, and <applet> elements.
  8. media-src: Defines sources for <audio> and <video> elements.
  9. frame-src: Specifies valid sources for embedding <frame> and <iframe> content.
  10. worker-src: Specifies valid sources for Worker and SharedWorker scripts.

11-20: Advanced and Control Directives

  11. child-src: Controls resources for nested browsing contexts, like <frame> and <iframe>.
  12. form-action: Restricts the URLs to which forms can be submitted.
  13. frame-ancestors: Specifies valid parents that may embed the current page using <frame>, <iframe>, or <object>.
  14. sandbox: Applies restrictions to a page or frame, similar to the sandbox attribute on an <iframe>.
  15. plugin-types: Restricts the MIME types of plugins that can be loaded.
  16. base-uri: Restricts the URLs to which a document's <base> element can point.
  17. manifest-src: Specifies allowed sources for manifest files.
  18. prefetch-src: Specifies valid sources for prefetching or prerendering.
  19. navigate-to: Limits the URLs the page can navigate to using links or redirects.
  20. require-trusted-types-for: Enforces the use of Trusted Types to prevent XSS.
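The fall-back behaviour of default-src described in item 1, and the fact that the navigation directives in items 12, 13 and 16 do not inherit from it, is easiest to see by resolving a policy programmatically. The following Python is an added example, not code from the original page: it parses a header value, serializes it back, and reports which source list governs a given directive. The header string and the host cdn.example are constructed sample input.

```python
# Added example, not from the original page: parse and serialize a
# Content-Security-Policy header value and resolve which source list
# governs a directive, following the default-src fall-back rules.
from typing import Dict, List, Optional

# Fetch directives: these fall back to default-src when not set.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "prefetch-src",
    "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "worker-src",
}

# Intermediate fall-backs consulted before default-src (CSP Level 3).
PARENT_DIRECTIVES = {
    "script-src-elem": ["script-src"],
    "script-src-attr": ["script-src"],
    "style-src-elem": ["style-src"],
    "style-src-attr": ["style-src"],
    "worker-src": ["child-src", "script-src"],
    "frame-src": ["child-src"],
}

# Navigation/document directives that never inherit from default-src;
# leaving one of these out leaves that behaviour unrestricted.
NON_INHERITING = {"base-uri", "form-action", "frame-ancestors"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive. A directive that appears twice
    is ignored the second time, which is what browsers do (first one wins).
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp; value-less directives are emitted bare."""
    parts = []
    for name, sources in policy.items():
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, or None if the
    policy does not restrict it at all."""
    if directive in policy:
        return policy[directive]
    for parent in PARENT_DIRECTIVES.get(directive, []):
        if parent in policy:
            return policy[parent]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def unrestricted_non_inheriting(policy: Dict[str, List[str]]) -> List[str]:
    """Directives a reviewer should expect to see set explicitly, because
    default-src does not cover them."""
    return sorted(d for d in NON_INHERITING if d not in policy)


if __name__ == "__main__":
    # Constructed sample header (hostname cdn.example is a placeholder).
    header = ("default-src 'self'; script-src 'self' https://cdn.example; "
              "frame-ancestors 'none'; upgrade-insecure-requests")
    policy = parse_csp(header)
    for d in ("img-src", "script-src-elem", "worker-src", "form-action"):
        print(f"{d:16} -> {effective_sources(policy, d)}")
    print("missing:", unrestricted_non_inheriting(policy))
```

Running it shows img-src inheriting 'self' from default-src, script-src-elem and worker-src inheriting from script-src, and form-action returning None, meaning the sample policy leaves form submission targets unrestricted even though default-src is set.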

21-30: Subresource Integrity and Input Restrictions

  21. block-all-mixed-content: Blocks all mixed content requests.
  22. upgrade-insecure-requests: Automatically upgrades HTTP requests to HTTPS.
  23. trusted-types: Defines policies that control which functions can create DOM objects from strings.
  24. report-uri: Specifies where violation reports are sent.
  25. report-to: Sends violation reports to a Reporting API endpoint.
  26. nonce attribute: Allows a per-response nonce ('nonce-xxxx' in the policy, matched by the element's nonce attribute) to whitelist specific scripts or styles.
  27. 'strict-dynamic': Used together with nonces (and 'unsafe-inline' as a fallback for older browsers) to extend trust to scripts that a trusted script creates dynamically.
  28. 'unsafe-inline': Allows inline JavaScript and CSS (should be avoided in strict CSP).
  29. 'unsafe-eval': Allows the use of eval() and similar functions (should be avoided in strict CSP).
  30. 'self': A source keyword that allows loading from the same origin.
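Items 26 to 28 are the building blocks of a nonce-based strict CSP, and the interaction between them matters: once a nonce or hash source is present, browsers ignore 'unsafe-inline', which is why it can be left in as a fallback for older browsers. The Python below is an added example, not code from the original page; it generates a nonce, computes a hash source for an inline script, assembles the script-src list, and models the browser's decision for an inline script. The decision model is simplified (assumptions: only nonce, sha256 hash and 'unsafe-inline' sources are considered, and the sample script texts are constructed).

```python
# Added example, not from the original page: a nonce-based strict CSP for
# script-src and a simplified model of how a browser decides whether an
# inline <script> runs under it (nonce and sha256 hash sources only).
import base64
import hashlib
import secrets
from typing import Iterable, List, Optional

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def new_nonce() -> str:
    """128 bits of randomness, base64-encoded. Generate a fresh one for
    every response; a reused or guessable nonce gives no protection."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def sha256_source(script_text: str) -> str:
    """Hash source expression for an inline script's exact text."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def strict_script_src(nonce: str, hashes: Iterable[str] = ()) -> List[str]:
    """script-src for a strict, nonce-based policy with compatibility
    fallbacks: 'strict-dynamic' lets nonced scripts load further scripts;
    'unsafe-inline' and https: are ignored by browsers that understand
    nonces and 'strict-dynamic' and only act as fallbacks for older ones."""
    return [f"'nonce-{nonce}'", *hashes, "'strict-dynamic'",
            "'unsafe-inline'", "https:"]


def inline_script_allowed(sources: List[str], script_text: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Would an inline <script> with this text (and optional nonce
    attribute) execute under the given script-src source list?"""
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources
    )
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    if sha256_source(script_text) in sources:
        return True
    # 'unsafe-inline' only counts when the policy has no nonce or hash
    # source; otherwise browsers ignore it, which is what makes the
    # fallback safe to ship.
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def render_policy_header(nonce: str) -> str:
    """Full header value for the strict policy, with object-src and
    base-uri locked down as the usual strict-CSP recipe recommends."""
    return "; ".join([
        "script-src " + " ".join(strict_script_src(nonce)),
        "object-src 'none'",
        "base-uri 'none'",
    ])


if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", render_policy_header(nonce))
    sources = strict_script_src(nonce)
    # Constructed inline script text for the demonstration.
    print("nonced script runs:   ", inline_script_allowed(sources, "init()", nonce))
    print("un-nonced script runs:", inline_script_allowed(sources, "init()"))
```

The header is assembled per response with the fresh nonce; the same nonce value must be placed in the nonce attribute of every <script> the server intends to run, and nothing else.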

31-40: Source Control Keywords

  31. 'none': Disallows all content for the directive.
  32. 'unsafe-hashes': Allows hash sources to match inline event handlers and javascript: URLs, not only the contents of <script> elements.
  33. strict-origin: Restricts requests to the same origin, with a strict scheme.
  34. strict-origin-when-cross-origin: Allows restricted cross-origin requests while protecting sensitive data.
  35. data: (scheme source): Allows data: URIs (e.g., data:image/png).
  36. blob: (scheme source): Allows blob: URLs.
  37. filesystem: (scheme source): Allows filesystem: URLs.
  38. https: (scheme source): Restricts resources to HTTPS sources.
  39. http: (scheme source, not recommended): Allows resources from insecure HTTP.
  40. 'unsafe-inline-hashes': Allows using hashes with inline code.
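How a browser decides whether a URL is covered by a source expression is worth seeing in code, especially the wildcard and port rules that catch people out. The Python below is an added example, not code from the original page. It matches a URL against the CSP source expressions in this section: 'self', 'none', scheme sources (https:, http:, data:, blob:) and host sources with an optional scheme, a leading "*." wildcard and a port. It does not cover strict-origin and strict-origin-when-cross-origin, which are Referrer-Policy values rather than CSP source expressions. Assumptions: path matching is omitted, and the hostnames app.example and cdn.example are constructed placeholders.

```python
# Added example, not from the original page: match a URL against CSP source
# expressions ('self', 'none', scheme sources, host sources with wildcards
# and ports). Path matching is left out (assumption: host-level only).
from typing import List
from urllib.parse import SplitResult, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# CSP treats the secure scheme as a valid match for its insecure counterpart.
SECURE_UPGRADES = {("http", "https"), ("ws", "wss")}


def _port(u: SplitResult):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _scheme_ok(pattern_scheme: str, url_scheme: str) -> bool:
    return url_scheme == pattern_scheme or (pattern_scheme, url_scheme) in SECURE_UPGRADES


def _host_ok(pattern_host: str, host: str) -> bool:
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # "*.cdn.example" -> ".cdn.example"
        # The wildcard needs at least one label; cdn.example itself is NOT matched.
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """True if the single source expression `expr` allows loading `url`
    from a document whose origin is `page_origin`."""
    expr = expr.lower()
    u = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (page.scheme, page.hostname, _port(page))
    if expr.startswith("'"):
        return False                       # nonces, hashes and keywords never match a URL
    if expr.endswith(":") and "/" not in expr:
        return _scheme_ok(expr[:-1], u.scheme)   # scheme source: https:, data:, blob:, ...
    # host source: [scheme://]host[:port][/path]
    if "://" in expr:
        p_scheme, rest = expr.split("://", 1)
    else:
        p_scheme, rest = None, expr
    rest = rest.split("/", 1)[0]
    p_host, p_port = (rest.rsplit(":", 1) if ":" in rest else (rest, None))
    if p_scheme is not None:
        if not _scheme_ok(p_scheme, u.scheme):
            return False
    elif not _scheme_ok(page.scheme, u.scheme):
        return False                       # no scheme in the pattern: the page's scheme applies
    if not _host_ok(p_host, (u.hostname or "").lower()):
        return False
    if p_port == "*":
        return True
    if p_port is None:
        return _port(u) == DEFAULT_PORTS.get(u.scheme)
    return _port(u) == int(p_port)


def policy_allows(sources: List[str], url: str, page_origin: str) -> bool:
    """A source list allows a URL if any one of its expressions matches."""
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://app.example"
    for expr, url in [("'self'", "https://app.example/a.js"),
                      ("*.cdn.example", "https://cdn.example/a.js"),
                      ("*.cdn.example", "https://static.cdn.example/a.js"),
                      ("https:", "http://cdn.example/a.js"),
                      ("cdn.example", "https://cdn.example:8443/a.js")]:
        print(f"{expr:16} {url:40} {source_matches(expr, url, page)}")
```

Two results from the sample run are the ones worth remembering: "*.cdn.example" does not match the bare cdn.example host, and a host source without a port matches only the scheme's default port, so cdn.example:8443 needs its own entry.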

41-50: Reporting and Miscellaneous

  41. 'report-sample': Allows the browser to include sample code in reports.
  42. script-src-attr: Specifies valid sources for inline event handlers and script attributes.
  43. style-src-attr: Specifies valid sources for inline style attributes.
  44. style-src-elem: Specifies valid sources for <style> and <link> elements.
  45. script-src-elem: Specifies valid sources for external scripts.
  46. cross-origin-embedder-policy: Used for embedding security and cross-origin isolation.
  47. cross-origin-opener-policy: Prevents cross-origin communication between windows.
  48. cross-origin-resource-policy: Controls the sharing of resources with cross-origin requests.
  49. unsafe-hashes-with-fallback: Allows fallback behavior when using unsafe hashes.
  50. worker-src-attr: Allows customization of inline worker scripts.
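A policy is only as good as what is done with its violation reports, and the two reporting mechanisms in items 24, 25 and 41 deliver them in different shapes: report-uri posts a single JSON object under a "csp-report" key with hyphenated field names, while report-to delivers a Reporting API array whose entries of type "csp-violation" carry camelCase fields (and 'report-sample' fills the script sample in either). The Python below is an added example, not code from the original page; it normalizes both formats into one record shape and sorts records into extension noise, inline-script violations and unexpected external origins. It covers the CSP reporting formats only: items 46 to 48 are standalone HTTP headers, not CSP directives, and produce no CSP reports. All report contents, URLs and hostnames are constructed sample data.

```python
# Added example, not from the original page: normalize CSP violation reports
# from both wire formats (legacy report-uri object, Reporting API array used
# by report-to) into one shape, then classify each record for triage.
# Every report below is constructed sample data, not a captured report.
import json
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}

REPORT_URI_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; script-src 'self' 'nonce-abc123' 'report-sample'; report-uri /csp",
    "blocked-uri": "inline",
    "source-file": "https://app.example/checkout",
    "line-number": 42,
    "script-sample": "console.log('constructed sample')",
    "status-code": 200,
}})

REPORTING_API_SAMPLE = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://app.example/",
     "user_agent": "constructed UA",
     "body": {"documentURL": "https://app.example/", "effectiveDirective": "img-src",
              "blockedURL": "chrome-extension://constructedextensionid/icon.png",
              "originalPolicy": "default-src 'self'", "disposition": "enforce",
              "statusCode": 200}},
    {"type": "deprecation", "age": 15, "url": "https://app.example/",
     "user_agent": "constructed UA", "body": {"id": "constructed"}},
    {"type": "csp-violation", "age": 20, "url": "https://app.example/",
     "user_agent": "constructed UA",
     "body": {"documentURL": "https://app.example/", "effectiveDirective": "connect-src",
              "blockedURL": "https://unknown-third-party.example/beacon",
              "originalPolicy": "default-src 'self'", "disposition": "report",
              "statusCode": 200}},
])


def normalize_reports(raw: str) -> List[Dict[str, Any]]:
    """Accept either wire format and return a list of uniform records."""
    data = json.loads(raw)
    records: List[Dict[str, Any]] = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        records.append({
            "document": r.get("document-uri"),
            "directive": r.get("effective-directive") or r.get("violated-directive", ""),
            "blocked": r.get("blocked-uri", ""),
            "sample": r.get("script-sample"),
            # Older browsers omit disposition here; assume enforce when absent.
            "disposition": r.get("disposition", "enforce"),
            "source_file": r.get("source-file"),
            "line": r.get("line-number"),
        })
    elif isinstance(data, list):
        for entry in data:
            if entry.get("type") != "csp-violation":
                continue  # the Reporting API endpoint also receives other report types
            b = entry.get("body", {})
            records.append({
                "document": b.get("documentURL"),
                "directive": b.get("effectiveDirective", ""),
                "blocked": b.get("blockedURL", ""),
                "sample": b.get("sample"),
                "disposition": b.get("disposition", "enforce"),
                "source_file": b.get("sourceFile"),
                "line": b.get("lineNumber"),
            })
    else:
        raise ValueError("unrecognised CSP report format")
    return records


def triage(rec: Dict[str, Any]) -> str:
    """Coarse classification: extension noise, inline-script violation,
    other inline violation, or a request to an origin the policy excludes."""
    blocked = rec["blocked"]
    if urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension-noise"
    if blocked in ("inline", "eval"):
        return "inline-script" if rec["directive"].startswith("script-src") else "inline-other"
    return "external-origin"


def summarize(records: List[Dict[str, Any]]) -> Dict[Tuple[str, str], int]:
    """Count records by (effective directive, triage class)."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in records:
        key = (r["directive"], triage(r))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = normalize_reports(REPORT_URI_SAMPLE) + normalize_reports(REPORTING_API_SAMPLE)
    for key, n in sorted(summarize(records).items()):
        print(f"{key[0]:16} {key[1]:16} {n}")
```

The disposition field tells a report-only policy (Content-Security-Policy-Report-Only, disposition "report") apart from an enforced one, which matters when the same endpoint collects reports during a rollout; the extension-noise class is what keeps a dashboard readable, since browser extensions injecting resources are the largest source of violations that the site cannot fix.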

Summary

These directives and features offer fine-grained control over the resources a web page can load. A well-implemented CSP reduces attack surfaces significantly, improving security against content-based attacks. Use tools like CSP Evaluator to analyze and optimize your CSP policies.