Blocking XSS attacks with Content Security Policy

  • Monday, 22 Jun 2015 3:00PM EDT (22 Jun 2015 19:00 UTC)
  • Speaker: Gregory Leonard

Cross-Site Scripting (XSS), a form of injection attack in which malicious scripts are injected into a web site's content, is a long-standing problem for application development teams. With modern web sites becoming more reliant upon third-party sources for delivering content, the risk of XSS attacks remains high, and the number of attack vectors continues to grow. To combat these attacks, the Web Application Security working group of the World Wide Web Consortium (W3C) has introduced the Content Security Policy (CSP) header. When added to a web page's HTTP response, this header gives the browser directives on how to handle the page's content and which sources are allowed to provide it. This presentation will discuss Content Security Policy and the protections it can provide, along with a demonstration of how applying the CSP header to a web site can provide strong XSS protection.
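As an added illustration (not part of the webcast or its demo), the following Python snippet places a weak policy that still permits inline scripts beside a hardened one, and implements a simplified check of which scripts a browser enforcing each policy would run. The page origin and the CDN host are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample policies (assumptions, not from the presentation).
# The weak policy allows inline <script> blocks and any remote host, so it
# offers no protection against a classic reflected or stored XSS payload.
WEAK_CSP = "default-src 'self' 'unsafe-inline' *"
# The hardened policy trusts only the site's own origin plus one named CDN
# for scripts, and forbids plugins entirely.
STRICT_CSP = ("default-src 'self'; "
              "script-src 'self' https://cdn.example.net; "
              "object-src 'none'")


def parse_csp(policy):
    """Parse a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(expr, origin, page_origin):
    """Simplified source-expression match: 'self', '*' or an exact origin."""
    expr = expr.lower()
    if expr == "'self'":
        return origin == page_origin
    if expr == "*":
        return True
    return origin == expr  # host-source such as https://cdn.example.net


def script_allowed(policy, page_origin, script_src=None):
    """Return True if a browser enforcing `policy` would execute the script.

    script_src=None models an inline <script> block (the usual XSS payload);
    otherwise it is the URL of an external script. script-src is used when
    present and default-src is the fallback, as the CSP directive rules say.
    """
    directives = parse_csp(policy)
    sources = [s.lower() for s in
               directives.get("script-src", directives.get("default-src", []))]
    if "'none'" in sources:
        return False
    if script_src is None:
        return "'unsafe-inline'" in sources
    parts = urlsplit(script_src)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    return any(_source_matches(s, origin, page_origin) for s in sources)


def add_csp_header(headers, policy):
    """Attach the policy to an outgoing response's header list (WSGI style)."""
    return headers + [("Content-Security-Policy", policy)]
```

Running `script_allowed(STRICT_CSP, "https://app.example.com")` returns False for an injected inline script while the same call against WEAK_CSP returns True, which is the difference the demonstration in the talk is about.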