CRV2 ClientSideCodeContSecPolicy

Content Security Policy (CSP).

CSP is a W3C specification that lets a server instruct the client browser from which locations and/or of which types resources are allowed to be loaded. To define a loading behaviour, the CSP specification uses "directives", where each directive defines the loading behaviour for one target resource type (for example, script-src controls where scripts may be loaded from).

Directives can be specified using an HTTP response header or an HTML meta tag. A server may send more than one CSP HTTP header field with a given resource representation, and it may send different CSP header field values with different representations of the same resource or with different resources. The HTTP headers below are defined by the specs:

 * Content-Security-Policy : Defined by the W3C specs as the standard header; used by Chrome version 25 and later, Firefox version 23 and later, Opera version 19 and later.
 * X-Content-Security-Policy : Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
 * X-WebKit-CSP : Used by Chrome until version 25.

Risk
The risk with CSP has two main sources:
 * 1) Policy misconfiguration,
 * 2) Too permissive policies.
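The following is an added example, not code from the OWASP page: a small reviewer that parses a Content-Security-Policy header value into its directives and flags both risk sources listed above, misconfiguration (a missing default-src fallback, a directive repeated so the browser ignores the later copy) and over-permissive sources ('*', scheme-only sources such as https:, 'unsafe-inline', 'unsafe-eval', data:) in the directives that govern script execution. The sample policies inside demo() are constructed for illustration.

```python
"""Added example: parse a CSP header value and flag misconfigured or
too-permissive directives. Not part of the OWASP Code Review Guide."""
from typing import Dict, List, Tuple

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src",
)

# Directives whose sources decide where executable content may come from.
SCRIPT_BEARING = ("default-src", "script-src", "object-src")


def parse_csp(header_value: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Also returns the names of directives that appeared more than once:
    browsers keep only the first occurrence, so a duplicate usually means
    the policy does not do what its author thinks it does.
    """
    policy: Dict[str, List[str]] = {}
    duplicates: List[str] = []
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            duplicates.append(name)
            continue
        policy[name] = tokens[1:]
    return policy, duplicates


def review_csp(header_value: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy, duplicates = parse_csp(header_value)
    findings = [f"{name}: repeated directive, browser ignores later copies"
                for name in duplicates]

    # Misconfiguration: without default-src, every absent fetch directive
    # is unrestricted rather than inheriting a safe default.
    if "default-src" not in policy:
        missing = [d for d in FETCH_DIRECTIVES if d not in policy]
        if missing:
            findings.append("default-src missing: unrestricted fallback for "
                            + ", ".join(missing))

    # Too permissive: sources that let any origin, or inline code, run scripts.
    for name in SCRIPT_BEARING:
        for src in policy.get(name, []):
            s = src.lower()
            if s == "*":
                findings.append(f"{name}: '*' allows loading from any origin")
            elif s in ("http:", "https:"):
                findings.append(f"{name}: scheme-only source {s} allows any host")
            elif s == "'unsafe-inline'":
                findings.append(f"{name}: 'unsafe-inline' permits inline script, "
                                "defeating CSP's XSS protection")
            elif s == "'unsafe-eval'":
                findings.append(f"{name}: 'unsafe-eval' permits eval() and similar")
            elif s == "data:":
                findings.append(f"{name}: data: URIs can carry attacker-supplied script")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the reviewer over two constructed sample policies."""
    weak = ("default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "script-src 'none'; img-src https:")
    strict = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'")
    return {"weak": review_csp(weak), "strict": review_csp(strict)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The reviewer only inspects default-src, script-src and object-src for permissive sources, because data: or https: in img-src is a common and usually acceptable choice; what matters for code review is where executable content may come from. The strict sample policy produces no findings, while the weak one is reported for its wildcard default-src, its duplicated script-src and its 'unsafe-inline' and 'unsafe-eval' keywords.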

This page lists useful security-related HTTP headers. In most architectures these headers can be set in the web server configuration (Apache, IIS) without changing the application's code. This offers a significantly faster and cheaper method for at least partial mitigation of existing issues, and an additional layer of defense for new applications.

References:
 * Apache: http://httpd.apache.org/docs/2.0/mod/mod_headers.html
 * IIS: http://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx