Difference between revisions of "Talk:Content Security Policy"

From OWASP
Latest revision as of 06:06, 30 April 2013

I don't think this correctly belongs to the OWASP Java Project, since CSP deals with browser security and the server-client protocol (HTTP headers), independently of the specific server implementation. You can send the CSP headers from any possible HTTP server - Java, ASP, PHP/Apache, NodeJS, etc. Personally, I find that the lengthy Java implementation example may distract from the main issues and the choices / tradeoffs that people thinking about implementing the CSP on their sites would have to make. Also, regarding the following:

> Inline script will be allowed because inline scripting is commonly used (it can be disabled if the target site does not use this type of scripting)

I think this does not make it clear that unsafe-inline removes a lot of anti-XSS protection and therefore most of the benefits of using the CSP.

>> This page shows a sample of a CSP implementation for Java technologies, and this is the reason why I have put the article here. For sure the article can be refactored to separate pure CSP content from the Java implementation. The implementation takes into account the way in which many web applications are developed (at least each one I have seen until today), and in a lot of them there is inline script. Anti-XSS protections are also implemented on the server side; CSP is only an additional protection layer and does not only apply to XSS (e.g. plugin type or frame sandbox)...

> This article is based on version 1.1 of the W3C specification.

I believe 1.1 is not yet fully complete, and the implementations are based mostly on 1.0 (need to double-check). I think 1.0 would be the better fit for this page - need to look into how significant the changes are.

>> The implementation also takes into account features coming from version 1.1 (script-nonce, reflected-xss block, frame sandbox, plugin type, ...). I have written this article in order to provide a starting point to implement CSP in a Java web app, and for sure the sample must be adapted to the target application. About the "lengthy Java implementation", most of the cost in an application's life goes to maintenance, and that is the reason why I prefer to provide detailed code that is easily understandable, because the people who will do the maintenance are often different from the people who developed the application...

>> ..But in all cases it's a wiki, so feel free to update/refactor the article in order to enhance it ;o)
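The two choices debated above (keeping 'unsafe-inline' versus whitelisting inline scripts with a per-response nonce, the CSP 1.1 "script-nonce" idea) can be compared with a small policy model. This is an added example in Python, not code from the OWASP article or from either participant; the policy builder, the source-list parser and the simplified browser-side check are all constructed here.

```python
import secrets
from typing import List, Optional


def build_policy(nonce: Optional[str] = None, allow_inline: bool = False) -> str:
    """Build a CSP header value (constructed example policies).

    allow_inline=True reproduces the article's permissive choice;
    nonce=<value> reproduces the hardened, nonce-based alternative.
    """
    sources = ["'self'"]
    if allow_inline:
        sources.append("'unsafe-inline'")
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "default-src 'self'; script-src " + " ".join(sources)


def script_sources(policy: str) -> List[str]:
    """Return the source list of the script-src directive ([] if absent)."""
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return value.split()
    return []


def inline_script_allowed(policy: str, script_nonce: Optional[str] = None) -> bool:
    """Model how a CSP-enforcing browser treats one inline <script> block.

    script_nonce is the script's nonce attribute (None for a script the
    server never tagged, e.g. one injected through XSS). A matching nonce
    always allows the script; otherwise 'unsafe-inline' allows it only when
    no nonce/hash source is present, since those switch 'unsafe-inline' off.
    """
    sources = script_sources(policy)
    if script_nonce and f"'nonce-{script_nonce}'" in sources:
        return True
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    has_nonce_or_hash = any(s.startswith(prefixes) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def new_nonce() -> str:
    # Fresh and unguessable per response; never reuse one across responses.
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    nonce = new_nonce()
    weak, strong = build_policy(allow_inline=True), build_policy(nonce=nonce)
    print(weak, inline_script_allowed(weak))        # injected script runs: True
    print(strong, inline_script_allowed(strong))    # injected script blocked: False
    print(inline_script_allowed(strong, nonce))     # the page's own script: True
```

The check models CSP Level 2 semantics; a real browser applies more rules (hash sources, 'strict-dynamic', fallback to default-src), but the contrast that matters for the remark about 'unsafe-inline' is the first two printed results.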