SlideShare a Scribd company logo

Content Security Policy - PHPUGFFM

Walter Ebert
Walter Ebert

PHP Usergroup Frankfurt http://www.phpugffm.de/das-letzte-treffen-im-jahr-2013-steht-an/

Technology
1 of 23
Download to read offline
Content Security Policy Walter Ebert http://www.flickr.com/photos/murdelta/5963788863/ PHP Usergroup Frankfurt am Main 21. November 2013
Walter Ebert @wltrd walterebert.de
XSS Cross-Site-Scripting ist eine Art der HTML Injection. Cross-Site-Scripting tritt dann auf, wenn eine Webanwendung Daten annimmt, die von einem Nutzer stammen, und diese Daten dann an einen Browser weitersendet, ohne den Inhalt zu überprüfen. Damit ist es einem Angreifer möglich, auch Skripte indirekt an den Browser des Opfers zu senden und damit Schadcode auf der Seite des Clients auszuführen. https://de.wikipedia.org/wiki/Cross-Site-Scripting
Schützt den Benutzer Nicht die Anwendung
http://www.phptherightway.com/#security
W3C Content Security Policy CSP 1.0 http://www.w3.org/TR/CSP/ CSP 1.1 (In Arbeit) https://dvcs.w3.org/hg/content-security-policy/r aw-file/tip/csp-specification.dev.html
http://caniuse.com/#search=csp
Konfiguration Apache <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'self';" </IfModule> PHP header("Content-Security-Policy: default-src 'self';");
$ curl -I http://dev.walterebert.com HTTP/1.1 200 OK Date: Sat, 02 Nov 2013 12:49:57 GMT Server: Apache/2.2.22 X-Powered-By: PHP/5.3.17 Cache-Control: max-age=0 Expires: Sat, 02 Nov 2013 12:49:57 GMT Content-Security-Policy: default-src 'self'; Vary: Accept-Encoding Content-Type: text/html; charset=utf-8
Reporting Apache <IfModule mod_headers.c> Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-reporter.php;" </IfModule> PHP header("Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reporter.php;");
csp-reporter.php <?php header('HTTP/1.1 204 No Content'); $data = file_get_contents('php://input'); if (is_string($data) and json_decode($data)) { syslog(LOG_INFO, $data); }
HTTP POST { "csp-report": { "document-uri":"http://dev.walterebert.com/", "referrer":"", "violated-directive":"default-src 'self' ", "original-policy":"default-src 'self'; report-uri /csp-reporter.php;", "blocked-uri":"http://cdn.slidesharecdn.com", "status-code":200 } }
Chrome {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"http://cdn.slidesharecdn.com","status-code":200}} {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"data","status-code":200}} {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"","status-code":200}}
Firefox {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/responsive-design-drupal-meetup-frankfurt-130912115128-phpapp01-thumbnail-2.jpg?1379004938","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/web-performance-optimierung-developer-week-2013-130625082350-phpapp02-thumbnail-2.jpg?1372582510","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/webperfdays-amsterdam-2013-responsive-video-130519125920-phpapp02-thumbnail-2.jpg?1378556655","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"n// Responsive menunif (typeof window.ma...","line-number":14}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/web-performance-drupal-meetup-frankfurt-2013-130314172209-phpapp01-thumbnail-2.jpg?1363299801","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/responsive-design-drupal-meetup-frankfurt-130912115128-phpapp01-thumbnail-2.jpg?1379004938","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/web-performance-optimierung-developer-week-2013-130625082350-phpapp02-thumbnail-2.jpg?1372582510","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/webperfdays-amsterdam-2013-responsive-video-130519125920-phpapp02-thumbnail-2.jpg?1378556655","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/web-performance-drupal-meetup-frankfurt-2013-130314172209-phpapp01-thumbnail-2.jpg?1363299801","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAAAWCAMAAAC7dUHMAAAAMFBMVEUFCAMREg8aGxkhIyA6PDlkZmN1bJ+SjbCSlJGcmrCwsbC5tcvIycze3+Hw7/H9//xelZ5BAAABu0lEQVR4AZ3U7crcQAgF4MmomY/xeO7/butMdlta+ufNYVkl4IMBSeF/E3Pyh/lIEQCCfzJ7vJHCV2ttuH+12OWNhJUGHm6B5FpvJXcPtPu+txVku/2NFGsMDz5Oy54r+xdSrNZWA F8o1b1d/FxKYmEivtDESggvdhoJjRWxPpCfHWMxupn1gGWc3XyaISvZVU+XcXrvIGYUtuZjOJy+Mh4+HXutgF4qxbyI1gtWZy9lUivnpXpJWBb1WUQU3lG41mgNGPEcqCfY7kxKiimCYrTiJrOLGDUJcZruJyS7zV5meBRiv1b4cAJbSvhITCmHNaWpGltSE6hAFAyEVes9IrhlsjDaIw3Q5/LknhBWRUr3UmvtPFKXviUDM3ZlQM5q/Ej3vaVD5X97kpKK9Ukv1lWPJK6akn52ko4DafwlPdftG7 l3yDPBLdFKHAldRHZLveYuBwIf6Vx0oG0KxAda/0g4kkOq5LBIVdpVa3Gpic9HQg4izjLnkA4VZPQeJGGT3Tx/8zkicqpaZJuB7fgj0e97cGwqG3Bbb78F5w7vdHaak8GXEnGv5J4c67XEWBHrNxTvpSdYo613TOYXgZ5KQK6spScAAAAASUVORK5CYII=","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAAAyCAMAAAAnSAbsAAAAMFBMVEUJb5U3g6NVlrHnkiJ2qb/rp025vLqlxtTvunTJy8nzyJLY4uX44MPu8vL78OP9//xCc7hCAAACiElEQVR4Ae3X4ZKrKBAFYEC0g4dDv//bbjcYNLPJbqqcn3PuVRpKvrQxlZkJ+lv5k2Yowt+RcopRyN+QhBJTFvCuhASlSIrCm5JKppIqKeOmpAkqosqccFNyRnRQ9yQkjoI585akC dOUe5LMViThlqRxNpXzPensRBLvSbNCljsS86XMvCEhKzFvT+5ISXN619SQCBxLpJJHDX0TRo3x0hReJBYABAFYtfkJaoW+S5Ig+clKzsIXSYmylVJgx+blxu2DhByZRU9LcJU8JkF9ZNm2z5KKKISnLIIpKQpoB6h2wE5uAvoxACeUo/DGz5b5VHLKWfjm2SlndaaNvK7Vpq/fU2FMkwwAszy3PEb21vZLue7PDcIpIYYQRT05hJBfpLos67F9P8plebTH8phvlHBKBo39iFalq9R22zaij2WtXh h+Sm7hlGIOEb2llEySLEfr2SU9shra9WWpF0nJiyQpiBV2Nox2qEdC5L6se7W0U9KzpzNTkpCgEiN+Su2xLqunficBMYoJmT8lbdXjyneSKxKD6L+kEbvJLpnbfkh1r1dJJfqbjf+Qel9O1CG159Pd93aVkEIIwi5JCClbkkl17Vlsp3+evFqtv+q1Z69XKSaoSgxjyKSk2BOib/esdnXbjemp/tEf0qPa3T0lAuxnjInjPdmfXe1pfnEbE+/JJyNefPwugIxYl/ombX/UL39/MmIkQd/Fuvg/ibz 2BFC/zfz2hXIrVmyFqnZQNz3jV/RlC8bBoh7gVfL9sLCwWLZxmqGir2z2fww+O/71SZeGXIYE9h39bP6xBWprG3yJNud4FRT4CJTCsye72m/Mi759vLqPPpAFxyu4pEMy49kT//4C+j7/AAp/ttcmKUUDAAAAAElFTkSuQmCC","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAABECAMAAAD6M+gwAAAAwFBMVEXt7PDc29+Wj7LDv9ODfKWMhqyWkLOgm7p6dJ9wa5lnY5S3tsNZV4tMS4RLS4RLS4NMTIStrbnPz9Tx8fLp6eq8vcTCw8ioqrKytLuKjpmIjJeMkJucn6ianaafoqujpq5/hJCBhpKUmKKSlqCRlZ+Pk512fImFipWXm6SUmKF5f4t8go5udYJxeIVzeoZkbXpmb3xocX5rc39vd4Ntd YFgandrdIBbZnNTYG5JWWhOXWtQX21JWmhJWWdKWmj/// +KYSnGAAAGvklEQVR4AazSzW6jMBTF8bDOChPA+QgBB3CKGSZJq6wqnfd/q7k+IGxFnV1/uN1U+uvat5vv37L5xu/wpVtwXpyC6lRFLnLelMSSMebD0Bpcmqe3aEyKVZRlqRXX9nr9EAyGKK1Z8d9RWeoW7ey6MGv3p+tLU5dRk6X9cbEmOx+MqmxS1NRImZSmdOfSgrUQfR+1fYsWSKNRWbLWHg5yDvvgp2a7YrNAGb0qS41dHfNVt+/yBJm6+FxO+tyR0XmRyx9LRjmpmUuRHIutvWWAHCgZEYv CZ3WG2SUalqU6aBouO0HSdBlUa22ZIbcWiawnLZgtAZXKf5DCJXoAllxQU4nM1gWKxjMZugaJ9WTMyu6QHrwcVfSoLA0RJ2Sam3MZqnkrCmkD1ZDG9sSq2EpVgpbZPUs9DYP8eE0CLUkEuoaq6YxtiW1DW5xswNLk9asCapAmdlqQcVCObtCVhEVTa5ybgKU/3uQ/r8TG9WIHO496vNaDxMlAd9jxRZ3GrXb1bCmN4/hJvmgBy2YKxUkrZK6H8tF+uEIPCoU03aBhXMDS8/lF4/g1yihJ6vV9gsQM hxSopkmqvddC9/tsvriCCWsaWHo8gwKLfJSUtznJpFC8/9QhnaaDwqztiati6X6/P+4PGsrV8HzdcqUqJ7OOeztfvz/W0p0OJvWaaFUs/fXuswd/URj19ZL7v/gA4lM+X5UjOKpYS6v70mSQUXrKWbsSZfUf2eTT3CoOBPHlvKel2CG+2FgHV7FPMfvHLmlId/T9v9WOBgGv6k0lMKqIX3dLk1rbTf336aT3USnndQVZf9avnNKJdWajnnU6dVIyhEFWQglWjqK+lcR3TofX8wR+zf/vRjIK/Dsih TAxzmGecLc2M8zzdXrfnsvN6vm8LX/fxtvt8RjH6+Nnq076QtWHg4b+OjIMIldKJ8MI6QaZWB7v0vf9X3c71NL1/Y976bvfnuZyN+okkNgiYe7qYhaQlIAgVFtAS0R5pPSe7FDL9H4v9/L+p7stR70bCcR2QKMARjJPd4iE/ncwCOikXoSfJScz98f7hyE/ +v2evr7hpMqwIpTXjdSFEC1dXxLcFyppDDNioVpzXz/Lmv+UdV2/3YRuJHjvni5DBtnSzXmYgFlIlpfBiEqynmQsyMNMl/c8TqKjUCsPnXygnXjg2JHBSLCvjUQn1ZjLq8jQZTpKAbB5UrCy1FDTvGiKr7hgScwxIy0gXxnWAjkazSpn25IrhfTp0zMdsB+7c7HJwYsutHfeqG774YvdE7VNdftjG3DdXqcC4OtTgrWa7D5PTYn5FWNCXsAIYLEEvlgSUlJ4aFq4mjvGXYeKRnLOph0HkQmxRBZFG EaJjAJIjzBrHakrUGwLY5Fu3D3p7kmVaK5jH2M2UpcLYUwSUVRlmEMgy8UMs8RX3aIXaWfrUZ10zICyelrwsiEoQB+lzHwJKJfysXm6g8W28FVKqULtqrSR9njwKLRnGgpVZkowLCAxlFDduDp9sNBN7TqB4+683GeVmo3ESwEeQz9cYAtKZF/TlSIKe4aaburaBIBK7unaIJ3m2gXUfl+2SXHFfRzoAQ/S9unG2vf6u71clo7yLbBGNwaOSW6eToZW/uED1NMnmoD/NtCG4UE6ZxVNWnH2B2PPcq ZCC/nLFDRz3pz/ibqZRavmhfy/ +bJLUhyGgfCMAxkM+VoNF9L9b7VjKbM/7zysUsFyIn0ltSgXVDnl1Oze+w/IBgsC5MCoXBkbtK76sEWtWHYAePlSWEWSjDCLZUf5RpZ1urQVn+KFARncEfFmklFdIZpoeWUhCfdb6BAwqjh6rQzZXVOcOlmtkCsm3AIpWjA6sTN7J3WuRJHqRXQTQiE49jGuh45x+XYvzDH2i3GIfXz7igK5qBK4SSWG3RRV9bN+zR0zN617X9snJu65DCr6LKsqKBLLNSFCasku+bx95LzlF+ve8rpnSvbMx5yzy hOyg2pCTbIoW6uLpZH78ZH3kdvYcrDlcctPJF9zG7eSsED08ODUKWr+rWiP+rl6ePkrl11Uyy4FY3nX0sHhv8bbJGgOCve7LV/b81hdzVdO8mPbVjo65nzkzmndzD+K94CLWPaZWtxXHtqyhO9vA5f78ciB1SoYWTY+FSekKL67dWVqeZnhTGY+HeDg6JlScqMAu/ppUtURDgI5lqtxAeRxxWPnPiZVhI/x2MYBUsv9u5Um1dalVZRQ4J6BK7CgyyBqWxSLhhCyfkjEusPh5ViWO7xzl19Qucj9eL knTbhJJV1ZV/QTofOBKqvq6F1xLfhzKvy3J93bzvF32S+y3QFX1EqmJQAAAABJRU5ErkJggg==","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"ntif (typeof window.matchMedia === "unde...","line-number":266}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"n/* Modernizr 2.6.2 (Custom Build) | MIT...","line-number":274}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"try { for(var lastpass_iter=0; lastpass..."}}
Direktiven default-src : Alle Ressourcen img-src : Bilder style-src : Stylesheets media-src : Audio + Video frame-src : iframes connect-src : AJAX, WebSockets, EventSource font-src : Schriften object-src : Flash, Java, usw.
Keywords * : Alles erlauben 'none' : Nichts erlauben 'self ' : Nur Ursprungsdomain (nicht Subdomains) 'unsafe-inline' : Inline JavaScript + CSS 'unsafe-eval ' : JavaScript eval()
Beispiele # Lokal + Inline CSS/JS + Data URI default-src 'self'; style-src 'unsafe-inline'; script-src 'unsafe-inline'; img-src data:; # Lokal + CDN default-src 'self' *.amazonaws.com; # Lokal + Bilder von Überall default-src 'self'; img-src: *; # Nur SSL default-src https:; # Explizite Freigaben default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self';
Browserunterschiede Firefox default-src 'self'; script-src 'unsafe-inline'; Chrome default-src 'self'; script-src 'self' 'unsafe-inline';
$ curl -I http://walterebert.com HTTP/1.1 200 OK Date: Mon, 18 Nov 2013 19:38:14 GMT Server: Apache Cache-Control: max-age=0, no-cache Content-Security-Policy: default-src 'self'; img-src data: http: https: *.slidesharecdn.com *.slideshare.net; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri /cspreporter.php; Vary: Accept-Encoding Content-Type: text/html; charset=utf-8
Beispiele blockierter URIs mx://res/reader-mode/reader.html chromenull:// chromeinvoke://1fb8adb44a3b9f7b1671bf5082dbf486 chromeinvokeimmediate://95dc806b80bec27e456ff17770b82cf8 chrome-extension://noojglkidnpfjbincgijbaiedldjfbhh android-webview safari-extension://com.wotservicesoy.wot-ff6ww26hl3 safari-extension://com.avast.wrc-6h4hrtu5e3 moz-icon://noscript?size=32&contentType=video/ogg http://cdncache-a.akamaihd.net https://d3ijcis4e2ziok.cloudfront.net https://translate.googleapis.com
Walter Ebert @wltrd walterebert.de walterebert.com slideshare.net/walterebert DrupalCamp Frankfurt, 12.-13. April 2014 drupal-am-main.de
Referenzen http://content-security-policy.com/ https://www.owasp.org/index.php/Content_Security_Policy http://www.html5rocks.com/en/tutorials/security/content-secur ity-policy/ https://developer.mozilla.org/en-US/docs/Security/CSP http://caniuse.com/#search=csp http://mathiasbynens.be/notes/csp-reports http://www.w3.org/TR/CSP/ https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp -specification.dev.html

Recommended

Xss
XssXss
XssRajendra Dangwal
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 

Recommended

Xss
XssXss
XssRajendra Dangwal
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingashutosh rai
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xssPotato
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applicationsn|u - The Open Security Community
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilitiesn|u - The Open Security Community
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquadJosh Howell
 
Campixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extremeCampixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extremeAlexander Merkel
 
PHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-PerformancePHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-PerformanceNico Steiner
 

More Related Content

What's hot

Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!VodqaBLR
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting GuideDaisuke_Dan
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xssPotato
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquadJosh Howell
 

What's hot (20)

Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
 
The Cross Site Scripting Guide
The Cross Site Scripting GuideThe Cross Site Scripting Guide
The Cross Site Scripting Guide
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Understanding dom based xss
Understanding dom based xssUnderstanding dom based xss
Understanding dom based xss
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applications
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquad
 

Viewers also liked

Campixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extremeCampixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extremeAlexander Merkel
 
PHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-PerformancePHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-PerformanceNico Steiner
 
Social media and crisis communication
Social media and crisis communicationSocial media and crisis communication
Social media and crisis communicationUlrich Gartner
 
Seo Campixx 2015 - Technical SEO for Beginners
Seo Campixx 2015 - Technical SEO for BeginnersSeo Campixx 2015 - Technical SEO for Beginners
Seo Campixx 2015 - Technical SEO for BeginnersJan Berens
 
Webhacks am Beispiel PHP + MySQL
Webhacks am Beispiel PHP + MySQLWebhacks am Beispiel PHP + MySQL
Webhacks am Beispiel PHP + MySQLTorben Brodt
 
Leitfaden Facebook Marketing: Fanseiten 2011
Leitfaden Facebook Marketing: Fanseiten 2011Leitfaden Facebook Marketing: Fanseiten 2011
Leitfaden Facebook Marketing: Fanseiten 2011Futurebiz
 
Das (noch) nicht genutzte Potential von E-Books
Das (noch) nicht genutzte Potential von E-BooksDas (noch) nicht genutzte Potential von E-Books
Das (noch) nicht genutzte Potential von E-BooksRudolf Mumenthaler
 
Above the fold content
Above the fold contentAbove the fold content
Above the fold contentWalter Ebert
 
Einführung in WAI-ARIA
Einführung in WAI-ARIAEinführung in WAI-ARIA
Einführung in WAI-ARIAStefan Walter
 
Campixx 2014 | Case Study - SEO für eine Ferienwohnung
Campixx 2014 | Case Study - SEO für eine Ferienwohnung Campixx 2014 | Case Study - SEO für eine Ferienwohnung
Campixx 2014 | Case Study - SEO für eine Ferienwohnung Heiko Hoehn
 
Web Performance Optimierung - DWX13
Web Performance Optimierung - DWX13Web Performance Optimierung - DWX13
Web Performance Optimierung - DWX13Walter Ebert
 
Bilder einbinden ist kein Thema, oder?
Bilder einbinden ist kein Thema, oder?Bilder einbinden ist kein Thema, oder?
Bilder einbinden ist kein Thema, oder?Walter Ebert
 
(Responsive) Video
(Responsive) Video(Responsive) Video
(Responsive) VideoWalter Ebert
 
Sinn und Unsinn von SSL
Sinn und Unsinn von SSLSinn und Unsinn von SSL
Sinn und Unsinn von SSLWalter Ebert
 
Responsive Design: Mehr als CSS
Responsive Design: Mehr als CSSResponsive Design: Mehr als CSS
Responsive Design: Mehr als CSSWalter Ebert
 
Die .htaccess richtig nutzen
Die .htaccess richtig nutzenDie .htaccess richtig nutzen
Die .htaccess richtig nutzenWalter Ebert
 
Javascript auf Client und Server mit node.js - webtech 2010
Javascript auf Client und Server mit node.js - webtech 2010Javascript auf Client und Server mit node.js - webtech 2010
Javascript auf Client und Server mit node.js - webtech 2010Dirk Ginader
 
Responsive Videos, mehr oder weniger
Responsive Videos, mehr oder wenigerResponsive Videos, mehr oder weniger
Responsive Videos, mehr oder wenigerWalter Ebert
 

Viewers also liked (20)

Campixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extremeCampixx 2012-ladezeit-extreme
Campixx 2012-ladezeit-extreme
 
PHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-PerformancePHP Kongress 2010 - Web-Performance
PHP Kongress 2010 - Web-Performance
 
Social media and crisis communication
Social media and crisis communicationSocial media and crisis communication
Social media and crisis communication
 
Seo Campixx 2015 - Technical SEO for Beginners
Seo Campixx 2015 - Technical SEO for BeginnersSeo Campixx 2015 - Technical SEO for Beginners
Seo Campixx 2015 - Technical SEO for Beginners
 
Webhacks am Beispiel PHP + MySQL
Webhacks am Beispiel PHP + MySQLWebhacks am Beispiel PHP + MySQL
Webhacks am Beispiel PHP + MySQL
 
Leitfaden Facebook Marketing: Fanseiten 2011
Leitfaden Facebook Marketing: Fanseiten 2011Leitfaden Facebook Marketing: Fanseiten 2011
Leitfaden Facebook Marketing: Fanseiten 2011
 
Das (noch) nicht genutzte Potential von E-Books
Das (noch) nicht genutzte Potential von E-BooksDas (noch) nicht genutzte Potential von E-Books
Das (noch) nicht genutzte Potential von E-Books
 
Above the fold content
Above the fold contentAbove the fold content
Above the fold content
 
Vorschau auf Drupal 8
Vorschau auf Drupal 8Vorschau auf Drupal 8
Vorschau auf Drupal 8
 
Einführung in WAI-ARIA
Einführung in WAI-ARIAEinführung in WAI-ARIA
Einführung in WAI-ARIA
 
Campixx 2014 | Case Study - SEO für eine Ferienwohnung
Campixx 2014 | Case Study - SEO für eine Ferienwohnung Campixx 2014 | Case Study - SEO für eine Ferienwohnung
Campixx 2014 | Case Study - SEO für eine Ferienwohnung
 
Web Performance Optimierung - DWX13
Web Performance Optimierung - DWX13Web Performance Optimierung - DWX13
Web Performance Optimierung - DWX13
 
Bilder einbinden ist kein Thema, oder?
Bilder einbinden ist kein Thema, oder?Bilder einbinden ist kein Thema, oder?
Bilder einbinden ist kein Thema, oder?
 
Web-Performance
Web-PerformanceWeb-Performance
Web-Performance
 
(Responsive) Video
(Responsive) Video(Responsive) Video
(Responsive) Video
 
Sinn und Unsinn von SSL
Sinn und Unsinn von SSLSinn und Unsinn von SSL
Sinn und Unsinn von SSL
 
Responsive Design: Mehr als CSS
Responsive Design: Mehr als CSSResponsive Design: Mehr als CSS
Responsive Design: Mehr als CSS
 
Die .htaccess richtig nutzen
Die .htaccess richtig nutzenDie .htaccess richtig nutzen
Die .htaccess richtig nutzen
 
Javascript auf Client und Server mit node.js - webtech 2010
Javascript auf Client und Server mit node.js - webtech 2010Javascript auf Client und Server mit node.js - webtech 2010
Javascript auf Client und Server mit node.js - webtech 2010
 
Responsive Videos, mehr oder weniger
Responsive Videos, mehr oder wenigerResponsive Videos, mehr oder weniger
Responsive Videos, mehr oder weniger
 

Similar to Content Security Policy - PHPUGFFM

Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2SURBHI SAROHA
 
Web-Security-Application.pptx
Web-Security-Application.pptxWeb-Security-Application.pptx
Web-Security-Application.pptxhamidTalib2
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxsmile790243
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniqueIJCSIS Research Publications
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptxAjaySahre
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebZero Science Lab
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do smehr77
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWARutvik patel
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareOmer Meshar
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresEditor IJCATR
 
Top Tools Used in XSS Attacks.pdf
Top Tools Used in XSS Attacks.pdfTop Tools Used in XSS Attacks.pdf
Top Tools Used in XSS Attacks.pdfuzair
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 

Similar to Content Security Policy - PHPUGFFM (20)

Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2Web security landscape Unit 3 part 2
Web security landscape Unit 3 part 2
 
Web-Security-Application.pptx
Web-Security-Application.pptxWeb-Security-Application.pptx
Web-Security-Application.pptx
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docx
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Prevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash TechniquePrevention of Cross-Site Scripting using Hash Technique
Prevention of Cross-Site Scripting using Hash Technique
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Browser Security ppt.pptx
Browser Security ppt.pptxBrowser Security ppt.pptx
Browser Security ppt.pptx
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
 
STORED XSS IN DVWA
STORED XSS IN DVWASTORED XSS IN DVWA
STORED XSS IN DVWA
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 
Xssandcsrf
XssandcsrfXssandcsrf
Xssandcsrf
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their Countermeasures
 
4.Xss
4.Xss4.Xss
4.Xss
 
Top Tools Used in XSS Attacks.pdf
Top Tools Used in XSS Attacks.pdfTop Tools Used in XSS Attacks.pdf
Top Tools Used in XSS Attacks.pdf
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 

More from Walter Ebert

FrOSCon 2023: WordPress als ActivityPub-Instanz
FrOSCon 2023: WordPress als ActivityPub-InstanzFrOSCon 2023: WordPress als ActivityPub-Instanz
FrOSCon 2023: WordPress als ActivityPub-InstanzWalter Ebert
 
Hero Video Performance - DrupalCamp Ruhr
Hero Video Performance - DrupalCamp RuhrHero Video Performance - DrupalCamp Ruhr
Hero Video Performance - DrupalCamp RuhrWalter Ebert
 
Sicherheit für WordPress
Sicherheit für WordPressSicherheit für WordPress
Sicherheit für WordPressWalter Ebert
 
WordPress aufräumen - WordCamp Stuttgart
WordPress aufräumen - WordCamp StuttgartWordPress aufräumen - WordCamp Stuttgart
WordPress aufräumen - WordCamp StuttgartWalter Ebert
 
WordPress aufräumen
WordPress aufräumenWordPress aufräumen
WordPress aufräumenWalter Ebert
 
Hero Video Performance
Hero Video PerformanceHero Video Performance
Hero Video PerformanceWalter Ebert
 
WordPress-Webseiten umziehen / online stellen
WordPress-Webseiten umziehen / online stellenWordPress-Webseiten umziehen / online stellen
WordPress-Webseiten umziehen / online stellenWalter Ebert
 
Using browser settings for performance
Using browser settings for performanceUsing browser settings for performance
Using browser settings for performanceWalter Ebert
 
Das richtige WordPress-Theme finden
Das richtige WordPress-Theme findenDas richtige WordPress-Theme finden
Das richtige WordPress-Theme findenWalter Ebert
 
WordPress Health Check - WordCamp Würzburg
WordPress Health Check - WordCamp WürzburgWordPress Health Check - WordCamp Würzburg
WordPress Health Check - WordCamp WürzburgWalter Ebert
 
WordPress Health Check
WordPress Health CheckWordPress Health Check
WordPress Health CheckWalter Ebert
 
Making WordPress fast(er)
Making WordPress fast(er)Making WordPress fast(er)
Making WordPress fast(er)Walter Ebert
 
Testumgebungen für WordPress
Testumgebungen für WordPressTestumgebungen für WordPress
Testumgebungen für WordPressWalter Ebert
 
Modernism in Web Design
Modernism in Web DesignModernism in Web Design
Modernism in Web DesignWalter Ebert
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress MultisiteWalter Ebert
 
Weniger aus Bilder holen
Weniger aus Bilder holenWeniger aus Bilder holen
Weniger aus Bilder holenWalter Ebert
 
WordPress mit Composer und Git verwalten
WordPress mit Composer und Git verwaltenWordPress mit Composer und Git verwalten
WordPress mit Composer und Git verwaltenWalter Ebert
 
High Performance Images
High Performance ImagesHigh Performance Images
High Performance ImagesWalter Ebert
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's EncryptWalter Ebert
 
WordPress-Templates mit Twig erstellen - PHPUGFFM
WordPress-Templates mit Twig erstellen - PHPUGFFMWordPress-Templates mit Twig erstellen - PHPUGFFM
WordPress-Templates mit Twig erstellen - PHPUGFFMWalter Ebert
 

More from Walter Ebert (20)

FrOSCon 2023: WordPress als ActivityPub-Instanz
FrOSCon 2023: WordPress als ActivityPub-InstanzFrOSCon 2023: WordPress als ActivityPub-Instanz
FrOSCon 2023: WordPress als ActivityPub-Instanz
 
Hero Video Performance - DrupalCamp Ruhr
Hero Video Performance - DrupalCamp RuhrHero Video Performance - DrupalCamp Ruhr
Hero Video Performance - DrupalCamp Ruhr
 
Sicherheit für WordPress
Sicherheit für WordPressSicherheit für WordPress
Sicherheit für WordPress
 
WordPress aufräumen - WordCamp Stuttgart
WordPress aufräumen - WordCamp StuttgartWordPress aufräumen - WordCamp Stuttgart
WordPress aufräumen - WordCamp Stuttgart
 
WordPress aufräumen
WordPress aufräumenWordPress aufräumen
WordPress aufräumen
 
Hero Video Performance
Hero Video PerformanceHero Video Performance
Hero Video Performance
 
WordPress-Webseiten umziehen / online stellen
WordPress-Webseiten umziehen / online stellenWordPress-Webseiten umziehen / online stellen
WordPress-Webseiten umziehen / online stellen
 
Using browser settings for performance
Using browser settings for performanceUsing browser settings for performance
Using browser settings for performance
 
Das richtige WordPress-Theme finden
Das richtige WordPress-Theme findenDas richtige WordPress-Theme finden
Das richtige WordPress-Theme finden
 
WordPress Health Check - WordCamp Würzburg
WordPress Health Check - WordCamp WürzburgWordPress Health Check - WordCamp Würzburg
WordPress Health Check - WordCamp Würzburg
 
WordPress Health Check
WordPress Health CheckWordPress Health Check
WordPress Health Check
 
Making WordPress fast(er)
Making WordPress fast(er)Making WordPress fast(er)
Making WordPress fast(er)
 
Testumgebungen für WordPress
Testumgebungen für WordPressTestumgebungen für WordPress
Testumgebungen für WordPress
 
Modernism in Web Design
Modernism in Web DesignModernism in Web Design
Modernism in Web Design
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
Weniger aus Bilder holen
Weniger aus Bilder holenWeniger aus Bilder holen
Weniger aus Bilder holen
 
WordPress mit Composer und Git verwalten
WordPress mit Composer und Git verwaltenWordPress mit Composer und Git verwalten
WordPress mit Composer und Git verwalten
 
High Performance Images
High Performance ImagesHigh Performance Images
High Performance Images
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's Encrypt
 
WordPress-Templates mit Twig erstellen - PHPUGFFM
WordPress-Templates mit Twig erstellen - PHPUGFFMWordPress-Templates mit Twig erstellen - PHPUGFFM
WordPress-Templates mit Twig erstellen - PHPUGFFM
 

Recently uploaded

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Recently uploaded (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Content Security Policy - PHPUGFFM

  • 1. Content Security Policy Walter Ebert http://www.flickr.com/photos/murdelta/5963788863/ PHP Usergroup Frankfurt am Main 21. November 2013
  • 3. XSS Cross-Site-Scripting ist eine Art der HTML Injection. Cross-Site-Scripting tritt dann auf, wenn eine Webanwendung Daten annimmt, die von einem Nutzer stammen, und diese Daten dann an einen Browser weitersendet, ohne den Inhalt zu überprüfen. Damit ist es einem Angreifer möglich, auch Skripte indirekt an den Browser des Opfers zu senden und damit Schadcode auf der Seite des Clients auszuführen. https://de.wikipedia.org/wiki/Cross-Site-Scripting
  • 6. W3C Content Security Policy CSP 1.0 http://www.w3.org/TR/CSP/ CSP 1.1 (In Arbeit) https://dvcs.w3.org/hg/content-security-policy/r aw-file/tip/csp-specification.dev.html
  • 8. Konfiguration Apache <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'self';" </IfModule> PHP header("Content-Security-Policy: default-src 'self';");
  • 9. $ curl -I http://dev.walterebert.com HTTP/1.1 200 OK Date: Sat, 02 Nov 2013 12:49:57 GMT Server: Apache/2.2.22 X-Powered-By: PHP/5.3.17 Cache-Control: max-age=0 Expires: Sat, 02 Nov 2013 12:49:57 GMT Content-Security-Policy: default-src 'self'; Vary: Accept-Encoding Content-Type: text/html; charset=utf-8
  • 10.
  • 11. Reporting Apache <IfModule mod_headers.c> Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-reporter.php;" </IfModule> PHP header("Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reporter.php;");
  • 12. csp-reporter.php <?php header('HTTP/1.1 204 No Content'); $data = file_get_contents('php://input'); if (is_string($data) and json_decode($data)) { syslog(LOG_INFO, $data); }
  • 13. HTTP POST { "csp-report": { "document-uri":"http://dev.walterebert.com/", "referrer":"", "violated-directive":"default-src 'self' ", "original-policy":"default-src 'self'; report-uri /csp-reporter.php;", "blocked-uri":"http://cdn.slidesharecdn.com", "status-code":200 } }
  • 14. Chrome {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"http://cdn.slidesharecdn.com","status-code":200}} {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"data","status-code":200}} {"csp-report":{"documenturi":"http://dev.walterebert.com/","referrer":"","violated-directive":"default-src 'self' ","original-policy":"default-src 'self' ; report-uri /cspreporter.php;","blocked-uri":"","status-code":200}}
  • 15. Firefox {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/responsive-design-drupal-meetup-frankfurt-130912115128-phpapp01-thumbnail-2.jpg?1379004938","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/web-performance-optimierung-developer-week-2013-130625082350-phpapp02-thumbnail-2.jpg?1372582510","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/webperfdays-amsterdam-2013-responsive-video-130519125920-phpapp02-thumbnail-2.jpg?1378556655","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"n// Responsive menunif (typeof window.ma...","line-number":14}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"https://cdn.slidesharecdn.com/ss_thumbnails/web-performance-drupal-meetup-frankfurt-2013-130314172209-phpapp01-thumbnail-2.jpg?1363299801","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/responsive-design-drupal-meetup-frankfurt-130912115128-phpapp01-thumbnail-2.jpg?1379004938","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/web-performance-optimierung-developer-week-2013-130625082350-phpapp02-thumbnail-2.jpg?1372582510","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/webperfdays-amsterdam-2013-responsive-video-130519125920-phpapp02-thumbnail-2.jpg?1378556655","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"http://cdn.slidesharecdn.com/ss_thumbnails/web-performance-drupal-meetup-frankfurt-2013-130314172209-phpapp01-thumbnail-2.jpg?1363299801","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAAAWCAMAAAC7dUHMAAAAMFBMVEUFCAMREg8aGxkhIyA6PDlkZmN1bJ+SjbCSlJGcmrCwsbC5tcvIycze3+Hw7/H9//xelZ5BAAABu0lEQVR4AZ3U7crcQAgF4MmomY/xeO7/butMdlta+ufNYVkl4IMBSeF/E3Pyh/lIEQCCfzJ7vJHCV2ttuH+12OWNhJUGHm6B5FpvJXcPtPu+txVku/2NFGsMDz5Oy54r+xdSrNZWA F8o1b1d/FxKYmEivtDESggvdhoJjRWxPpCfHWMxupn1gGWc3XyaISvZVU+XcXrvIGYUtuZjOJy+Mh4+HXutgF4qxbyI1gtWZy9lUivnpXpJWBb1WUQU3lG41mgNGPEcqCfY7kxKiimCYrTiJrOLGDUJcZruJyS7zV5meBRiv1b4cAJbSvhITCmHNaWpGltSE6hAFAyEVes9IrhlsjDaIw3Q5/LknhBWRUr3UmvtPFKXviUDM3ZlQM5q/Ej3vaVD5X97kpKK9Ukv1lWPJK6akn52ko4DafwlPdftG7 l3yDPBLdFKHAldRHZLveYuBwIf6Vx0oG0KxAda/0g4kkOq5LBIVdpVa3Gpic9HQg4izjLnkA4VZPQeJGGT3Tx/8zkicqpaZJuB7fgj0e97cGwqG3Bbb78F5w7vdHaak8GXEnGv5J4c67XEWBHrNxTvpSdYo613TOYXgZ5KQK6spScAAAAASUVORK5CYII=","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAAAyCAMAAAAnSAbsAAAAMFBMVEUJb5U3g6NVlrHnkiJ2qb/rp025vLqlxtTvunTJy8nzyJLY4uX44MPu8vL78OP9//xCc7hCAAACiElEQVR4Ae3X4ZKrKBAFYEC0g4dDv//bbjcYNLPJbqqcn3PuVRpKvrQxlZkJ+lv5k2Yowt+RcopRyN+QhBJTFvCuhASlSIrCm5JKppIqKeOmpAkqosqccFNyRnRQ9yQkjoI585akC dOUe5LMViThlqRxNpXzPensRBLvSbNCljsS86XMvCEhKzFvT+5ISXN619SQCBxLpJJHDX0TRo3x0hReJBYABAFYtfkJaoW+S5Ig+clKzsIXSYmylVJgx+blxu2DhByZRU9LcJU8JkF9ZNm2z5KKKISnLIIpKQpoB6h2wE5uAvoxACeUo/DGz5b5VHLKWfjm2SlndaaNvK7Vpq/fU2FMkwwAszy3PEb21vZLue7PDcIpIYYQRT05hJBfpLos67F9P8plebTH8phvlHBKBo39iFalq9R22zaij2WtXh h+Sm7hlGIOEb2llEySLEfr2SU9shra9WWpF0nJiyQpiBV2Nox2qEdC5L6se7W0U9KzpzNTkpCgEiN+Su2xLqunficBMYoJmT8lbdXjyneSKxKD6L+kEbvJLpnbfkh1r1dJJfqbjf+Qel9O1CG159Pd93aVkEIIwi5JCClbkkl17Vlsp3+evFqtv+q1Z69XKSaoSgxjyKSk2BOib/esdnXbjemp/tEf0qPa3T0lAuxnjInjPdmfXe1pfnEbE+/JJyNefPwugIxYl/ombX/UL39/MmIkQd/Fuvg/ibz 2BFC/zfz2hXIrVmyFqnZQNz3jV/RlC8bBoh7gVfL9sLCwWLZxmqGir2z2fww+O/71SZeGXIYE9h39bP6xBWprG3yJNud4FRT4CJTCsye72m/Mi759vLqPPpAFxyu4pEMy49kT//4C+j7/AAp/ttcmKUUDAAAAAElFTkSuQmCC","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blockeduri":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEkAAABECAMAAAD6M+gwAAAAwFBMVEXt7PDc29+Wj7LDv9ODfKWMhqyWkLOgm7p6dJ9wa5lnY5S3tsNZV4tMS4RLS4RLS4NMTIStrbnPz9Tx8fLp6eq8vcTCw8ioqrKytLuKjpmIjJeMkJucn6ianaafoqujpq5/hJCBhpKUmKKSlqCRlZ+Pk512fImFipWXm6SUmKF5f4t8go5udYJxeIVzeoZkbXpmb3xocX5rc39vd4Ntd YFgandrdIBbZnNTYG5JWWhOXWtQX21JWmhJWWdKWmj/// +KYSnGAAAGvklEQVR4AazSzW6jMBTF8bDOChPA+QgBB3CKGSZJq6wqnfd/q7k+IGxFnV1/uN1U+uvat5vv37L5xu/wpVtwXpyC6lRFLnLelMSSMebD0Bpcmqe3aEyKVZRlqRXX9nr9EAyGKK1Z8d9RWeoW7ey6MGv3p+tLU5dRk6X9cbEmOx+MqmxS1NRImZSmdOfSgrUQfR+1fYsWSKNRWbLWHg5yDvvgp2a7YrNAGb0qS41dHfNVt+/yBJm6+FxO+tyR0XmRyx9LRjmpmUuRHIutvWWAHCgZEYv CZ3WG2SUalqU6aBouO0HSdBlUa22ZIbcWiawnLZgtAZXKf5DCJXoAllxQU4nM1gWKxjMZugaJ9WTMyu6QHrwcVfSoLA0RJ2Sam3MZqnkrCmkD1ZDG9sSq2EpVgpbZPUs9DYP8eE0CLUkEuoaq6YxtiW1DW5xswNLk9asCapAmdlqQcVCObtCVhEVTa5ybgKU/3uQ/r8TG9WIHO496vNaDxMlAd9jxRZ3GrXb1bCmN4/hJvmgBy2YKxUkrZK6H8tF+uEIPCoU03aBhXMDS8/lF4/g1yihJ6vV9gsQM hxSopkmqvddC9/tsvriCCWsaWHo8gwKLfJSUtznJpFC8/9QhnaaDwqztiati6X6/P+4PGsrV8HzdcqUqJ7OOeztfvz/W0p0OJvWaaFUs/fXuswd/URj19ZL7v/gA4lM+X5UjOKpYS6v70mSQUXrKWbsSZfUf2eTT3CoOBPHlvKel2CG+2FgHV7FPMfvHLmlId/T9v9WOBgGv6k0lMKqIX3dLk1rbTf336aT3USnndQVZf9avnNKJdWajnnU6dVIyhEFWQglWjqK+lcR3TofX8wR+zf/vRjIK/Dsih TAxzmGecLc2M8zzdXrfnsvN6vm8LX/fxtvt8RjH6+Nnq076QtWHg4b+OjIMIldKJ8MI6QaZWB7v0vf9X3c71NL1/Y976bvfnuZyN+okkNgiYe7qYhaQlIAgVFtAS0R5pPSe7FDL9H4v9/L+p7stR70bCcR2QKMARjJPd4iE/ncwCOikXoSfJScz98f7hyE/ +v2evr7hpMqwIpTXjdSFEC1dXxLcFyppDDNioVpzXz/Lmv+UdV2/3YRuJHjvni5DBtnSzXmYgFlIlpfBiEqynmQsyMNMl/c8TqKjUCsPnXygnXjg2JHBSLCvjUQn1ZjLq8jQZTpKAbB5UrCy1FDTvGiKr7hgScwxIy0gXxnWAjkazSpn25IrhfTp0zMdsB+7c7HJwYsutHfeqG774YvdE7VNdftjG3DdXqcC4OtTgrWa7D5PTYn5FWNCXsAIYLEEvlgSUlJ4aFq4mjvGXYeKRnLOph0HkQmxRBZFG EaJjAJIjzBrHakrUGwLY5Fu3D3p7kmVaK5jH2M2UpcLYUwSUVRlmEMgy8UMs8RX3aIXaWfrUZ10zICyelrwsiEoQB+lzHwJKJfysXm6g8W28FVKqULtqrSR9njwKLRnGgpVZkowLCAxlFDduDp9sNBN7TqB4+683GeVmo3ESwEeQz9cYAtKZF/TlSIKe4aaburaBIBK7unaIJ3m2gXUfl+2SXHFfRzoAQ/S9unG2vf6u71clo7yLbBGNwaOSW6eToZW/uED1NMnmoD/NtCG4UE6ZxVNWnH2B2PPcq ZCC/nLFDRz3pz/ibqZRavmhfy/ +bJLUhyGgfCMAxkM+VoNF9L9b7VjKbM/7zysUsFyIn0ltSgXVDnl1Oze+w/IBgsC5MCoXBkbtK76sEWtWHYAePlSWEWSjDCLZUf5RpZ1urQVn+KFARncEfFmklFdIZpoeWUhCfdb6BAwqjh6rQzZXVOcOlmtkCsm3AIpWjA6sTN7J3WuRJHqRXQTQiE49jGuh45x+XYvzDH2i3GIfXz7igK5qBK4SSWG3RRV9bN+zR0zN617X9snJu65DCr6LKsqKBLLNSFCasku+bx95LzlF+ve8rpnSvbMx5yzy hOyg2pCTbIoW6uLpZH78ZH3kdvYcrDlcctPJF9zG7eSsED08ODUKWr+rWiP+rl6ePkrl11Uyy4FY3nX0sHhv8bbJGgOCve7LV/b81hdzVdO8mPbVjo65nzkzmndzD+K94CLWPaZWtxXHtqyhO9vA5f78ciB1SoYWTY+FSekKL67dWVqeZnhTGY+HeDg6JlScqMAu/ppUtURDgI5lqtxAeRxxWPnPiZVhI/x2MYBUsv9u5Um1dalVZRQ4J6BK7CgyyBqWxSLhhCyfkjEusPh5ViWO7xzl19Qucj9eL knTbhJJV1ZV/QTofOBKqvq6F1xLfhzKvy3J93bzvF32S+y3QFX1EqmJQAAAABJRU5ErkJggg==","violated-directive":"default-src http://dev.walterebert.com:80"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"ntif (typeof window.matchMedia === "unde...","line-number":266}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"n/* Modernizr 2.6.2 (Custom Build) | MIT...","line-number":274}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/img/logo2.svg","referrer":"http://dev.walterebert.com/","blocked-uri":"self","violated-directive":"inline style base restriction","source-file":"http://dev.walterebert.com/img/logo2.svg","script-sample":"fill:#007a00;stroke:none;"}} {"csp-report":{"document-uri":"http://dev.walterebert.com/","referrer":"","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://dev.walterebert.com/","script-sample":"try { for(var lastpass_iter=0; lastpass..."}}
  • 16. Direktiven default-src : Alle Ressourcen img-src : Bilder style-src : Stylesheets media-src : Audio + Video frame-src : iframes connect-src : AJAX, WebSockets, EventSource font-src : Schriften object-src : Flash, Java, usw.
  • 17. Keywords * : Alles erlauben 'none' : Nichts erlauben 'self ' : Nur Ursprungsdomain (nicht Subdomains) 'unsafe-inline' : Inline JavaScript + CSS 'unsafe-eval ' : JavaScript eval()
  • 18. Beispiele # Lokal + Inline CSS/JS + Data URI default-src 'self'; style-src 'unsafe-inline'; script-src 'unsafe-inline'; img-src data:; # Lokal + CDN default-src 'self' *.amazonaws.com; # Lokal + Bilder von Überall default-src 'self'; img-src: *; # Nur SSL default-src https:; # Explizite Freigaben default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self';
  • 19. Browserunterschiede Firefox default-src 'self'; script-src 'unsafe-inline'; Chrome default-src 'self'; script-src 'self' 'unsafe-inline';
  • 20. $ curl -I http://walterebert.com HTTP/1.1 200 OK Date: Mon, 18 Nov 2013 19:38:14 GMT Server: Apache Cache-Control: max-age=0, no-cache Content-Security-Policy: default-src 'self'; img-src data: http: https: *.slidesharecdn.com *.slideshare.net; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri /cspreporter.php; Vary: Accept-Encoding Content-Type: text/html; charset=utf-8