33

How can Content Security Policy (CSP) significantly reduce the risk and impact of XSS attacks in modern browsers?

Is it possible to circumvent CSP in order to execute XSS?

Ali Ahmad
  • Have you done a web search on Content Security Policy and XSS? There's a lot of information about CSP that explains how it helps defend against XSS. We generally expect that you do some research on your own before asking on this site. – D.W. Jun 25 '13 at 23:38
  • I disagree. Google research often leads to this site though. Please ask good questions like this. – willem Feb 20 '18 at 15:33

2 Answers

21

Yes, CSP goes a long way to defending against XSS. If you do a Google search on "Content Security Policy XSS" the first few links explain how and why.

If you're having trouble using Google, here are some good links to help explain how CSP defends against XSS:

The CSP policy is enforced by the browser. Therefore, assuming you have set a proper CSP policy, and assuming your browser doesn't have bugs, there is no way to bypass CSP. That's one of the attractions of CSP.

Note that some browsers (e.g., IE10 and earlier versions of IE, if I recall correctly) don't support CSP.

Be warned that CSP is not a silver bullet:

  • CSP does not stop DOM-based XSS (also known as client-side XSS) if you enable 'unsafe-eval' in your CSP policy. To prevent DOM-based XSS, you must write your JavaScript carefully to avoid introducing such vulnerabilities.

  • CSP stops most forms of script injection, but it does not stop markup injection: see, e.g., Postcards from the post-XSS world as well as the HTML form injection attack from Section III-A of Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control (Chen et al., W2SP 2012). So, you will still want to avoid introducing injection bugs into your code.

See also A few things beyond the scope of Content Security Policy for more discussion of some problems that CSP doesn't solve.

D.W.
  • Thanks, @dveditz! I've edited my answer accordingly. (I think my bias was to assume that if you start with a legacy website and add a CSP policy, odds are that you're going to enable 'unsafe-eval'. But you are absolutely right.) Thank you for helping make this a better answer! – D.W. Jul 19 '13 at 22:27
  • FYI: No version of IE properly supports CSP. IE11 (less sure about downlevel versions, but certainly nothing pre-9) supports the `sandbox` directive as a property on ` – CBHacking May 28 '18 at 07:27

3

CSP works by enforcing that certain content policies are placed upon scripts, e.g. "no external scripts", or "no inline scripts". This makes XSS a whole lot harder, because 99% of XSS cases involve inline scripts or references to off-site scripts. The only downside is that it pretty much forbids JavaScript entirely, and it can be very difficult to produce a JavaScript-enabled site that adheres to the CSP.

Bypassing may be possible, depending on the policy used and the type of vulnerability you have, but in general it's a pretty solid system. For sites with sensitive content and no JavaScript, I'd highly recommend setting a restrictive policy.

Polynomial
  • I disagree with the "pretty much forbids JavaScript". It restricts JS to coming from known locations and it might require you to do more separation between your presentation and logic, but it is certainly possible. Github is using CSP and they have plenty of JS, https://github.com/blog/1477-content-security-policy – jcopenha Jun 25 '13 at 17:31
  • CSP was designed to allow trusted JavaScript, not to forbid JavaScript entirely. If you stick with modern best practices (e.g. no intervening of JS and HTML), very little or even no changes are required. – Hendrik Brummermann Jun 26 '13 at 06:52
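Both answers describe the same mechanism: the browser refuses inline and off-site scripts unless the policy lists them, and loosening the policy with keywords such as 'unsafe-eval' or 'unsafe-inline' hands that protection back. The toy evaluator below is an added illustration, not code from this thread, from GitHub, or from any browser; it models only the few script-src source expressions used in its constructed policies ('self', 'unsafe-inline', a nonce, a host origin) and compares an injected inline script with legitimate ones.

```python
from urllib.parse import urlparse

def directive_sources(header, name):
    """Return the source list for a directive, or None if it is not present."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None

def script_allowed(header, page_origin, src=None, nonce=None):
    """Decide whether a browser enforcing `header` would run a script on a page
    served from `page_origin`.  src=None means an inline <script> block."""
    sources = directive_sources(header, "script-src")
    if sources is None:
        sources = directive_sources(header, "default-src")  # CSP fallback rule
    if sources is None:
        return True  # neither directive set: scripts are unrestricted
    if src is None:
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        # CSP Level 2: once a nonce or hash is listed, 'unsafe-inline' is ignored
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    parsed = urlparse(src)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources  # third-party hosts must be listed explicitly

# Constructed origin and policies for the demonstration (not from the thread).
ORIGIN = "https://app.example"
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"

def demo():
    """Injected inline script (the usual XSS payload shape) vs. legitimate scripts."""
    return {
        "injected_inline_weak": script_allowed(WEAK, ORIGIN),
        "injected_inline_strict": script_allowed(STRICT, ORIGIN),
        "nonced_inline_strict": script_allowed(STRICT, ORIGIN, nonce="r4nd0m"),
        "third_party_strict": script_allowed(STRICT, ORIGIN, src="https://cdn.example/lib.js"),
        "self_hosted_strict": script_allowed(STRICT, ORIGIN, src="https://app.example/app.js"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24} {'runs' if allowed else 'blocked'}")
```

A real nonce must be unpredictable and regenerated per response; the fixed value here only keeps the example self-contained.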