The Content-Security-Policy HTTP response header lets a site control which resources the user agent is allowed to load for a given page. Apart from special cases, the policy mainly specifies the allowed origins for scripts and other resources. This helps mitigate cross-site scripting (XSS) attacks.
This article describes the W3C's Content Security Policy, or CSP for short. As the name suggests, this specification is about content security: it is mainly used to define which resources a page may load, reducing the occurrence of XSS.
Early versions of Chrome supported CSP via the X-WebKit-CSP response header, while Firefox and IE supported X-Content-Security-Policy; Chrome 25 and Firefox 23 began to support the standard Content-Security-Policy header.
Sensitive information about web applications, such as usernames, passwords, machine names, and sensitive file locations, may be collected. Inexperienced users may also be persuaded to provide sensitive information such as usernames, passwords, credit card numbers, social security numbers, etc.
First, let's create a new ASP.NET MVC project, add a new JS script, and have it dynamically load the Baidu Analytics JS code, as follows:
As shown in the figure above, the JS script from a third party (Baidu) has been loaded successfully. If that third-party JS contained malicious code, it could steal cookies, modify page content, redirect links, and so on.
How can we prevent insecure third-party JS scripts from being introduced?
Workaround
Add a "Content-Security-Policy" response header, for example:
| Directive | Example value | Description |
|---|---|---|
| default-src | 'self' cnd.a.com | Default loading policy for all resource types (JS, images, CSS, web fonts, AJAX requests, iframes, multimedia, etc.); used for any resource type that has no separately defined policy. |
| script-src | 'self' js.a.com | Loading policy for JavaScript. |
| style-src | 'self' css.a.com | Loading policy for stylesheets. |
| img-src | 'self' img.a.com | Loading policy for images. |
| connect-src | 'self' | Loading policy for requests made via Ajax, WebSockets, etc. If a request is not allowed, the browser simulates a response with status 400. |
| font-src | font.a.com | Loading policy for web fonts. |
| object-src | 'self' | Loading policy for plugins such as Flash introduced via tags such as `<object>`, `<embed>` or `<applet>`. |
| media-src | media.a.com | Loading policy for HTML multimedia introduced via tags such as `<audio>` or `<video>`. |
| frame-src | 'self' | Loading policy for frames. |
| sandbox | allow-forms | Enables a sandbox for the requested resource (similar to the sandbox attribute of an iframe). |
| report-uri | /report-uri | Tells the browser which address to submit violation reports to when a requested resource is not allowed by the policy. Note: to have the browser only report violations and not block anything, use the Content-Security-Policy-Report-Only header instead. |
Let's modify the project's web.config file to add a custom response header as follows:
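The web.config change the article refers to, written out here as an added example rather than the article's own screenshot: the header goes under system.webServer/httpProtocol/customHeaders, which IIS and IIS Express apply to every response of the site, and the policy value is the one the browser reports later in this article. The /report-uri path is the sample value from the table above and assumes a handler exists at that address.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ... the rest of the project's web.config is unchanged ... -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Enforcing policy: scripts may only be loaded from this origin and
             from the local dev server (port taken from the browser message in
             this article). Any other script source, such as hm.baidu.com, is
             blocked and logged in the browser console. -->
        <add name="Content-Security-Policy"
             value="script-src 'self' http://localhost:56888/; report-uri /report-uri" />
        <!-- While tuning the policy, this report-only header can be used
             instead of (or alongside) the one above: violations are reported
             to /report-uri but nothing is blocked. Assumes a handler exists
             at /report-uri to receive the JSON reports.
        <add name="Content-Security-Policy-Report-Only"
             value="script-src 'self' http://localhost:56888/; report-uri /report-uri" />
        -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Because customHeaders applies to static files as well as MVC responses, the header will also be present on CSS, image and script responses; that is harmless for this policy.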
Rerun the project as shown below:
The browser successfully blocked the loading of the third-party JS script:
Refused to load the script 'https://hm.baidu.com/hm.js?6dbaac17dfeb2840b5b09d2dff6d2319' because it violates the following Content Security Policy directive: "script-src 'self' http://localhost:56888/ ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. (End)