Preventing web browsers from doing what attackers tell them to
Content Security Policy
I first mentioned Content Security Policy back in April 2009 [4] as an experimental project. The good news is that WebKit-based browsers (Chrome and Safari), Gecko (Firefox, Thunderbird, and SeaMonkey) and Internet Explorer 10 have partial support [5]. If you want to use it, you'll need to specify three headers to be on the safe side: Content-Security-Policy
, X-Content-Security-Policy
, and X-WebKit-CSP
, which are used by various browsers and various versions.
If supported, however, the Content Security Policy supports extremely fine grained access permissions. You can specify from where resources like scripts, objects (plugins), stylesheets, images, media, frames, fonts, forms, and so on can be loaded and even specify a report-uri
that tells the web browser where to send information about policy violations. Thus, if a third-party website attempts to trigger a browser to loading protected content that is not permitted, you can in theory be informed by the client, which would allow you to track which sites are being used to attack you.
Conclusion
Unfortunately, most of these security headers are not widely used. For the top 1 million websites (according to Alexa), one report states that roughly 20,000 sites use the X-Frame-Options
header, about 4,000 use the Access-Control-
* headers, about 1,400 use the Strict Transport Security headers to enforce HTTPS, and approximately 100 use Content Security Policies [6]. Saying that these security headers are not widely used is an understatement. Obviously, better support in clients would help, but one area in which support for these headers seems to be really lacking is in most web applications and frameworks. Much like SELinux and other security policies, they'll remain a niche item until things hit a critical mass.
Infos
- Chromium STS: http://dev.chromium.org/sts
- The X-Frame-Options response header: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
- HTTP access control: https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS
- "Web Browser Security" by Kurt Seifried, Linux Pro Magazine, April 2009, pg. 64: http://www.linuxpromagazine.com/Issues/2009/101/Security-Lessons
- Content Security Policy: https://www.owasp.org/index.php/Content_Security_Policy
- Security Headers on Top 1,000,000 Websites: March 2013 Report: http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
News
-
Elementary OS 5.1 Has Arrived
One of the most highly regarded Linux desktop distributions has released its next iteration.
-
Linux Mint 19.3 Will be Released by Christmas
The developers behind Linux Mint have announced 19.3 will be released by Christmas 2019.
-
Linux Kernel 5.4 Released
A number of new changes and improvements have reached the Linux kernel.
-
System76 To Design And Build Laptops In-House
In-house designed and built laptops coming from System76.
-
News and views on the GPU revolution in HPC and Big Data:
-
The PinePhone Pre-Order has Arrived
Anyone looking to finally get their hands on an early release of the PinePhone can do so as of November 15.
-
Microsoft Edge Coming to Linux
Microsoft is bringing it’s new Chromium-based Edge browser to Linux.
-
Open Invention Network Backs Gnome Project Against Patent Troll
OIN has deployed its legal team to find prior art.
-
Fedora 31 Released
The latest version of Fedora comes with new packages and libraries.
-
openSUSE OBS Can Now Build Windows WSL Images
openSUSE enables developers to build their own WSL distributions.