It seems that websites should have a content security policy to make applications more secure against common web vulnerabilities, particularly cross-site scripting. It is enabled by setting the Content-Security-Policy HTTP response header.
There is info at https://csp.withgoogle.com/docs/adopting-csp.html
I installed the CSP Mitigator Chrome extension and found a number of issues. Are you working on this in K902?
The issues reported:
Fix: Refactor any markup with inline event handlers and javascript: URIs.
Refactor inline event handlers and javascript: URIs
Inline event handlers (onclick="...", onerror="...") and <a href="javascript:..."> links can be used to run scripts, so an attacker who finds an XSS bug could inject such HTML and execute malicious JavaScript. CSP requires refactoring such markup into safer alternatives.
In most cases the changes will be straightforward. To refactor event handlers, rewrite them to be added from a JavaScript block:
<script> function doThings() { ... } </script>
<span onclick="doThings();">A thing.</span>
should become:
<span id="things">A thing.</span>
<script nonce="${nonce}">
  document.addEventListener('DOMContentLoaded', function () {
    document.getElementById('things')
      .addEventListener('click', function doThings() { ... });
  });
</script>
For javascript: URIs, you can use a similar pattern:
<a href="javascript:linkClicked()">foo</a>
into
<a id="foo">foo</a>
<script nonce="${nonce}">
  document.addEventListener('DOMContentLoaded', function () {
    document.getElementById('foo')
      .addEventListener('click', linkClicked);
  });
</script>
Ideally, these scripts should be "outlined" into separate .js files; this gives you the benefit of being able to compile/lint such code.
Debugging information
FYI: No enforcing CSP header was detected in any of the analyzed content.
FYI: No report-only CSP header was detected in any of the analyzed content.
No CSP nonces were detected in any of the analyzed content. Most applications should use nonces to allow trusted scripts to execute.
No 'strict-dynamic' usage was detected in any of the analyzed content. You should consider using a strict CSP policy.
Last edited by sdn (07-03-2017 08:33:29)
I will definitely look into this. 9.0.2, which is pending release, uses a completely different security and session handling system from all previous software versions. Looking into these items would complement all of that very nicely. Perhaps in the next update. We're using some inline JavaScript currently to speed up displays, but if we do start using CSP headers, that will need to be addressed. Thanks for the post.