Conversation

Mike West

@mikewest

·

Mar 16, 2021

CSP is large and sprawling, but a "strict" subset of the policy language is _very_ effective at mitigating injection attacks (XSS).

@we1x

rolled that subset out at Google-scale, and walks through the mechanism in detail in https://web.dev/strict-csp/. It's worth your time to read.

Quote Tweet

Lukas Weichselbaum

@we1x

·

Mar 16, 2021

If you want to learn how to mitigate XSS with a strict CSP based on nonces or hashes read: https://web.dev/strict-csp/ The "strict" CSP approach: doesn't suffer from allow-list bypasses, doesn't need customisation and effectively reduces the attack surface of your app.

1

30

54

Mike West

@mikewest

·

Mar 16, 2021

This, of course, isn't new. https://mitigation.supply shows that ~15% of Chrome page views have at least one frame with a "strict" CSP, and ~10% of pages have at least one frame with a "better than strict" policy that avoids 'strict-dynamic'. Join the club! Defend your users.

1

3

Mike West

@mikewest

·

Mar 16, 2021

Also, keep in mind that the "better than strict" variant is the only option in WebKit, which doesn't support 'strict-dynamic' (https://bugs.webkit.org/show_bug.cgi?id=184031…). Such a policy is safer, but the deployment cliff is steeper. A staged approach that starts with "strict" is advisable.

2

2

Daniel Micay

@DanielMicay

Replying to

@mikewest

It's unfortunate that hash-source didn't support external scripts from the beginning. I'm used to working on sites where there's only static HTML which can be cached. I'd like to follow this advice rather than allowing 'self' but last time I checked browsers weren't ready for it.

4:32 PM · Mar 16, 2021·Twitter Web App

Mike West

@mikewest

·

Mar 16, 2021

Replying to

@DanielMicay

https://w3c.github.io/webappsec-csp/#external-hash… shipped in Chrome several years ago. It would indeed be lovely for that mechanism to be usable more widely, as it's quite secure (if brittle).