“When it comes to CSP, just about any policy is better than none” - Sobelow’s documentation
There’s a 2016 paper out of Google that found most sites CSP policies don’t work, https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
worth reading if you’re interested in the subject
Oh, thanks. I do find security things both fascinating and scary; sometimes I teeter on the edge of despairing that it’s all too complicated and one slip will make all the efforts pointless.
On first read I get
- Don’t use Angular (kind of ironic from a Google paper)
- Definitely steer clear of JSONP.
'unsafe-inline'is bad. (Also
unsafe-eval). The “unsafe” part is a bit of a hint.
- Unsafe domains are a thing to consider, if I wanted to use 3rd party analytics or something.
Nice manual! It fills the niche of “how to publish a CSP header in Phoenix”, while for other platforms Node.js, Wordpress, etc there is a lot articles.
It is only more correct to link to the official source Content Security Policy (CSP) - HTTP | MDN, since
content-security-policy.com is an outdated site with incorrect information. For instance the wrong
script-src 'nonce-r@nd0m' is shown right on the main page - the @ character is not allowed in the ‘nonce-value’.
2016 paper out of Google refered below is not actual.
In 2016 IE had 30% of the market but did not support CSP. Other browsers, except for Chrome, were supported CSP very poorly too.
'unsafe-inline' and some also required
Popular site engines (CMS) also required rework in their scripts and styles.
Now things changed and Content Security Policy has become a de facto “must have” standard - every browser extension or web app must have it.
Security requirements have increased, Chrome extensions do not allow
'unsafe-inline' at all, Firefox extensions with a policy that use
'unsafe-inline' keywords, allowing loading of external scripts and resources, as well as
blob: files, are not allowed for extensions listed on
addons.mozilla.org due to major security issues.
The situation is somewhat complicated by Safari browser, which is stuck at the CSP2 level.
Nonetheless all serious sites that work with personal data (Twitter, Facebook, Google, …) or money transfers (Paypal, etc.). have a CSP.
In addition to XSS attacks, CSP protects against ads substitution and injecting third-party ads, and prevents users from being tracked on the Internet.
So your article is very relevant for ordinary webmasters as well.
PS: To the principle “When it comes to CSP, just about any policy is better than none” from Sobelow’s documentation, I can add: “safety is never enough”.
Thanks! I’ve updated the post to link only to the MDN documentation.
Thanks for the fantastic article. It helped me fix a production bug where LiveView was refreshing every 10 or 15 seconds!