JavaScript whitelisting

After the last post on browser-based security, a few people asked how CSP (Content Security Policy) works.

Basically, it is a contract between a web server and the client (i.e. the browser). The browser, being a client, executes essentially everything the web server sends to it. This is very risky when that content has been tampered with, which is exactly what happens when an attacker successfully launches an XSS attack against a website and gets HTML (typically a script tag) injected into the page served to other users.

Content Security Policy enables a web server to tell the client that it must not execute JavaScript that does not come from the same origin (or from an explicitly approved origin). This is done by communicating an allow-list of permitted sources in the Content-Security-Policy HTTP response header (a <meta http-equiv> tag in the HTML also works, but then the policy lives in the same body that an attacker may be injecting into). Because the header is generated by the server before the body is sent, a payload injected into the page through XSS or SQL injection (both application-level attacks that control body content, not headers) cannot remove or weaken it. A browser that enforces CSP will therefore refuse to run the injected script even though the HTML asks it to. One caveat a practitioner should know: an allow-list of domains only helps if the policy does not also contain 'unsafe-inline'. Injected XSS payloads are usually inline scripts, so legitimate inline scripts have to be moved into files on an approved origin, or tagged with a per-response nonce or hash, before the policy can be enforced without breaking the site.
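To make the contract concrete, here is an added example (not code from the original post) of the decision a browser makes for the script-src directive: given the policy string the server sent and a script the HTML asks for, it reports whether the script may run. It covers 'self', host sources (including *.wildcards), 'none', 'unsafe-inline' and 'nonce-...' sources; scheme-only sources, hashes and the other directives are left out, and the function and policy names are my own, as is the constructed sample policy. Real browsers implement the full CSP matching algorithm; this is the core of it.

```javascript
// Added example: a minimal evaluator for the script-src part of a CSP header.
// Function names, the sample page URL and the sample policy are constructed
// for illustration and are not the post's or any browser's own code.

// "default-src 'none'; script-src 'self' https://cdn.example.com" ->
// { 'default-src': ["'none'"], 'script-src': ["'self'", 'https://cdn.example.com'] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if neither, no restriction.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match a host source such as https://cdn.example.com, cdn.example.com or *.example.com.
// Ports and paths are ignored here; scheme-less sources are accepted for http and https.
function hostSourceMatches(expr, scriptUrl) {
  const target = new URL(scriptUrl);
  let scheme = null;
  let hostPart = expr;
  const sep = expr.indexOf('://');
  if (sep !== -1) {
    scheme = expr.slice(0, sep + 1);   // e.g. "https:"
    hostPart = expr.slice(sep + 3);
  }
  if (scheme !== null && scheme !== target.protocol) return false;
  if (scheme === null && target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  const host = hostPart.split('/')[0].split(':')[0].toLowerCase();
  const targetHost = target.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);      // ".example.com"
    return targetHost.endsWith(suffix) && targetHost.length > suffix.length;
  }
  return host === targetHost;
}

// script is either { url } for an external file or { inline: true, nonce? } for
// an inline <script> block (the usual shape of an injected XSS payload).
function isScriptAllowed(header, pageUrl, script) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;                // nothing applies to scripts
  if (script.inline) {
    // Once a nonce source is present, browsers ignore 'unsafe-inline'.
    const hasNonce = sources.some((s) => s.startsWith("'nonce-"));
    if (!hasNonce && sources.includes("'unsafe-inline'")) return true;
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    return false;
  }
  if (sources.includes("'none'")) return false;
  if (sources.includes("'self'") && originOf(script.url) === originOf(pageUrl)) return true;
  return sources.some((src) => !src.startsWith("'") && hostSourceMatches(src, script.url));
}

// Constructed sample: the policy a server might send for an account page.
const PAGE = 'https://www.example.com/account';
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'";

function runCases() {
  const cases = [
    { script: { url: 'https://www.example.com/js/app.js' }, expected: true },   // same origin
    { script: { url: 'https://cdn.example.com/lib.js' }, expected: true },      // allow-listed host
    { script: { url: 'https://evil.example.net/steal.js' }, expected: false },  // attacker host
    { script: { inline: true }, expected: false },                               // injected inline script
    { script: { inline: true, nonce: 'r4nd0m' }, expected: true },               // server-issued nonce
  ];
  return cases.map((c) => {
    const allowed = isScriptAllowed(POLICY, PAGE, c.script);
    return { ...c, allowed, ok: allowed === c.expected };
  });
}

for (const r of runCases()) {
  console.log(JSON.stringify(r.script), '->', r.allowed ? 'run' : 'blocked', r.ok ? '' : '(unexpected)');
}
```

The fourth case is the one that matters for XSS: the injected `<script>` has no nonce and the policy has no 'unsafe-inline', so the browser blocks it regardless of what the HTML body says.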

Since CSP is usually enabled in the web server configuration, it is the website administrator's duty to switch it on. Usually the programmer has no right to change the production configuration of the web server. This segregation of duties increases control over unauthorized changes on one hand, but on the other hand leaves web server security an orphan: the developer who knows which scripts the application needs cannot set the policy, and the administrator who can set it does not know what to put in it.


About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received an LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech startup www.powerdata2go.com, Antony was the Chairman of Professional Information Security Association (PISA) from 2009 to 2010. He also joined the ISC2 workshop on developing a new cloud security certification. Current positions include: 1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter) 2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy 3. Hong Kong delegate to ISO SC 27 committee, which drafts security standards like ISO27001. email : antony.linkedin@gmail.com Specialties: Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security
