Difference between revisions of "Content Security Policy"
From MgmtWiki
(→Solutions) |
(→References) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 6: | Line 6: | ||
==Problems== | ==Problems== | ||
| + | Cross-site scripting (XSS) attacks, for example, bypass the same origin policy by tricking a site into delivering malicious code along with the intended content. This is a huge problem, as browsers trust all of the code that shows up on a page as being legitimately part of that page’s security origin. | ||
| + | |||
==Solutions== | ==Solutions== | ||
* [https://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy] | * [https://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy] | ||
| Line 14: | Line 16: | ||
*[[Trusted Location]] | *[[Trusted Location]] | ||
| − | [[Category:Glossary]] | + | [[Category: Glossary]] |
| + | [[Category: Policy]] | ||
Latest revision as of 09:04, 7 October 2022
Full Title or Meme
Content Security Policy is a mechanism designed to make applications more secure against common web vulnerabilities, particularly cross-site scripting. It is enabled by setting the Content-Security-Policy HTTP response header.
Context
- As a part of having a Trusted Identity in Cyberspace a series of Framework Profiles have been created to allow digital Entities to give users a statement about the policies that they support.
Problems
Cross-site scripting (XSS) attacks, for example, bypass the same origin policy by tricking a site into delivering malicious code along with the intended content. This is a huge problem, as browsers trust all of the code that shows up on a page as being legitimately part of that page’s security origin.
Solutions
References
- On "with google" Content Security Policy
- OWASP presentations So we broke all CSPs and what happened next.
- Trusted Location
