Content Security Policy 1.0 (CSP) has advanced from W3C Working Draft to Candidate Recommendation, another milestone for an ambitious project aimed at preventing browser-based vulnerabilities such as cross-site scripting (XSS). With support from two major browser vendors, Mozilla and Google, it is set to become an important security measure in the near future. Google has also enabled support for the un-prefixed Content-Security-Policy HTTP header. The CSP 1.0 specification is available here.
What is Content-Security-Policy?
CSP directs web browsers to execute and render resources only from whitelisted sources. Any other content is neither executed nor rendered, which mitigates XSS and similar injection attacks. A new HTTP header, Content-Security-Policy, carries the list of trusted sources, for example:
Content-Security-Policy: script-src 'self' http://www.good-site.com
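To make the whitelisting concrete, here is an added example (not part of the original post) that parses a header value like the one above and decides whether a given script would be allowed on a page served from a given origin; it also shows that under CSP 1.0 a script-src directive blocks inline scripts unless 'unsafe-inline' is listed. The origins and script URLs are constructed sample values, and the matcher handles only 'self', 'unsafe-inline', '*', 'none' and plain scheme://host[:port] source expressions (no path or wildcard-host matching).

```javascript
// Added example: a minimal evaluator for the CSP 1.0 script-src directive.
// Sample inputs (header value, page origin, script URLs) are constructed for
// illustration; the matcher is deliberately simplified (see lead-in).

// Split a header value into { directiveName: [sourceExpressions] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression match the origin of an external script URL?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  if (expr === '*') return true;
  if (expr === "'self'") return scriptUrl.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  // A host source without a scheme inherits the page's scheme.
  const pageScheme = pageOrigin.split(':')[0];
  const withScheme = expr.includes('://') ? expr : `${pageScheme}://${expr}`;
  try {
    return new URL(withScheme).origin === scriptUrl.origin;
  } catch {
    return false; // unparsable source expression never matches
  }
}

// Returns true if the script may run under the policy. `script` is either
// { url: 'https://...' } for an external script or { inline: true }.
function scriptAllowed(header, pageOrigin, script) {
  const policy = parsePolicy(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no applicable directive: scripts are unrestricted
  // Inline scripts are blocked by any script-src unless 'unsafe-inline' is present.
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.url);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

module.exports = { parsePolicy, sourceMatches, scriptAllowed };
```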