Content Security Policy reaches W3C Candidate Recommendation level

Content Security Policy 1.0 (CSP) has advanced from W3C Working Draft to Candidate Recommendation, another landmark for the ambitious project to prevent browser-based vulnerabilities such as cross-site scripting (XSS) attacks. With support from two major browser vendors, Mozilla and Google, it is set to become an important security measure in the coming days. Google has also enabled support for the un-prefixed Content-Security-Policy HTTP header. The CSP 1.0 spec is available here.

What is Content-Security-Policy?


CSP directs web browsers to execute and render resources only from whitelisted sources. Any other content is neither executed nor rendered, which mitigates XSS and similar classes of attack. A new HTTP header, Content-Security-Policy, carries the list of trusted sources, like this:

Content-Security-Policy: script-src 'self' http://www.good-site.com

This trusted-source restriction is not limited to JavaScript; it applies to other resource types as well, including frames, images, plugin objects and web fonts. This mitigates risks such as script injection and session hijacking. The Chrome team has also imposed CSP on extensions. This article on HTML5Rocks.com explains CSP in depth.
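As an added example (not from the article or the CSP spec), here is a simplified CSP 1.0 source-matching checker in Python. It evaluates the header value shown above against candidate resource URLs, shows the fallback from a missing directive to default-src, and makes the anti-XSS point explicit: inline scripts run only when 'unsafe-inline' is present. The page origin https://example.org is a constructed assumption, and port matching, nonces and hashes are omitted.

```python
from urllib.parse import urlparse

def parse_csp(value):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def source_matches(source, url, page_origin):
    """Test one source expression ('self', scheme, host, wildcard host) against a URL."""
    res = urlparse(url)
    if source == "'self'":
        return f"{res.scheme}://{res.netloc}" == page_origin
    if source.startswith("'"):          # 'none', 'unsafe-inline', ... never match a URL
        return False
    if source == "*":
        return True
    if source.endswith(":"):            # scheme-source such as "https:"
        return res.scheme == source[:-1]
    # host-source: optional scheme plus host, optional leading "*." wildcard (ports ignored here)
    src = urlparse(source if "://" in source else f"//{source}")
    if not src.hostname or (src.scheme and src.scheme != res.scheme):
        return False
    if src.hostname.startswith("*."):
        return (res.hostname or "").endswith(src.hostname[1:])
    return src.hostname == res.hostname

def effective_sources(value, directive):
    """Sources for a directive, falling back to default-src; None means unrestricted."""
    policy = parse_csp(value)
    return policy.get(directive, policy.get("default-src"))

def is_allowed(value, resource_type, url, page_origin):
    """Would a CSP-enforcing browser load `url` as `resource_type` ("script", "img", ...)?"""
    sources = effective_sources(value, f"{resource_type}-src")
    if sources is None:
        return True                     # no directive applies: nothing is restricted
    return any(source_matches(s, url, page_origin) for s in sources)

def allows_inline_script(value):
    """Inline <script> blocks (the usual XSS payload) run only with 'unsafe-inline'."""
    sources = effective_sources(value, "script-src")
    return sources is None or "'unsafe-inline'" in sources

# The header value quoted in the article, evaluated for a page served from a constructed origin
POLICY = "script-src 'self' http://www.good-site.com"
ORIGIN = "https://example.org"
```

Note that with only script-src set, images from any host still load; adding `default-src 'none'` closes that gap for every resource type the policy does not name.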
