Hi - I've been working on a PHP class that implements CSP as an output filter on the web server before the content is ever sent to the requesting browser. That way browsers that don't support CSP still can have some measure of protection when a website decides to implement CSP (and utilizes my class).
The class homepage is here: http://www.clfsrpm.net/xss/

It's still highly experimental, but it is both working as I need for the web app I'm developing (not live) and can be played with via a test page that has a textarea input that is (mostly) unfiltered straight into the DOM before being run through the output filter (I say mostly unfiltered because I use DOMDocument loadHTML() to eat the input and it does some minor filtering of its own): http://www.clfsrpm.net/xss/dom_script_test.php

There are currently a few things about CSP that I am a little confused about though:

1) If style-src does not contain the host the page is being served from, do in-line styles need to be blocked?

2) Does the host expression list limit a wildcard to the beginning of a host expression? Obviously ending in a * (unless you intend to allow all hosts and just have a *) is kind of worthless, but does it allow, say, images.*.somewhere.net? Right now I assume that it does not.

3) Does CSP really block all event attributes? The wiki page doesn't cover event attributes, but the (seems to be a little out of date) http://people.mozilla.org/~bsterne/content-security-policy/details.html page states that "Script called using event-handling attributes is not executed". The way I'm handling that in my class is to blacklist all event attributes but allow a whitelist of event attributes that are allowed; however, any event attributes in the whitelist can only call functions without arguments.

4) It looks to me like frame-ancestors is something that can only be enforced client side. Is that correct?

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
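For question 2, the host-source matching a server-side output filter would need, as an added example in Python rather than the post's PHP class (the names DEFAULT_PORTS, parse_source, source_matches and directive_allows are chosen here): under the CSP grammar a wildcard is valid only as the whole host or as the leftmost label, so images.*.somewhere.net is rejected as a source, and *.somewhere.net does not match somewhere.net itself.

```python
"""CSP host-source matching (CSP Level 2/3 scheme-, host- and port-part
rules; path-part omitted). Python illustration, not the post's PHP class.
A wildcard is legal only as the whole host or as the leftmost label."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
_SOURCE_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\*|\d+))?$", re.IGNORECASE)

def parse_source(expr):
    """(scheme, host, port); raises ValueError for images.*.somewhere.net."""
    m = _SOURCE_RE.match(expr.strip())
    if not m:
        raise ValueError("invalid host-source: %r" % expr)
    scheme = m.group("scheme")
    return scheme and scheme.lower(), m.group("host").lower(), m.group("port")

def source_matches(expr, url, page_scheme="https"):
    """True if url is allowed by one host-source. A schemeless source
    inherits the protected page's scheme; http also admits https."""
    scheme, host, port = parse_source(expr)
    u = urlsplit(url)
    u_scheme, u_host = u.scheme.lower(), (u.hostname or "").lower()
    u_port = u.port or DEFAULT_PORTS.get(u_scheme)
    if host == "*" and scheme is None and port is None:  # bare "*"
        return u_scheme in DEFAULT_PORTS or u_scheme == page_scheme
    allowed = {scheme or page_scheme}
    if "http" in allowed:
        allowed.add("https")
    if u_scheme not in allowed:
        return False
    if host.startswith("*."):
        # *.somewhere.net matches images.somewhere.net, not somewhere.net
        if not u_host.endswith(host[1:]):
            return False
    elif host != "*" and u_host != host:
        return False
    if port == "*":
        return True
    if port is None:  # no port given: only the scheme's default port
        return u_port == DEFAULT_PORTS.get(u_scheme)
    return u_port == int(port)

def directive_allows(source_list, url, page_scheme="https"):
    """Whole directive value, e.g. "'self' *.somewhere.net"; keyword sources skipped."""
    return any(source_matches(s, url, page_scheme)
               for s in source_list.split() if not s.startswith("'"))
```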
