Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation

Presented at AppSec USA 2013, Nov. 20, 2013, 3 p.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=33

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organizations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you'll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We'll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal with these nuances at runtime. Next, we'll discuss the basic techniques we used for converting all of our classic "in-line" JavaScript to comply with the strict CSP that we developed. We'll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we'll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say, we were surprised by what was reported, and we'll share the results. Our hope is that by telling our story to the world, we'll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario, we'll save you the trouble and dissuade you from even trying).

Presenters:

  • Brian Holyfield - Gotham Digital Science
    Brian is a founding member of Gotham Digital Science. He has over 10 years of experience performing penetration testing and code review. Brian is also the team lead for SendSafely, a browser-based encrypted file exchange platform. Brian has spoken at numerous security conferences including BlackHat, RSA, AppSec USA, Source Boston and Shmoocon.
  • Erik Larsson
    Erik is a professional Java developer. In addition to writing code, Erik also consults with other developers on how to identify security flaws through code review and secure development patterns. He is a Java Developer for SendSafely.com and a Secure Development Consultant with Gotham Digital Science.
