Content Security Policy (CSP) is a mechanism to mitigate one of the most
common web application issues, Cross-Site Scripting (XSS).
CSP is a declarative policy that allows an application to tell the browser
which origins it expects resources, such as scripts and images,
to be loaded from.
In this presentation, we will talk about:
1. XSS. Very briefly, because in 2013 pretty much everyone knows about this attack.
2. CSP. What risks this mechanism covers and what it does not:
- CSP inside
- Browser support status and issues
- Policy definition mistakes and CSP common security considerations
- XSS without JS
3. Experience. How we implemented CSP on a service with an audience of
more than 11 million users per week:
- Changes in the service
- Bugs in browser implementations
- Problems with 3rd party libraries
- The way from Report-Only to Block mode
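To make the policy-definition mistakes and the Report-Only versus Block mode distinction above concrete, here is an added example (not code from the talk or from Yandex): a small parser for a serialized CSP value that flags the weak settings a reviewer would look for, and a helper that picks the right header name for each mode. The policy strings and the https://static.example.com origin are constructed for illustration.

```python
# Header names for the two deployment modes: report-only (violations are
# reported but not blocked) and enforcing ("block") mode.
ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Source expressions that leave script execution effectively unrestricted.
BROAD_SCRIPT_SOURCES = ("*", "http:", "https:", "data:")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def find_policy_mistakes(policy: str) -> list[str]:
    """Return findings for common policy-definition mistakes that weaken XSS mitigation."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: resource types not listed are unrestricted")
    # script-src falls back to default-src when it is absent.
    script_sources = d.get("script-src", d.get("default-src", []))
    for src in script_sources:
        low = src.lower()
        if low == "'unsafe-inline'":
            findings.append("'unsafe-inline' in script sources: inline scripts still execute")
        elif low == "'unsafe-eval'":
            findings.append("'unsafe-eval' in script sources: eval()/new Function() allowed")
        elif low in BROAD_SCRIPT_SOURCES:
            findings.append(f"{src} in script sources: scripts may load from almost anywhere")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations are never reported back")
    return findings


def csp_header(policy: str, report_only: bool) -> tuple[str, str]:
    """Return the (header name, value) pair for Report-Only or Block mode."""
    return (REPORT_ONLY_HEADER if report_only else ENFORCE_HEADER, policy)


# Constructed sample policies: a weak first attempt and a tightened version.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; img-src *"
STRICT_POLICY = ("default-src 'self'; script-src 'self' https://static.example.com; "
                 "img-src 'self' data:; report-uri /csp-report")
```

Rolling out STRICT_POLICY under the Report-Only header first, and switching to the enforcing header only after the reports show no breakage, is the path the talk describes.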
Taras Ivashchenko is an Information Security Officer at Yandex. For a long time he focused on penetration tests (especially under the PCI DSS standard), but his main focus has always been on web application security and web technologies in general. He is well known for his research (http://www.oxdef.info) in the field of web browser extension security risks and as a contributor to the w3af (http://w3af.org) project. Taras was a...