We have previously discussed input validation and data sanitization for protection against XSS attacks, but there is one more line of defense we can employ: the Content-Security-Policy (CSP) header.
This header lets us declare which origins the browser may load each kind of resource (such as JavaScript files, images, and stylesheets) from; anything not on the list is blocked, so an injected script pointing at an attacker's host never runs. The most common CSP directives are as follows:
connect-src: Specifies which origins the page's scripts are allowed to connect to (this applies to XHR and fetch() requests, WebSockets, and EventSource)
frame-src: Specifies which origins can be embedded as frames
img-src, media-src, object-src, style-src, and script-src: Define the origins from which images, media elements (audio and video), plugins (Flash and others), stylesheets, and JavaScript files can be loaded
By default, the directives are open, which means the resources can be loaded from everywhere. This behavior...
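The following is an added example, not code from the original text: it builds a Content-Security-Policy header value from a directive map, parses one back, and then checks whether a given resource URL would be permitted by the policy, including the fall-back to default-src and the open-by-default behaviour when no directive applies. The origins used (app.example.com, cdn.example.com, api.example.com) and the policy itself are made up for illustration; the matcher covers 'none', 'self', '*', scheme sources and host sources (with wildcard label and port), and deliberately leaves out paths, nonces and hashes.

```javascript
// Added example (not from the original text): build a Content-Security-Policy
// header, parse it back, and decide whether a resource load would be allowed.
// The origins below are constructed for illustration.

// Sample policy, constructed for this example. Each directive listed in the
// text falls back to default-src when absent, so default-src 'self' is the
// safety net for anything not named explicitly.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.com'],
  'img-src': ["'self'", 'https:'],
  'object-src': ["'none'"],
  'connect-src': ["'self'", 'https://api.example.com'],
};

// Serialize directive -> source list into the header's wire format.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into directive -> source list (names lower-cased).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does one source expression match the resource URL? Handles 'none', 'self',
// '*', scheme sources (https:) and host sources with optional scheme, leading
// wildcard label and port. Paths, nonces and hashes are out of scope here.
function sourceMatches(source, resource, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return resource.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // Scheme-only source such as "https:"
    return resource.protocol === source.toLowerCase();
  }
  let hostPort = source;
  const schemeEnd = source.indexOf('://');
  if (schemeEnd !== -1) {
    const scheme = source.slice(0, schemeEnd).toLowerCase() + ':';
    if (scheme !== resource.protocol) return false;
    hostPort = source.slice(schemeEnd + 3);
  }
  const [host, port] = hostPort.split('/')[0].split(':');
  const srcHost = host.toLowerCase();
  const resHost = resource.hostname.toLowerCase();
  if (srcHost.startsWith('*.')) {
    // "*.example.com" matches static.example.com but not example.com itself.
    if (!resHost.endsWith(srcHost.slice(1))) return false;
  } else if (srcHost !== resHost) {
    return false;
  }
  const resPort = resource.port || DEFAULT_PORTS[resource.protocol] || '';
  if (port && port !== '*' && port !== resPort) return false;
  return true;
}

// Would loading `resourceUrl` as `kind` ("script", "img", "connect", ...) from
// a page at `pageUrl` be allowed? An absent directive falls back to
// default-src; if that is absent too the load is allowed, which is the
// "open by default" behaviour described in the text.
function isAllowed(policy, kind, resourceUrl, pageUrl) {
  const resource = new URL(resourceUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const sources = policy[`${kind}-src`] || policy['default-src'];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, resource, pageOrigin));
}

const CSP_HEADER = buildCsp(POLICY);

// Headers to attach to every HTML response, e.g. with
// res.setHeader('Content-Security-Policy', CSP_HEADER) in a Node handler.
function securityHeaders() {
  return { 'Content-Security-Policy': CSP_HEADER };
}

console.log(CSP_HEADER);
console.log('evil script allowed:',
  isAllowed(POLICY, 'script', 'https://evil.example.net/x.js', 'https://app.example.com/'));
```

With the sample policy, a script injected as `<script src="https://evil.example.net/x.js">` is refused, the CDN script is accepted, and a video from a third party is refused because media-src is absent and default-src 'self' takes over; with an empty policy object the same injected script is allowed, which is exactly why a missing directive (and a missing default-src) leaves the door open.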