Introduction to Content Security for Beginners
Browsers: what do they all have in common (apart from being the “internet button” for many users)? They cannot tell malicious content from benign content. Because this weakness had to be addressed, content security was introduced.
What causes content to become malicious?
Much of this malicious content takes one of two forms: cross-site scripting (XSS) or clickjacking. Clickjacking, as the term suggests, hides a hyperlink behind another website’s clickable content. The user is lured into actions they are unaware of, makes clicks they never intended and may reveal valuable or even confidential information to the attacker.
Cross-site scripting, on the other hand, can prove far more dangerous: it accounts for 84% of security issues. XSS falls into the category of code injection, because the attacker embeds content in the website and, under the umbrella of the legitimate site, gains access to all of its information.
These two are the most common attacks that bypass a website’s same-origin policy. This policy is an important security mechanism of the web: it lets two web pages interact only if they share the same origin. In practice, that means that malicious content injected into one web page cannot access another page’s information.
What can I do as a beginner?
1) Trust only scripts from the same source, served via HTTPS
2) Load images only from one specific CDN
3) Do not allow frames or inline scripts
4) Allow fonts only from Google Fonts
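As an added example that is not part of the original article, here are the four rules above expressed as a Content-Security-Policy header, together with a simplified checker that shows which resource requests the policy would allow. The site origin, the CDN host and the two Google Fonts hosts are assumptions; the matcher understands only 'self', 'none' and exact scheme://host sources, not the full CSP matching rules.

```python
from urllib.parse import urlsplit

# Constructed hosts for the example (assumptions, not from the article).
SITE_ORIGIN = "https://shop.example"
IMAGE_CDN = "https://cdn.example"
GOOGLE_FONTS_CSS = "https://fonts.googleapis.com"   # serves the @font-face stylesheets
GOOGLE_FONTS_FILES = "https://fonts.gstatic.com"    # serves the font files themselves


def build_csp():
    """Translate the four beginner rules into Content-Security-Policy directives."""
    directives = {
        "default-src": ["'self'"],                  # fallback: same-origin only
        "script-src": ["'self'"],                   # rule 1: same-origin scripts; no 'unsafe-inline'
        "img-src": [IMAGE_CDN],                     # rule 2: images only from the CDN
        "frame-src": ["'none'"],                    # rule 3: the page embeds no frames
        "frame-ancestors": ["'none'"],              # rule 3: nobody may frame the page (clickjacking)
        "font-src": [GOOGLE_FONTS_FILES],           # rule 4: font files only from Google Fonts
        "style-src": ["'self'", GOOGLE_FONTS_CSS],  # the stylesheet that references those fonts
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header):
    """Split a serialized policy back into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def allows(header, directive, url=None, inline=False):
    """Simplified check: would the policy let this resource load?

    Only 'self', 'none' and exact scheme://host sources are understood;
    real browsers also handle wildcards, ports, nonces and hashes.
    """
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    if inline:                      # inline <script>/<style> needs 'unsafe-inline'
        return "'unsafe-inline'" in sources
    if sources == ["'none'"]:
        return False
    parts = urlsplit(url)
    requested = f"{parts.scheme}://{parts.netloc}"
    return any(src == requested or (src == "'self'" and requested == SITE_ORIGIN)
               for src in sources)
```

Send the string from `build_csp()` as the value of the `Content-Security-Policy` response header; the same policy is also a useful baseline to test with the browser's console, which reports each blocked request.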
The Content Security Policy standard was first introduced in 2004 and has evolved steadily ever since, and the majority of browsers now support it. It is a “must-have” tool, particularly for online businesses that implement user accounts, such as e-shops, banks or social media sites.