In Ticket #10237 Denis De Bernardy suggested implementing the new Mozilla feature to prevent XSS. That was about 11 months ago. The ticket caught my attention back then as well, but I could not give it the thoughtfulness it deserved. My first-approach patch was rated as too restrictive (hey, I like it strict :) ).
Just yesterday I had the ticket on follow-up. And what should I say? Two weeks ago, a CSP implementation as a WordPress plugin was finished by web security engineer Brandon Sterne (bsterne), and it has been released for a first test.
[Image gallery: CSP WordPress plugin screenshots]
What is CSP?
X-Content-Security-Policy: allow 'self'; img-src *; \
    object-src media1.com media2.com *.cdn.com; \
    script-src trustedscripts.example.com
Sample X-Content-Security-Policy HTTP Header
Test-driving the CSP Plugin
Installing the plugin is as easy as with almost any other WordPress plugin. Just click on Plugins -> Add New in your backend and search for Content Security Policy, or CSP for short. You should find the Content Security Policy plugin in the result list. Press the Install link at the end of the entry and confirm by pressing Install Now in the dialog that appears. After download and installation, just activate it.
To start, just press the Suggest Policy button. After some Ajax activity, the Trusted Sites list is filled with a default policy. If I saw that right, it analyses your posts and comments for that (at least post no. 1) and offers a suggestion based on them. In my scenario that was images for everyone, with scripts and styles limited to the local address. In case you wonder, the blog is running on an IP address; that is the one starting with 192.168… in the screenshots.
That default suggestion was fine for me for the moment (this is a very simple test blog, I do not need any external scripts or CSS files). To confirm the policy, just press the Save Changes button.
Fine-grained Settings
But wait! I do not want to allow linked images. Loading images from other servers transfers the users' referrer information to those servers, and I would like to add some privacy here (sort of a misuse of CSP, but let's take this as an example for the moment). This can be done by clicking on the Everyone entry below Images, which strikes it through, and the Save Changes button appears again. Pressing it will save the changes. After saving, the Everyone entry is removed.
And now? What happened to images? In CSP, a resource type without its own directive falls back to the main setting. Click on Show Advanced to make the concrete setting visible. This is what the plugin's UI has generated so far:
allow 'self'; script-src 'self' ; style-src 'self' ;
So the default is allow 'self' (the approach I took in my first patch, and nothing else). Images therefore fall back to that one. In comparison, this is the "Advanced" policy setting with images allowed from everyone:
allow 'self'; img-src * ; script-src 'self' ; style-src 'self' ;
Note: Do not forget to tick the Enable CSP checkbox, otherwise the policy will not be activated.
Note 2: Sometimes saving changes does not work with the plugin. Just double-check by re-opening the admin page via the menu and save again.
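To make the fallback rule above concrete, here is an added example (not the plugin's own code) that parses the pre-standard X-Content-Security-Policy syntax shown on this page and decides whether a resource would be allowed. It handles the simplified source forms used here ('self', *, plain hosts and *.host wildcards); the self host 192.168.0.10 and the URLs are constructed values, and scheme and port matching are deliberately left out.

```python
from urllib.parse import urlsplit

# Parse "allow 'self'; img-src * ; ..." into {directive: [sources]}.
# Directives are separated by ';', sources by whitespace.
def parse_policy(header):
    policy = {}
    for directive in header.split(';'):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

# A resource type without its own directive (e.g. img-src)
# falls back to the main "allow" directive.
def effective_sources(policy, directive):
    if directive in policy:
        return policy[directive]
    return policy.get('allow', [])

# Match one source expression against the host a resource comes from.
def source_matches(source, host, self_host):
    if source == '*':
        return True
    if source == "'self'":
        return host == self_host
    if source.startswith('*.'):
        return host.endswith(source[1:])   # *.cdn.com matches a.cdn.com
    return host == source

# Would a resource of the given type load from this URL under the policy?
def allows(header, directive, url, self_host):
    host = urlsplit(url).hostname
    sources = effective_sources(parse_policy(header), directive)
    return any(source_matches(s, host, self_host) for s in sources)

# The two policies generated by the plugin UI, as quoted on this page.
POLICY_NO_IMG = "allow 'self'; script-src 'self' ; style-src 'self' ;"
POLICY_IMG_ALL = "allow 'self'; img-src * ; script-src 'self' ; style-src 'self' ;"
SELF_HOST = '192.168.0.10'   # constructed stand-in for the test blog's address

if __name__ == '__main__':
    hotlinked = 'http://example.org/hotlinked.png'
    print(allows(POLICY_NO_IMG, 'img-src', hotlinked, SELF_HOST))   # False: falls back to 'self'
    print(allows(POLICY_IMG_ALL, 'img-src', hotlinked, SELF_HOST))  # True: img-src *
```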
CSP is something very useful for your users. While it might not be supported by all your users' browsers as of today, you as webmistress or -master should take care here and be one of the early adopters. The web is constantly evolving, and security is a process everyone should take their part in.
This CSP plugin is quite new but already useful, even though it still has some flaws in its usability. In the end it does the job and is a nice way to learn about CSP.
- Content Security Policy Homepage (There: WordPress Plugin)
- CSP WordPress Plugin in the Repository
- Content Security Policy Specification Documents
- WordPress Ticket #10237 – Implement the new Mozilla feature to prevent XSS
- Content Security Policy – final call for comments in the mozilla.dev.security Newsgroup
- Mozilla tackles XSS vulnerabilities with new technology (ZDNet Blog Entry June 22, 2009)