Content Security Policy (CSP) - TairinySimeonato/WebAuditing GitHub Wiki
- CSP is an extra security layer aiming to mitigate data injection, clickjacking and cross-site scripting attacks resulting from execution of malicious input in the trusted web page.
- It instructs the client browser from which location and/or which type of resources are allowed to be loaded, whitelisting sources of script, style, and other resources.
- To enable CSP, the web server has to be configured to return the Content-Security-Policy HTTP response header.
- If CSP is enabled, some JavaScript code is limited (among other restrictions): inline `<script>` blocks, DOM event handlers as HTML attributes (e.g. `onclick`) and `javascript:` links are blocked.
- The risk with CSP can have 2 main sources:
  - Policy misconfiguration
  - Non-restrictive policies
Mitigating XSS Attacks
- The primary objective of CSP is to mitigate and report XSS attacks.
- XSS attacks exploit the browser's trust of the content received from the server.
- Malicious scripts are executed by the victim's browser because the browser trusts the source of the content.
- CSP specifies the domains that the browser should consider to be valid sources of executable scripts.
- A CSP compatible browser will only execute scripts loaded in source files received from those whitelisted domains.
- Sites can opt to completely disallow script execution.
Mitigating packet sniffing attacks
- The server can specify which protocols are allowed to be used.
- Ideally, all content must be loaded using HTTPS.
- A secure implementation uses HTTPS for data transfer, marks all cookies with the secure flag and provides automatic redirects from HTTP pages to their HTTPS counterparts.
- Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.
If a user logs into both example.com and example.org, the Same Origin Policy prevents example.com from making an AJAX request to `example.org/secret_info` and gaining access to the response.
This is the default policy of the web and prevents the user's data from being leaked when logged into multiple sites at the same time.
CORS allows the Same Origin Policy to be relaxed for a domain. For example, test.org could set a policy saying it will allow the origin https://test.com to read the responses to AJAX requests. This is possible if both example.com and example.org are run by the same company and data sharing between the origins is to be allowed in the user's browser. It only affects the client side, not the server side.
CSP, on the other hand, sets a policy of what content can run on the current site. For example, CSP can defend against XSS attacks in which the attacker tries to inject script into the HTML page: when the policy prevents inline script from executing, the XSS attack is blocked.
The w3af audit tool contains a plugin to automatically audit a web application and check whether it correctly implements CSP policies.
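As an added example (not code from this wiki or from w3af), the following Python parses a Content-Security-Policy header and flags the two risk sources named above, policy misconfiguration and non-restrictive policies, including whether the inline `<script>`, `onclick` and `javascript:` cases described earlier would be allowed to run. The directive list, rule set and sample headers are this example's own assumptions, not a complete implementation of the CSP specification.

```python
# Added example, not the wiki's or w3af's code. Directive names and the
# checks below are assumptions chosen to illustrate the page's two risk
# sources: misconfiguration and non-restrictive policies.

KNOWN = {"default-src", "script-src", "style-src", "img-src", "connect-src",
         "font-src", "object-src", "frame-src", "base-uri", "form-action",
         "frame-ancestors", "report-uri", "report-to",
         "upgrade-insecure-requests"}

def parse_csp(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def effective_sources(policy: dict, directive: str):
    """Fetch directives fall back to default-src; None means no restriction at all."""
    return policy.get(directive, policy.get("default-src"))

def inline_script_allowed(policy: dict) -> bool:
    """True when <script> blocks, onclick= attributes and javascript: URLs may run.
    A nonce or hash source makes browsers ignore 'unsafe-inline' for that directive."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash

def audit_csp(header: str) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = [f"misconfiguration: unknown directive '{d}'"
                for d in policy if d not in KNOWN]
    if "default-src" not in policy:
        findings.append("misconfiguration: no default-src fallback")
    if inline_script_allowed(policy):
        findings.append("non-restrictive: inline script is allowed")
    for directive in ("script-src", "object-src"):
        for src in effective_sources(policy, directive) or []:
            # Wildcards, scheme-only sources, data: and eval are open doors.
            if src.lower() in ("*", "data:", "http:", "https:", "'unsafe-eval'"):
                findings.append(f"non-restrictive: {directive} allows {src}")
    return findings
```

Constructed sample: `audit_csp("default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'")` returns no findings, while `audit_csp("script-src *; scripts-src 'self'")` reports a typo'd directive, the missing default-src fallback and the wildcard script source.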