Browsers: what do they have in common (except, perhaps, for being the “internet button”)? They cannot tell malicious content from benign content. Because this flaw had to be tackled, Content Security Policy was introduced.
What causes content to become malicious?
Much of this malicious content takes the form of either cross-site scripting (XSS) or clickjacking. Clickjacking, as the term suggests, hides a hyperlink inside another website’s clickable content. In this way the user is lured into actions they are unaware of, makes clicks they never intended, and may reveal valuable or even confidential information to the attacker.
Cross-site scripting, on the other hand, can prove far more dangerous, as it accounts for 84% of security issues. It falls into the category of code injection: the attacker embeds content in the website and, under the umbrella of the legitimate site, accesses all of its information.
These two are the most common attacks that bypass a website’s same-origin policy. That policy is a cornerstone of web security: it allows two web pages to interact only if they share the same origin. In practice, this means that malicious content injected into one web page cannot access another page’s information.
What can I do as a beginner?
This model, the Content Security Policy, preserves data confidentiality: the website owner declares the secure, trusted and therefore whitelisted sources of content, covering a wide array of content types such as HTML5, JavaScript, CSS, images, audio files and many others. The Content Security Policy standard lets owners predefine what content their website may contain, whether inline scripts or external resources. Each page can carry a standard security policy that minimises the damage in cases where an attacker has already injected malicious content. The owner has many ways to specify which content is safe and hence allowed to load on each page. The most common are:
1) Trust only scripts from the same source via HTTPS
2) Images loaded should come from a particular CDN
3) Frames or inline scripts should not be allowed
4) Only allow fonts from Google Fonts
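The four rules above written out as a Content-Security-Policy header, together with a simplified checker that shows which loads the policy permits and which it blocks. This is an added example, not code from the original article; the site origin and the CDN hostname are assumptions.

```python
# Added example, not code from the original article: the four rules above as a
# Content-Security-Policy header, plus a simplified checker showing which loads
# the policy permits. The site and CDN hostnames are assumed.
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.com"  # assumed origin of the protected site
POLICY = {
    "default-src": ["'none'"],                  # block anything not listed below
    "script-src": ["'self'"],                   # (1) own HTTPS origin only
    "img-src": ["https://cdn.example.com"],     # (2) assumed CDN hostname
    "frame-src": ["'none'"],                    # (3) no frames; inline scripts are
                                                #     blocked as 'unsafe-inline' is absent
    "font-src": ["https://fonts.gstatic.com"],  # (4) host that serves Google Fonts files
}


def header_value(policy):
    """Serialise the policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def parse(header):
    """Parse a header value back into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Simplified CSP matching for 'none', 'self', scheme-only and host sources.
    url == "inline" stands for an inline script; a missing directive falls back to
    default-src (real browsers use a longer chain, e.g. frame-src -> child-src)."""
    sources = policy.get(directive, policy.get("default-src", []))
    if url == "inline":
        return "'unsafe-inline'" in sources
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and u.scheme == src[:-1]:  # scheme source such as https:
            return True
        if src == origin:                                # host source
            return True
    return False
```

Sending `header_value(POLICY)` as the `Content-Security-Policy` response header applies these rules in a compliant browser; the checker is only a model of the matching logic for the source forms it lists.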
The Content Security Policy standard was first introduced in 2004 and has evolved ever since, with the majority of browsers now complying with it. It is a “must-have” tool, particularly for online businesses that implement user accounts, such as e-shops, banks or social media.