Content Security Policy


  • #8990
    silas88
    Participant

    Hi AiTpro,

    Have you looked at Content-Security-Policy headers? As you may know, they are intended to provide additional protection against attacks such as XSS: http://www.w3.org/TR/2012/CR-CSP-20121115/

    I have spent a few hours on this and I still can’t get them to work without throwing up errors. 🙁 The problem I have is an inline b64 font in a CSS file, and some complex source addresses fail to parse. Personally, after playing with it for a while, I have doubts whether it will ever work with WP, as JavaScript and fonts need to adhere to stringent requirements; otherwise the only way to get them to work is to use ‘unsafe-inline’, which defeats the whole purpose. Anyway, just wondering if you have looked at this and if you got any further than I did. Oh, by the way, there is an abandoned WP plugin called Content Security Policy – http://wordpress.org/plugins/content-security-policy/ – that was written by one of the key folks behind this at Mozilla. Unfortunately it doesn’t seem to work on 3.6; it crashed FF on me a couple of times and my dev skills are not that advanced to debug it.
    This is the format…

    # Apache .htaccess / httpd.conf (mod_headers). The data: scheme-source needs
    # its trailing colon; a bare "data" is parsed as a host named "data".
    Header set Content-Security-Policy "default-src 'self'; \
     script-src 'self'; \
     font-src 'self' data:; \
     connect-src 'self'"
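    As an added example (not from the post or from any plugin), here is a small CSP parser and linter that shows why the inline base64 font fails under the policy above: `font-src 'self' data` (no colon) lists a host called `data`, while only the scheme-source `data:` permits data URIs. It also reports `'unsafe-inline'` wherever it appears. The parser is simplified and the sample policies are constructed for the demonstration.

```python
import re

# Constructed sample policies: the one from the post, and the corrected one.
BROKEN = "default-src 'self'; script-src 'self'; font-src 'self' data; connect-src 'self'"
FIXED = "default-src 'self'; script-src 'self'; font-src 'self' data:; connect-src 'self'"

SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:$")  # e.g. data:, https:, blob:


def parse_csp(header_value):
    """Return {directive_name: [source expressions]} from a CSP header value."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives (font-src, img-src, ...) fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def allows_data_uri(policy, directive):
    """True only if the scheme-source 'data:' (with colon) is listed for the directive."""
    return any(s.lower() == "data:" for s in effective_sources(policy, directive))


def lint(header_value):
    """Flag the bare-'data' host mistake and any use of 'unsafe-inline'."""
    warnings = []
    for directive, sources in parse_csp(header_value).items():
        for source in sources:
            s = source.lower()
            if s == "data":  # a host name, not a scheme
                warnings.append(f"{directive}: 'data' is a host name, did you mean 'data:'?")
            elif s == "'unsafe-inline'":
                warnings.append(f"{directive}: 'unsafe-inline' removes XSS protection here")
            elif s.startswith("'") and s.endswith("'") and s not in ("'self'", "'none'"):
                pass  # other keyword sources (nonces, hashes, 'unsafe-eval') are left as is
    return warnings


if __name__ == "__main__":
    for name, value in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "font-src allows data: URIs ->", allows_data_uri(parse_csp(value), "font-src"))
        for w in lint(value):
            print("  warning:", w)
```

Run it and the broken policy reports the bare `data` host and refuses data: fonts, while the corrected policy passes cleanly.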
    #9015
    AITpro Admin
    Keymaster

    Nope, I have not looked into CSP before, but when I have some spare time will take a look at this.
