Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
...
var db = openDatabase('mydb', '1.0', 'Test DB', 2 * 1024 * 1024);
...
'mydb'
can access it.script-src
, img-src
, object-src
, style_src
, font-src
, media-src
, frame-src
, connect-src
.*
to indicate all or part of the source. None of the directives are mandatory. Browsers will either allow all sources for an unlisted directive or will derive its value from the optional default-src
directive. Furthermore, the specification for this header has evolved over time. It was implemented as X-Content-Security-Policy
in Firefox until version 23 and in IE until version 10, and was implemented as X-Webkit-CSP
in Chrome until version 25. Both of the names are deprecated in favor of the now standard name Content Security Policy
. Given the number of directives, two deprecated alternate names, and the way multiple occurrences of the same header and repeated directives in a single header are treated, there is a high probability that a developer might misconfigure this header.unsafe-inline
or unsafe-eval
defeats the purpose of CSP.script-src
directive is set but no script nonce
is configured.frame-src
is set but no sandbox
is configured.django-csp
configuration uses unsafe-inline
and unsafe-eval
insecure directives to allow inline scripts and code evaluation:
...
MIDDLEWARE_CLASSES = (
...
'csp.middleware.CSPMiddleware',
...
)
...
CSP_DEFAULT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'", 'cdn.example.net')
...
script-src
img-src
object-src
style_src
font-src
media-src
frame-src
connect-src
default-src
directive. Furthermore, the specification for this header has evolved over time. It was implemented as X-Content-Security-Policy
in Firefox until version 23 and in IE until version 10, and was implemented as X-Webkit-CSP
in Chrome until version 25. Both of the names are deprecated in favor of the now standard name Content Security Policy. Given number of directives, two deprecated alternate names, and the way multiple occurrences of the same header and repeat directives in a single header are treated, there is a high probability that a developer might misconfigure this header.X-Frame-Options
header to instruct the browser whether the application should be framed. Disabling or not setting this header can lead to cross-frame related vulnerabilities.X-Frame-Options
header:
<http auto-config="true">
...
<headers>
...
<frame-options disabled="true"/>
</headers>
</http>
script-src
, img-src
, object-src
, style_src
, font-src
, media-src
, frame-src
, connect-src
. These 8 directives take a source list as a value that specifies domains the site is allowed to access for a feature covered by that directive. Developers can use a wildcard *
to indicate all or part of the source. Additional source list keywords such as 'unsafe-inline'
and 'unsafe-eval'
provide more granular control over script execution but are potentially harmful. None of the directives are mandatory. Browsers either allow all sources for an unlisted directive or derive its value from the optional default-src
directive. Furthermore, the specification for this header has evolved over time. It was implemented as X-Content-Security-Policy
in Firefox until version 23 and in IE until version 10, and was implemented as X-Webkit-CSP
in Chrome until version 25. Both of these names are deprecated in favor of the now standard name Content Security Policy
. Given the number of directives, two deprecated alternate names, and the way multiple occurrences of the same header and repeated directives in a single header are treated, there is a high probability that a developer can misconfigure this header.default-src
directive:
<http auto-config="true">
...
<headers>
...
<content-security-policy policy-directives="default-src '*'" />
</headers>
</http>
script-src
, img-src
, object-src
, style_src
, font-src
, media-src
, frame-src
, connect-src
. These 8 directives take a source list as a value that specifies domains the site is allowed to access for a feature covered by that directive. Developers can use a wildcard *
to indicate all or part of the source. Additional source list keywords such as 'unsafe-inline'
and 'unsafe-eval'
provide more granular control over script execution but are potentially harmful. None of the directives are mandatory. Browsers either allow all sources for an unlisted directive or derive its value from the optional default-src
directive. Furthermore, the specification for this header has evolved over time. It was implemented as X-Content-Security-Policy
in Firefox until version 23 and in IE until version 10, and was implemented as X-Webkit-CSP
in Chrome until version 25. Both of these names are deprecated in favor of the now standard name Content Security Policy
. Given the number of directives, two deprecated alternate names, and the way multiple occurrences of the same header and repeated directives in a single header are treated, there is a high probability that a developer can misconfigure this header.*-src
directive has been configured with an overly permissive policy such as *
Example 1: The following django-csp
setting sets an overly permissive and insecure default-src
directive:
...
MIDDLEWARE_CLASSES = (
...
'csp.middleware.CSPMiddleware',
...
)
...
CSP_DEFAULT_SRC = ("'self'", '*')
...
Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
<websocket:handlers allowed-origins="*">
<websocket:mapping path="/myHandler" handler="myHandler" />
</websocket:handlers>
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
<?php
header('Access-Control-Allow-Origin: *');
?>
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
response.addHeader("Access-Control-Allow-Origin", "*")
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
play.filters.cors {
pathPrefixes = ["/some/path", ...]
allowedOrigins = ["*"]
allowedHttpMethods = ["GET", "POST"]
allowedHttpHeaders = ["Accept"]
preflightMaxAge = 3 days
}
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.Access-Control-Allow-Origin
is defined. With this header, a Web server defines which other domains are allowed to access its domain using cross-origin requests. However, exercise caution when defining the header because an overly permissive CORS policy can enable a malicious application to inappropriately communicate with the victim application, which can lead to spoofing, data theft, relay, and other attacks.
Response.AddHeader "Access-Control-Allow-Origin", "*"
*
as the value of the Access-Control-Allow-Origin
header indicates that the application's data is accessible to JavaScript running on any domain.