Preventing web browsers from doing what attackers tell them to

Content Security Policy

I first mentioned Content Security Policy back in April 2009 [4] as an experimental project. The good news is that WebKit-based browsers (Chrome and Safari), Gecko (Firefox, Thunderbird, and SeaMonkey) and Internet Explorer 10 have partial support [5]. If you want to use it, you'll need to specify three headers to be on the safe side: Content-Security-Policy, X-Content-Security-Policy, and X-WebKit-CSP, which are used by various browsers and various versions.

If supported, however, the Content Security Policy supports extremely fine grained access permissions. You can specify from where resources like scripts, objects (plugins), stylesheets, images, media, frames, fonts, forms, and so on can be loaded and even specify a report-uri that tells the web browser where to send information about policy violations. Thus, if a third-party website attempts to trigger a browser to loading protected content that is not permitted, you can in theory be informed by the client, which would allow you to track which sites are being used to attack you.


Unfortunately, most of these security headers are not widely used. For the top 1 million websites (according to Alexa), one report states that roughly 20,000 sites use the X-Frame-Options header, about 4,000 use the Access-Control-* headers, about 1,400 use the Strict Transport Security headers to enforce HTTPS, and approximately 100 use Content Security Policies [6]. Saying that these security headers are not widely used is an understatement. Obviously, better support in clients would help, but one area in which support for these headers seems to be really lacking is in most web applications and frameworks. Much like SELinux and other security policies, they'll remain a niche item until things hit a critical mass.


  1. Chromium STS:
  2. The X-Frame-Options response header:
  3. HTTP access control:
  4. "Web Browser Security" by Kurt Seifried, Linux Pro Magazine, April 2009, pg. 64:
  5. Content Security Policy:
  6. Security Headers on Top 1,000,000 Websites: March 2013 Report:

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Security Lessons

    Learn more about protecting your website with NoScript, ModSecurity, and Site Security Policy.

  • Security Lessons

    Sometimes, even ING, YouTube, The New York Times, and Google get it wrong.

  • Perl: Spotify

    For a monthly fee, the Spotify streaming service beams music onto your desktop or phone. To intensify the groove, Perlmeister Mike Schilli archived his Spotify playlists for eternity using an OAuth-protected web API.

  • Web Filters

    Content filters protect a web user’s privacy and keep the flood of unsolicited advertising at bay. We’ll show you a pair of popular Open Source content filters.

  • Security Lessons: HTML5

    New web technologies address shortcomings in web browsers but create new problems as well.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95