User:BWolff (WMF)/CSP/6
< User:BWolff (WMF) | CSP
CSP to the rescue
editCSP has a lot of options and features. But the main relevant idea is two things
- Disable inline javascript (including the onload html attribute we saw earlier, but also anything not in its own .js file).
- Have a whitelist of allowed domains for javascript (To disallow injecting
<script src="https://evil.com/evil.js"></script>
)
The idea is, that most injection type vulnerabilities like XSS rely on different systems confusing different types of data. The iframe issue we saw previously was caused by the system thinking the url ended at the double quote and everything after was html, where that's clearly not what the programmer meant. To fix that, CSP makes HTML not be allowed to contain JS except in separate files. Its impossible to get mixed up if the two things aren't allowed to be together.