CSP: protecting against XSS with script-src
Publish date: 2020-11-24
Last updated: 2020-11-25
A defence-in-depth strategy for protection against XSS is to use the script-src directive of your Content Security Policy.
- 'self'
  - Only allow scripts from its own domain. This excludes subdomains.
  Content-Security-Policy: script-src 'self';
- 'unsafe-inline'
  - Allow inline JavaScript on the page, for example between <script> tags.
- 'nonce-<value>'
  - A nonce (number used once) returned from the server on each request.
- 'sha256-<hash>' (sha384- and sha512- are also accepted)
  - A hash of the script body, excluding the enclosing HTML tags.
Recommended practice
To allow inline scripts, the nonce technique is easy and effective. Limiting scripts to nonced inline scripts and scripts from your own domain is a good start. Note that there is no colon after the directive name and that the nonce source expression is single-quoted, like 'self'.
Content-Security-Policy: script-src 'self' 'nonce-<my-random-nonce-goes-here>';
<script nonce="<my-random-nonce-goes-here>">
alert('donkey')
</script>
If you load scripts from a different subdomain, you need to add that subdomain explicitly. Scripts from CDNs and third parties also need to be added explicitly.
Third-party scripts should also use subresource integrity, so that the content cannot be changed after you included it, for example if the provider you are loading them from is compromised.