Implementing Mozilla’s Content Security Policy

I recently discovered this page, which describes Mozilla’s solution for prevention of XSS (Cross-Site Scripting) available as a Firefox Extension.  Here’s the HTTP response from my site:

hank@tardis:~$ wget -S
--2009-06-30 09:52:13--
Connecting to||:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3
   mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
 X-Powered-By: PHP/5.2.8
 Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT
 X-Content-Security-Policy: allow self; img-src *; object-src * 
  *; script-src * *; style-src * *
 Content-Length: 57457
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8

As you can see, my content security policy is sent as an HTTP header on all HTTP responses from my site.  I basically stole an example from this page.  I’ve attached it in the .htaccess file in my site’s root, before everything else in there, like so:

<IfModule mod_headers.c>
Header set X-Content-Security-Policy "allow self; img-src *; object-src * *; script-src * *; style-src * *"
</IfModule>

I highly recommend everyone with commenting activated on their blog enable this, since XSS is a serious pain.  This seems to work very well on Site5, where mod_headers was simply enabled out of the box.
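
The following is an added example, not code from the original post: a small Python check that parses a policy string in the syntax shown above and flags wildcard sources for scripts and plugins, plus the pre-standard names (X-Content-Security-Policy and allow were later standardized as Content-Security-Policy and default-src). The sample headers are constructed for illustration and static.example.com is a placeholder host.

```python
# Added example: audit a CSP response header for overly broad sources.
# Sample headers below are constructed; static.example.com is a placeholder.

LEGACY_HEADER = "x-content-security-policy"
STANDARD_HEADER = "content-security-policy"
# Directives where a bare "*" permits active content from any origin.
ACTIVE_CONTENT = ("script-src", "object-src")


def parse_policy(value):
    """Split 'name src src; name src' into {name: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(headers):
    """Return a list of findings for the CSP header in a dict of response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    if STANDARD_HEADER in lowered:
        value = lowered[STANDARD_HEADER]
    elif LEGACY_HEADER in lowered:
        value = lowered[LEGACY_HEADER]
        findings.append("legacy header name: X-Content-Security-Policy")
    else:
        return ["no content security policy header sent"]
    policy = parse_policy(value)
    if "allow" in policy:
        findings.append("legacy 'allow' directive; standard name is default-src")
    # With no fallback directive at all, a missing directive means unrestricted.
    fallback = policy.get("default-src", policy.get("allow", ["*"]))
    for name in ACTIVE_CONTENT:
        if "*" in policy.get(name, fallback):
            findings.append(f"{name} allows any origin (*)")
    return findings


SAMPLE_OPEN = {"X-Content-Security-Policy":
               "allow self; img-src *; object-src *; script-src *; style-src *"}
SAMPLE_TIGHT = {"Content-Security-Policy":
                "default-src 'self'; img-src *; script-src 'self' static.example.com"}

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_TIGHT):
        print(audit(sample) or "no findings")
```

A policy that leaves script-src at * still lets a comment inject a script tag pointing at any host, so the check treats that as a finding even when the header is present.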

One thought on “Implementing Mozilla’s Content Security Policy”

  1. Mukesh Rustagi

    If we apply the CSP at the webserver level, is there still any requirement to implement this in the application code, to add the nonce etc.?
