No More XSS - Deploying CSP with Nonces and Strict-Dynamic

Explore a comprehensive conference talk on implementing Content Security Policy (CSP) to prevent cross-site scripting (XSS) vulnerabilities. Learn about the evolution of CSP, focusing on version 3's strict-dynamic mechanism, which simplifies application to existing web pages without major refactoring. Discover how Pinterest and Instapaper successfully deployed strict CSP, including implementation tips and potential pitfalls. Gain insights into topics such as nonces, hashes, whitelisting, and JavaScript templates. Understand the deployment process, necessary code changes, and the benefits of report-only mode. Equip yourself with practical knowledge to enhance web application security and effectively combat XSS attacks.

Introduction
Agenda
Crosssite scripting
Templates and autoescape
No crosssite scripting
Content security policy
Domain whitelist
Object source base URI
HTML injection
Inline scripts
CSP nonces
What can go wrong
Hashes
Whitelisting
Strictdynamic
JavaScript templates
Deploying CSP
Easier to deploy
Code changes
Nonces
Change templates
Report only mode
CSP policy
Resources
Questions
Report URL