A Content Security Policy (CSP) is a new web standard meant to insulate websites and web applications from Cross-Site Scripting (XSS) attacks. Until now, XSS defenses have had to be enforced in our own web application code; this standard is enforced by the browsers themselves. This is much better.
So far, we’re retrofitting Apache-based sites with a header setting in .htaccess:
<IfModule mod_headers.c>
  # Eventual non-experimental header. The W3C syntax has no "allow" or "options":
  # default-src 'self' covers every resource type in one directive, and
  # 'unsafe-inline' is the standard spelling of "options inline-script".
  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
  # For Firefox 4+ & IE10 (Mozilla's experimental syntax: allow + options)
  Header set X-Content-Security-Policy "allow 'self'; options inline-script; img-src 'self'; font-src 'self'; style-src 'self'; media-src 'self'; object-src 'self'; script-src 'self'"
  # For Chrome & Safari (WebKit based); the prefixed header takes the W3C directive names
  Header set X-WebKit-CSP "default-src 'self'; img-src 'self'; font-src 'self'; style-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline'"
</IfModule>
Of course, not all browsers support this yet, and for the time being the browsers that do use different, vendor-prefixed experimental headers, as detailed in the .htaccess snippet above.
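To check what a site actually sends, here is a small auditor, added as an example and not part of the original post, that parses each of the three header variants above and flags the settings a reviewer would question (no fallback directive, inline scripts re-enabled, scripts from any origin). The sample response headers are constructed to mirror the snippet, and header names are assumed to match exactly in case.

```python
from typing import Dict, List

# The three header names the post's .htaccess snippet sets.
CSP_HEADERS = ("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP")

# Constructed sample response headers mirroring the snippet (not captured from a real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Security-Policy": "allow 'self'; options inline-script; img-src 'self'; script-src 'self'",
    "X-WebKit-CSP": "default-src 'self'",
}

INLINE_FINDING = "inline scripts allowed: injected <script> tags still execute"
NO_DEFAULT_FINDING = "no default-src/allow: resource types not listed are unrestricted"
ANY_ORIGIN_FINDING = "scripts may load from any origin"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split 'name src src; name src' into {name: [sources]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_policy(policy: Dict[str, List[str]]) -> List[str]:
    """Return the weaknesses a reviewer would flag in one parsed policy."""
    findings = []
    # W3C syntax falls back to default-src; the old Mozilla syntax used 'allow'.
    if "default-src" not in policy and "allow" not in policy:
        findings.append(NO_DEFAULT_FINDING)
    fallback = policy.get("default-src", policy.get("allow", []))
    scripts = policy.get("script-src", fallback)
    # 'unsafe-inline' (W3C) and 'options inline-script' (Mozilla) both re-enable inline scripts.
    if "'unsafe-inline'" in scripts or "inline-script" in policy.get("options", []):
        findings.append(INLINE_FINDING)
    if "*" in scripts:
        findings.append(ANY_ORIGIN_FINDING)
    return findings


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit each header variant; a missing variant is itself reported."""
    report = {}
    for name in CSP_HEADERS:
        value = headers.get(name)
        report[name] = audit_policy(parse_csp(value)) if value else ["header not set"]
    return report


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {findings or ['ok']}")
```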
More reading:
The W3 Standard: Content Security Policy
http://linux.dashexamples.com/2011/08/adding-content-security-policy-csp-to-apache-virtual-hosts/