A Content Security Policy is the best protection against one of the most malicious attacks on the Internet – supply chain attacks – and with increased awareness and adoption of CSP's by some of the largest sites online, you may be starting your own research into Content Security Policies.
Initial research into CSP’s leads to some common questions:
Answering these questions relies on being able to find a CSP on a site. The good news is, CSP's are not hidden configurations. By their nature, they are fully public and visible on the site via a few easy steps. We’ll be walking you through some of these options.
Keep in mind that CSP’s can be deployed in two distinct places:
Since a CSP can be deployed in both locations, you’ll want to look at both deployment options to find out whether a site is using a CSP. Let's get started.
OPTION #1: Use developer tools to find a CSP in a response header
Example (steps correspond to above list): Twitter - BlueTriangle
See the CSP in the response header if it is present. It will be titled "content-security-policy."
Option #2 - Use a 3rd party browser extension to find a CSP in the response header
There is a browser extension available in Chrome called “CSP Evaluator” that will automatically pull any CSP from the response header for the page, but not a CSP in a meta tag.
The tool can be found under the Chrome Extension Store: CSP Evaluator
This Chrome Extension works very well and can display the CSP and some insightful recommendations. Here is an example of it in action, tracking down the CSP on LinkedIn: LinkedIn - Blue Triangle
If you can’t locate a CSP in the page's response header using the methods above, don't give up! A Content Security Policy can also be deployed in a meta tag.
There are multiple reasons an organization may use a meta tag to insert their CSP. We’ll discuss the pros and cons of using a meta tag vs. response header for your CSP in a future Blue Triangle blog article.
OPTION #3: Use the page source to find a CSP in a meta tag
First, navigate to the page source.
Once the page source is shown, find out whether a CSP is present in a meta tag.
Site used: Staples
While there are other methods for finding a CSP on a site, these are some of the fastest and easiest ways to check and help with answering the questions in your initial research into CSP’s.
If you would like more information on how to build, deploy, and maintain a properly constructed CSP to prevent supply chain attacks, please reach out to us.
Here is an excellent research site for dealing with the entire specification of the CSP: World Wide Web Consortium - CSP Spec
Here are some Webinars if you'd like to expand the journey into CSP research:
All the Best,