Browsers: what do they have in common (apart from being the “internet button”)? They cannot tell malicious content from benign content. Because this flaw had to be tackled, content security, in the form of the Content Security Policy (CSP), was introduced.
What causes content to become malicious?
Much of this malicious content is either cross-site scripting (XSS) or clickjacking. Clickjacking, as the term suggests, is a way of hiding a hyperlink inside another website’s clickable content. The user is lured into actions he is unaware of and makes clicks he never intended. Cross-site scripting, on the other hand, can prove a lot more dangerous, as it accounts for 84% of security issues. Cross-site scripting falls into the category of code injection: the attacker embeds content in the website and accesses all information under the umbrella of the legitimate site.
These two are the most common ways of attacking a website by bypassing the same-origin policy. This policy is an important security mechanism of the web: it lets two web pages interact only if they share the same origin. In practice, that means that if someone injects malicious content into one web page, it cannot access another page’s information.
What can I do as a beginner?
1) Trust only scripts from the same source via HTTPS
2) Images loaded should come from a particular CDN
3) Frames or inline scripts should not be allowed
4) Only allow fonts from Google Fonts
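The four rules above map directly onto CSP directives. The following is an added example, not code from the original post: it builds the `Content-Security-Policy` header value for those rules and includes a small matcher (a simplified subset of the CSP source-expression rules) that shows which resource loads the policy would permit or block. `https://www.example.com` (the site) and `https://cdn.example.com` (the CDN) are constructed placeholders; `fonts.googleapis.com` serves the Google Fonts stylesheet and `fonts.gstatic.com` the font files.

```javascript
// Added example: express the four beginner rules as a CSP and evaluate loads against it.
// https://www.example.com and https://cdn.example.com are constructed placeholders.

const policy = {
  'default-src': ["'none'"],           // anything not listed below is blocked
  // Rule 1: scripts only from the page's own origin. When the page itself is
  // served over HTTPS, 'self' means same scheme, host and port, so HTTPS only.
  // Leaving out 'unsafe-inline' is what blocks inline <script> blocks (rule 3).
  'script-src': ["'self'"],
  'img-src': ['https://cdn.example.com'],   // Rule 2: images only from the CDN
  'frame-src': ["'none'"],                  // Rule 3: the page may not embed frames
  'frame-ancestors': ["'none'"],            // Rule 3: the page may not be framed (clickjacking defence)
  'style-src': ["'self'", 'https://fonts.googleapis.com'], // Google Fonts stylesheet
  'font-src': ['https://fonts.gstatic.com'],               // Rule 4: font files from Google Fonts
};

// Serialise the policy object into the header value: "directive src src; directive src".
function buildHeader(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Simplified source-expression matcher: handles 'none', 'self', scheme sources
// such as "https:" and host sources such as "https://cdn.example.com".
// (The real spec also supports wildcards, nonces, hashes and paths.)
function sourceMatches(source, pageOrigin, resourceUrl) {
  const res = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return res.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return res.protocol === source.toLowerCase();
  const src = new URL(source);
  return res.protocol === src.protocol && res.host === src.host;
}

// Would the browser allow loading resourceUrl for the given directive?
// Directives not set explicitly fall back to default-src (the spec exempts a few,
// e.g. frame-ancestors, which is why every directive used above is set explicitly).
function isAllowed(policy, directive, pageOrigin, resourceUrl) {
  const sources = policy[directive] || policy['default-src'] || [];
  return sources.some((s) => sourceMatches(s, pageOrigin, resourceUrl));
}

// Inline <script> blocks run only if script-src (or its fallback) contains 'unsafe-inline'.
function allowsInlineScript(policy) {
  const sources = policy['script-src'] || policy['default-src'] || [];
  return sources.includes("'unsafe-inline'");
}

// Usage: the header to send, then a few loads evaluated against the policy.
const page = 'https://www.example.com';
console.log('Content-Security-Policy: ' + buildHeader(policy));
console.log(isAllowed(policy, 'script-src', page, 'https://www.example.com/app.js'));   // true
console.log(isAllowed(policy, 'script-src', page, 'https://evil.example.net/x.js'));    // false
console.log(isAllowed(policy, 'script-src', page, 'http://www.example.com/app.js'));    // false, not HTTPS
console.log(isAllowed(policy, 'img-src', page, 'https://cdn.example.com/logo.png'));    // true
console.log(isAllowed(policy, 'frame-src', page, 'https://www.example.com/embed'));     // false
console.log(allowsInlineScript(policy));                                               // false
```

Note that `img-src` lists only the CDN, so an image hosted on the site's own origin would be blocked too; add `'self'` there if that is not what you want. The header value is set on the HTTP response (for example from your web server or framework), not in the page itself.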
The content security standard was first introduced in 2004 and has evolved ever since, with the majority of browsers now complying with it.
Written by Apostolos Michailidis