Browsers: what do they have in common (except maybe being the “internet button”)? They can’t distinguish malicious content from benign content. Because this flaw had to be tackled, Content Security Policy was introduced.

What causes content to become malicious?
Much of this malicious content is either cross-site scripting (XSS) or clickjacking. Clickjacking, as the term suggests, is a way of hiding a hyperlink behind another website’s clickable content. This way, the user is lured into actions he is unaware of and makes clicks he never intended. Cross-site scripting, on the other hand, can prove a lot more dangerous, as it accounts for 84% of security issues. Cross-site scripting falls into the category of code injection: the attacker embeds content in the website and accesses all information under the umbrella of the legitimate site.

These two constitute the most common attacks on a website that bypass the same-origin policy. This policy is an important security aspect of the web, as its mechanism allows two web pages to access each other’s data only if they share the same origin. In practice, that means that if someone injects malicious content into one web page, it cannot access another page’s information.

What can I do as a beginner?
This model ensures data confidentiality: the website owner declares the secure, trusted and hence whitelisted sources of content, and the declaration covers a wide array of types such as HTML5, JavaScript, CSS, images, audio files and many others. The Content Security Policy standard allows owners to predefine which content their website may load, whether inline scripts or external resources. Each page can carry its own security policy in order to minimise the damage in cases where an attacker has already injected malicious content. There are many ways the owner can specify which content is trusted and hence allowed to be loaded on each page. The most usual among those are:

1) Trust only scripts from the same source via HTTPS
2) Images loaded should come from a particular CDN
3) Frames or inline scripts should not be allowed
4) Only allow fonts from Google Fonts
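To make the four rules above concrete, the following Python block (an added example, not code from the original post) builds a `Content-Security-Policy` header that expresses them and then checks candidate resource loads against it the way a browser would, including the fallback to `default-src` when a directive is missing. The hosts `www.example.com` and `cdn.example.com` are placeholders; `fonts.gstatic.com` and `fonts.googleapis.com` are the hosts Google Fonts serves font files and stylesheets from. The source matching is a simplified version of the CSP rules (no nonces, hashes, wildcard ports or path matching), which the comments point out.

```python
"""Build a Content-Security-Policy header for the four rules in the post and
check candidate resource loads against it. Added example, not from the post."""
from urllib.parse import urlsplit

# Constructed policy: one entry per directive, values are CSP source expressions.
POLICY = {
    "default-src": ["'none'"],                  # deny any resource type not listed below
    "script-src": ["'self'"],                   # 1) scripts only from the page's own origin; on an
                                                #    HTTPS site that means same-origin HTTPS only.
                                                #    No 'unsafe-inline' here => 3) no inline scripts
    "img-src": ["https://cdn.example.com"],     # 2) images only from one CDN (placeholder host)
    "frame-src": ["'none'"],                    # 3) this page may not embed frames
    "frame-ancestors": ["'none'"],              #    and may not be framed itself (clickjacking defence)
    "font-src": ["https://fonts.gstatic.com"],  # 4) font files from Google Fonts
    "style-src": ["'self'", "https://fonts.googleapis.com"],  # the CSS that references those fonts
}

# Directives that do NOT fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri"}


def build_header(policy):
    """Serialise the policy dict into the header value: 'dir src src; dir src'."""
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())


def parse_header(header):
    """Parse a header value back into {directive: [source expressions]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _source_matches(expr, url, page_origin):
    """Simplified CSP source matching (no nonces, hashes, wildcard ports or paths)."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        # Same scheme, host and port as the page. (Real CSP also lets an
        # http: page load https: from the same host; omitted for brevity.)
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr == "*":
        return u.scheme not in ("data", "blob", "filesystem")  # '*' excludes these schemes
    if expr.startswith("'"):
        return False  # 'unsafe-inline', 'unsafe-eval' etc. never authorise a URL load
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    # host-source, with or without scheme; prefix "//" so urlsplit sees a netloc
    h = urlsplit(expr if "://" in expr else "//" + expr)
    if h.scheme and h.scheme != u.scheme:
        return False
    if h.port is not None and h.port != u.port:
        return False
    host = h.hostname or ""
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def is_allowed(header, directive, url, page_origin):
    """True if loading `url` under `directive` is permitted by `header`.
    Falls back to default-src for most directives, as browsers do; with no
    applicable directive at all the load is unrestricted."""
    policy = parse_header(header)
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline_scripts(header):
    """True if the policy still permits inline <script> blocks, i.e. it carries
    'unsafe-inline' for scripts (nonces/hashes, which override it, are not modelled)."""
    policy = parse_header(header)
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    print("Content-Security-Policy:", build_header(POLICY))
```

Running the block prints the header value to send with every response. The check functions are what a reviewer would use to answer "would this load be blocked?" before deploying: the `default-src 'none'` fallback means any resource type not listed (for example an XHR under `connect-src`) is refused, which is the safest starting point, and the absence of `'unsafe-inline'` in `script-src` is exactly what makes an injected inline script inert.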

The Content Security Policy standard was first introduced in 2004 and has evolved ever since, with the majority of browsers now complying with it.

Written by Apostolos Michailidis