I spent today working on documentation for Content Security Policy. It’s not quite done yet, but I have written much of it. If someone would like to look it over, that would be fantastic, as that would let me get it finished up tomorrow.
- Introducing Content Security Policy
- Default CSP restrictions
- CSP policy directives
- Using Content Security Policy
I’ll be writing about CSP reports tomorrow.
If you’re not familiar with CSP, it’s a new technology that lets a site tell the browser from where content is allowed to be loaded. By using a known, carefully designed method for sharing information about legitimate domains from which to load content, the browser and server can work together to help mitigate a wide variety of attacks.
I’m not really a big security guy, but this is still pretty cool. You should look into it. The best part is that it gently falls back to working normally if either the web server or the browser doesn’t support CSP.
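To make the "from where content is allowed to be loaded" idea concrete, here is a small added example (not from the original post, and not part of the documentation it describes) that parses a Content-Security-Policy header value into its directives and decides whether a given resource URL would be permitted for a given directive. The sample policy and all hostnames are constructed for the example; the source-expression matching is a deliberately simplified subset of the spec ('self', 'none', scheme sources like `data:`, and host sources with an optional `*.` wildcard), so nonces, hashes and path matching are not handled. It also shows the fallback to `default-src` when a directive is missing, and the "no policy means no restriction" behaviour that makes CSP degrade gracefully.

```python
from urllib.parse import urlparse

# Constructed sample header value (an assumption for this example, not a policy
# from the original post): scripts only from the page's own origin and one CDN,
# images from any *.example.org subdomain or inline data: URLs, everything else
# restricted to the page's own origin by default-src.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "img-src *.example.org data:"
)


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [source-exprs]}.

    Directives are separated by ';' and sources by whitespace. When a directive
    is repeated, the first occurrence wins, which is how browsers treat it.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_source_matches(source, url, page_scheme):
    """Simplified host-source / scheme-source matching (not the full spec grammar)."""
    u = urlparse(url)
    # scheme-source such as "data:" or "https:" matches any URL with that scheme
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = None, source
    host_port = rest.split("/", 1)[0]
    host, _, port = host_port.partition(":")
    if scheme is not None:
        if u.scheme != scheme:
            return False
    elif u.scheme not in (page_scheme, "https"):
        # no scheme given: the page's own scheme (or a secure upgrade) is implied
        return False
    if host == "*":
        host_ok = u.hostname is not None
    elif host.startswith("*."):
        # "*.example.org" matches subdomains only, never the bare apex domain
        host_ok = u.hostname is not None and u.hostname.endswith(host[1:])
    else:
        host_ok = u.hostname == host
    if not host_ok:
        return False
    # a port in the source must appear explicitly in the URL (simplification)
    return not port or str(u.port or "") == port


def is_allowed(policy, directive, url, page_origin):
    """Decide whether a fetch governed by `directive` (e.g. 'script-src') may load `url`.

    A directive absent from the policy falls back to default-src; if neither is
    present the load is unrestricted, which is the same graceful fallback a
    browser applies when the server sends no policy at all.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    origin = urlparse(page_origin)
    u = urlparse(url)
    for source in sources:
        s = source.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if (u.scheme, u.hostname, u.port) == (origin.scheme, origin.hostname, origin.port):
                return True
        elif s.startswith("'"):
            continue  # keyword sources such as 'unsafe-inline' do not describe URLs
        elif _host_source_matches(s, url, origin.scheme):
            return True
    return False


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_POLICY)
    page = "https://www.example.com"  # constructed page origin
    for directive, url in [
        ("script-src", "https://cdn.example.com/app.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("img-src", "https://img.example.org/logo.png"),
        ("img-src", "https://example.org/logo.png"),
        ("style-src", "https://cdn.example.com/site.css"),
    ]:
        verdict = "allowed" if is_allowed(policy, directive, url, page) else "BLOCKED"
        print(f"{directive:<11} {url:<40} {verdict}")
```

Running the script prints one verdict per line; note that `style-src` is never named in the sample policy, so the CDN stylesheet is blocked purely by the `default-src 'self'` fallback, while an empty policy dictionary allows everything.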