On 11/1/16 6:36 AM, Roger Hågensen wrote:
> Wait, are you saying that ContentSecurityPolicy can't be relied upon?
It depends on your threat model.
Content security policy is a tool that allows a web page to defend
itself and its users from cross-site script injection attacks and the
like. A fundamental assumption here is that the user is NOT the
attacker, and hence the user's browser is cooperating with the web page
to protect the user. It's a perfectly fine tool for the "user and page
author are cooperating" threat model.
If, on the other hand, your threat model includes attacks by the _user_
on your server, you absolutely can't rely on CSP to defend against that.
Most simply, the user can use a browser that doesn't support CSP. For
addressing this class of attacks, you _have_ to rely on a completely
server-side solution, because by assumption the client (the browser) is
the attacker in this situation.
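An added illustration of the distinction drawn above (example code, not from the thread or its participants). It simulates the two threat models: a browser that cooperates with the page and honours the Content-Security-Policy header, and a client the user controls that receives exactly the same response bytes and ignores the header. The only control that holds in both cases is the one applied on the server (here, HTML-escaping the untrusted input before it is embedded). The policy string, the comment text and the CSP evaluation are simplified, constructed stand-ins, not a real browser's implementation: nonces, hashes and the full directive fallback rules are not modelled.

```python
# Added example, not from the thread. Models CSP as a client-enforced header:
# a cooperating browser applies it, a client that does not implement CSP (or
# that the user controls) simply does not. The server-side measure holds for
# both kinds of client. Everything here is a simplified simulation.
import html
import re
from typing import Optional

# Constructed policy the server attaches to every HTML response.
CSP = "default-src 'self'; script-src 'self'"

# Matches inline <script> elements. Simplified: a real browser uses a full
# HTML parser, not a regular expression.
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: {source-expression, ...}}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def policy_allows_inline_script(header: Optional[str]) -> bool:
    """What a cooperating browser decides for inline <script> elements.

    No header, or a header with neither script-src nor default-src, restricts
    nothing. Otherwise inline script runs only if the governing directive
    contains 'unsafe-inline'. Nonces and hashes are deliberately not modelled.
    """
    if not header:
        return True
    policy = parse_csp(header)
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True
    return "'unsafe-inline'" in sources


def render_comment(comment: str, escape: bool) -> tuple:
    """Server side: embed a user-supplied comment in a page and attach CSP.

    escape=False is the unsafe variant that relies on the client honouring
    CSP; escape=True neutralises the input on the server regardless of client.
    Returns (headers, body).
    """
    text = html.escape(comment) if escape else comment
    headers = {"Content-Type": "text/html", "Content-Security-Policy": CSP}
    return headers, "<html><body><p>%s</p></body></html>" % text


def inline_scripts_executed(headers: dict, body: str, honours_csp: bool) -> int:
    """Number of inline scripts in `body` that a given client would execute.

    honours_csp=True models a cooperating browser; False models a client that
    does not implement CSP (or is the user's own tool) and runs what it finds.
    """
    if honours_csp and not policy_allows_inline_script(headers.get("Content-Security-Policy")):
        return 0
    return len(INLINE_SCRIPT.findall(body))


# Constructed untrusted input containing an inline script element.
UNTRUSTED = "nice post <script>/* inserted by the user */</script>"


def demo() -> dict:
    """Run both server variants against both client models."""
    results = {}
    for label, escape in (("unescaped", False), ("escaped", True)):
        headers, body = render_comment(UNTRUSTED, escape=escape)
        results[label + "_browser"] = inline_scripts_executed(headers, body, honours_csp=True)
        results[label + "_other"] = inline_scripts_executed(headers, body, honours_csp=False)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s inline scripts executed: %d" % (key, value))
```

With the unescaped page, the cooperating browser executes nothing because the policy forbids inline script, but the client that ignores CSP executes the injected element; with server-side escaping, neither client has anything to execute, which is the "completely server-side solution" the reply refers to.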