by Yeimy F
The journal I read this week is about the current uncontrolled web browser environment. The journal explains that the current policy for restricting content is the same-origin policy (SOP), which is embedded in browsers, yet it remains bypassable by attackers who are able to insert their script into the content by using “Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, clickjacking, etc.” Since attackers are aware of web application vulnerabilities, they have developed dozens of high-profile attacks against websites. The journal goes on to explain how ideal it would be to develop web applications free from vulnerabilities, but security actually has to be addressed at every layer. So the authors present another option called Content Security Policy (CSP) to secure website content in only one layer. “CSP is activated by a client’s browser…and the purpose of the policy is to specify which types of resources may be loaded and from where they may be requested; additionally, options can be specified that modify the strictness of enforcement.” Content Security Policy allows website designers and server administrators to restrict the content and determine how it is going to interact with the website. It will be “effective to lock down sites and provide an early alert system for vulnerabilities on a website.” This policy is considered effective because the prototype implementation in Firefox and Mozilla Add-Ons provides the desired control over content used on a website, increased security against XSS attacks, and clickjacking avoidance. Moreover, it is considered feasible because it does not require major expenses in the construction phase, it can be adopted gradually, and it will not interfere with the operation of current websites.
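To make the quoted idea concrete (a policy that says which resource types may load and from where, plus how strictly it is enforced), here is an added example that is not from the paper or from any browser's code. It uses the syntax of the later standardized Content-Security-Policy header rather than the paper's Firefox prototype, and the two sample headers, the `/csp-report` path, and the `cdn.example.com` host are constructed placeholders. The small auditor parses a header value and reports the settings that would leave a site open to the problems the paper lists: injected scripts (XSS), altered style sheets, and framing by another site (clickjacking), as well as a missing reporting endpoint, which is what gives the "early alert" the authors describe.

```javascript
// Added example: parse a Content-Security-Policy header value and flag
// settings that weaken it. Not code from the paper; the header syntax is
// the standardized CSP form, and the sample headers below are constructed.

// Split "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src; if that is
// absent too, the browser places no restriction on that resource type.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy["default-src"]) return policy["default-src"];
  return null;
}

// Return a list of human-readable findings; an empty list means no weak
// setting was detected by these checks.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scriptSrc = effectiveSources(policy, "script-src");
  if (scriptSrc === null) {
    findings.push("no script-src or default-src: scripts may be loaded from anywhere");
  } else {
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("script-src allows 'unsafe-inline': an injected inline script would still run");
    }
    if (scriptSrc.includes("*")) {
      findings.push("script-src allows '*': external scripts may be loaded from any host");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': string-to-code evaluation is permitted");
    }
  }

  // The paper's "insignificant but possible" case: injected CSS changing the page's look.
  const styleSrc = effectiveSources(policy, "style-src");
  if (styleSrc === null || styleSrc.includes("'unsafe-inline'")) {
    findings.push("inline styles allowed: injected style sheets could alter the page's appearance");
  }

  // Clickjacking defence: restrict who may frame the page.
  if (!policy["frame-ancestors"]) {
    findings.push("no frame-ancestors: other sites may embed this page in a frame");
  }

  // Without a reporting directive there is no early-alert channel for violations.
  if (!policy["report-uri"] && !policy["report-to"]) {
    findings.push("no report-uri/report-to: violations will not be reported to the site");
  }

  return findings;
}

// Constructed sample headers: a permissive one and a locked-down one.
const WEAK_CSP = "default-src * 'unsafe-inline'; script-src * 'unsafe-inline'";
const STRICT_CSP =
  "default-src 'none'; script-src 'self' https://cdn.example.com; " +
  "style-src 'self'; img-src 'self'; frame-ancestors 'none'; report-uri /csp-report";

for (const [name, header] of Object.entries({ weak: WEAK_CSP, strict: STRICT_CSP })) {
  console.log(`${name}: ${header}`);
  const findings = auditCsp(header);
  if (findings.length === 0) console.log("  no weak settings found");
  for (const f of findings) console.log(`  - ${f}`);
}
```

The strict header shows the gradual-adoption point from the paper: a site can start by sending only a reporting directive to learn where its content actually comes from, then tighten `default-src` and the per-type directives once the report data shows what legitimate resources the pages need.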
Since we are developing a website, it is useful to understand website vulnerabilities and how we can prevent attackers from injecting their script into our applications. Another vulnerability the journal presents is that attackers can change the appearance of the style sheets, which is considered an insignificant attack, but it is still possible and we need to be prepared to provide security to prevent such an attack.
I chose this journal because it describes how this scheme works step by step and the accomplishments of such an implementation, along with a detailed sample of the language used to implement it; it also states the differences between similar approaches and how it can be deployed by websites.
Stamm, S., Sterne, B., & Markham, G. (2010). Reining in the web with content security policy. ACM, 26/30, 921-929. doi:10.1145/1772690.1772784