Implementing Content Security Policy with CspBuilder wizard

2013-05-22 00:00:00 +0100


Exactly for this purpose I have written CspBuilder.info, a service that consumes the Content Security Policy violation reports generated by browsers and turns them into a working CSP header. Using CSP report-only mode together with CspBuilder, a working policy can be built in a few iterations. How does it work?

  1. Go to CspBuilder.info and obtain your unique report URL (e.g. http://cspbuilder.info/report/4694844327589097317/) and policy analysis URL (e.g. http://cspbuilder.info/policy/4694844327589097317/). For convenience, the service also provides a complete CSP header in its most restrictive form, delivered in report-only mode so that nothing is actually blocked.
  2. Add this header to your website's responses and open the site in a browser. Google Chrome is recommended because it has the most mature CSP implementation of any browser currently on the market. Firefox will not send reports to external origins, which defeats the whole purpose of CspBuilder (see bug #847069).
  3. Go to your CSP policy analysis URL. You will see all received violation reports and the proposed new policy header. Copy it to your website, then refresh and test every page and feature. Repeat the process until no new CSP reports arrive.

CspBuilder greatly simplifies the whole process, but it cannot make every decision for you. By default the builder allows anything that was reported as blocked (or would have been blocked in enforcement mode). As a result, you might end up with a policy that looks like this:
    Content-Security-Policy-Report-Only: frame-src https://platform.twitter.com http://static.ak.facebook.com http://googleads.g.doubleclick.net http://block.opendns.com https://s-static.ak.facebook.com http://ib.adnxs.com http://w45.w101.w113.block.d.id.opendns.com http://platform.twitter.com http://w113.block.b.id.opendns.com https://plusone.google.com http://rtb-ads.avazu.net https://www.facebook.com http://block.a.id.opendns.com http://w101.w113.block.c.id.opendns.com http://www.facebook.com http://ad.adserverplus.com https://apis.google.com http://smartsuggestor.net http://w13.w45.w101.w113.block.e.id.opendns.com ; img-src https://ssl.gstatic.com http://ajax.googleapis.com http://translate.google.com http://smartsuggestor.net http://www.google-analytics.com 'self' http://www.google.com http://csi.gstatic.com http://pagead2.googlesyndication.com http://ssl.gstatic.com ; style-src http://translate.googleapis.com http://smartsuggestor.net 'unsafe-inline' 'self' ; report-uri /report/9018643792216450862/ ;
Google, Facebook or Twitter should be allowed on any site that uses Google Analytics, AdSense or social plugins. But what are all these domains like opendns.com, rtb-ads.avazu.net, smartsuggestor.net and ad.adserverplus.com doing there? I guess they serve advertisements on behalf of Google AdSense, as part of specific client campaigns. Do you want to allow them? It's an important decision you have to make. A policy generated from reports alone cannot tell a legitimate third party from content injected by a browser extension, a proxy or an attacker, so review every origin before it goes into the enforced policy.
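To make the report-to-policy step concrete, here is a small aggregator in the spirit of the procedure above, together with the review-and-reject decision just discussed. This is an added example, not CspBuilder.info's own code. It assumes the JSON body Chrome POSTed to report-uri at the time ({"csp-report": {"document-uri", "violated-directive", "blocked-uri"}}) and Chrome's conventions of an empty blocked-uri for inline code, "eval" for eval(), and a bare scheme such as "data" for non-HTTP URLs; the sample reports and the report path /report/123/ are constructed.

```python
"""Aggregate browser CSP violation reports into a proposed report-only policy.

Added example; not CspBuilder.info's code. Assumes Chrome's 2013 report
shape ({"csp-report": {...}}), an empty blocked-uri for inline code,
"eval" for eval(), and a bare scheme ("data") for non-HTTP resources.
"""
import json
from urllib.parse import urlsplit

# Constructed sample reports (not captured from a real site).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "img-src 'none'",
        "blocked-uri": "http://www.google-analytics.com/__utm.gif?utmn=1"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "img-src 'none'",
        "blocked-uri": "https://example.com/static/logo.png"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "img-src 'none'",
        "blocked-uri": "data"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "style-src 'none'",
        "blocked-uri": ""}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "script-src 'none'",
        "blocked-uri": "eval"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/page",
        "violated-directive": "frame-src 'none'",
        "blocked-uri": "http://ad.adserverplus.com/frame?id=7"}}),
]


def source_for(blocked_uri, document_uri):
    """Map a report's blocked-uri to the CSP source expression that would allow it."""
    if blocked_uri == "":
        return "'unsafe-inline'"          # inline <script>/<style>/style= attribute
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    if "://" not in blocked_uri:
        return blocked_uri + ":"          # "data" -> data: (scheme-only source)
    blocked, doc = urlsplit(blocked_uri), urlsplit(document_uri)
    if (blocked.scheme, blocked.netloc) == (doc.scheme, doc.netloc):
        return "'self'"                   # same origin as the reporting page
    return "%s://%s" % (blocked.scheme, blocked.netloc)   # origin only, path dropped


def aggregate(raw_reports):
    """Return {directive: set(sources)} from a list of JSON report bodies."""
    sources = {}
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        directive = report["violated-directive"].split()[0]   # "img-src 'none'" -> img-src
        sources.setdefault(directive, set()).add(
            source_for(report["blocked-uri"], report["document-uri"]))
    return sources


def review_list(sources):
    """Third-party origins the site owner must decide on (keywords, 'self' and schemes excluded)."""
    return sorted(s for srcs in sources.values() for s in srcs if "://" in s)


def format_policy(sources, report_uri, reject=()):
    """Render a report-only policy; rejected origins stay blocked ('none' if nothing remains)."""
    parts = []
    for directive in sorted(sources):
        kept = sorted(s for s in sources[directive] if s not in reject)
        parts.append("%s %s" % (directive, " ".join(kept) or "'none'"))
    parts.append("report-uri %s" % report_uri)
    return "; ".join(parts)


if __name__ == "__main__":
    agg = aggregate(SAMPLE_REPORTS)
    print("Origins to review:", review_list(agg))
    # The owner decides to keep the ad server blocked; Analytics stays allowed.
    print("Content-Security-Policy-Report-Only:",
          format_policy(agg, "/report/123/", reject={"http://ad.adserverplus.com"}))
```

The aggregator reduces each blocked URL to its origin, which is what a CSP source list needs, and folds same-origin hits into 'self'. The review_list output is the list of decisions the text talks about: every third-party origin that would be allowed if you accepted the proposal unchanged, so that an ad server or an extension-injected host can be passed to reject instead of being allowlisted.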