Tuesday, January 27 • 11:00am - 12:00pm
Fixing XSS with Content Security Policy


Cross-site scripting (XSS) has been dominating OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development.
The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications, as it can require completely rewriting the user interface. CSP 1.1 introduces new keywords that can be used to apply policies to existing code bases without requiring a rewrite from scratch. The talk will help the audience understand:
• What the differences between CSP 1.0 and CSP 1.1 are, and what they mean for web application developers.
• How CSP protects web applications from cross-site scripting.
• Whether input validation and output encoding are necessary if CSP is used properly.
• How browser support for this technology differs.
• How you can get started with using CSP on your website.


Ksenia Dmitrieva

Security Consultant, Cigital
Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds a M.S. in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review...

Tuesday January 27, 2015 11:00am - 12:00pm PST
Annenberg Community Beach House, Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402
