AppSec California 2015

Cross-site scripting (XSS) has been dominating OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development.
The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications as it can require completely rewriting the user interface. CSP 1.1 introduces new keywords that can be used to apply policies to existing code bases without requiring a re-write from scratch. The talk will help the audience understand:
• What the differences between CSP 1.0 and CSP 1.1 are, and what these mean for web application developers?
• How CSP protects web applications from cross-site scripting?
• Whether input validation and output encoding are necessary if CSP is used properly.
• What is the different browser support for this technology?
• How you can get started with using CSP on your website?