This past weekend at the Devsigner Conference held in Portland, Oregon, Dylan Tack gave an excellent presentation entitled “Taking control of the Browser Security Model”:
Since the birth of the web, the browser security model has remained nearly static. Recent evolutions make it possible for site operators to fine-tune the security model, and enforce mandatory access controls. This session will focus on Content-Security-Policy, and other browser security features like Strict Transport Security and Public Key Pins.
47% of all web applications have a cross-site-scripting vulnerability, and this potential security flaw ranks in the top three classes of all vulnerabilities. [ White Hat Security, 2015 Website Security Statistics Report ]
A Content Security Policy is a systematic way to block these attacks, by whitelisting allowed sources of script, style, and other resources. The holy grail – blocking “unsafe-inline” code – offers the strongest defense, but can be a big surprise for front-end developers when inline scripts and styles stop working!
If you are developing for the web you need to take a look at his slide deck. If you have any questions, feel free to let let me know.