CSP Case Analysis

References

http://drops.wooyun.org/tips/1439
http://zone.wooyun.org/content/1310

Basic Concepts

Content Security Policy (CSP) is a mechanism built on a trusted whitelist that restricts which sources a website is allowed to include content from. In its default configuration it does not allow inline code to run (the contents of <script> blocks, inline event handlers, inline styles), and it forbids eval(), new Function(), setTimeout([string], …) and setInterval([string], …).

Adoption Difficulty

See the discussion by the experts over in the zone:

余弦 19:38:25
But this is going to take a while. Maybe 2 years?

superhei<0x@557.im> 19:38:39
Not even in 20 years.

That conversation was from 2012; looking at it now, it really does seem that not even 20 years will be enough. According to ZoomEye statistics from February 2014, among 10 million domestic domain names (including subdomains), only 7 were found to use a CSP policy, and 3 of those had CSP syntax errors. Of the remaining 4 sites, 3 belonged to Zhihu...
Let's look at Zhihu's CSP policy:

April 2015

Content-Security-Policy: default-src *; frame-src *.zhihu.com getpocket.com note.youdao.com; script-src *.zhihu.com *.google-analytics.com 'unsafe-eval'; style-src *.zhihu.com 'unsafe-inline'
Expires: Fri, 02 Jan 2000 00:00:00 GMT
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: private, no-store, max-age=0, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY

November 5, 2015

Pragma: no-cache
Date: Thu, 05 Nov 2015 09:20:47 GMT
Content-Encoding: gzip
Server: zhihu_nginx
X-Frame-Options: DENY
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store
Transfer-Encoding: chunked
Content-Security-Policy: default-src *; frame-src *.zhihu.com getpocket.com note.youdao.com; script-src *.zhihu.com *.google-analytics.com zhstatic.zhihu.com 'unsafe-eval'; style-src *.zhihu.com 'unsafe-inline'
Connection: keep-alive
 
200 OK

Interpretation:
default-src *; any domain may be loaded by default
frame-src *.zhihu.com getpocket.com note.youdao.com; whitelist
script-src *.zhihu.com *.google-analytics.com 'unsafe-eval'; whitelist, uses unsafe-eval
style-src *.zhihu.com 'unsafe-inline'; whitelist, uses unsafe-inline

Mogujie has also added a CSP policy:
April 2015

Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mogujie.com *.mogujie.com:8080 *.mogujie.cn *.mogucdn.com *.juangua.com *.mogujie.org *.xiaodian.com www.google-analytics.com ssl.google-analytics.com hm.baidu.com d.emarbox.com ssl.emarbox.com bdimg.share.baidu.com; report-uri http://ss.mogujie.com/csp/index
X-Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mogujie.com *.mogujie.com:8080 *.mogujie.cn *.mogucdn.com *.juangua.com *.mogujie.org *.xiaodian.com www.google-analytics.com ssl.google-analytics.com hm.baidu.com d.emarbox.com ssl.emarbox.com bdimg.share.baidu.com; report-uri http://ss.mogujie.com/csp/index
X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mogujie.com *.mogujie.com:8080 *.mogujie.cn *.mogucdn.com *.juangua.com *.mogujie.org *.xiaodian.com www.google-analytics.com ssl.google-analytics.com hm.baidu.com d.emarbox.com ssl.emarbox.com bdimg.share.baidu.com; report-uri http://ss.mogujie.com/csp/index

November 5, 2015

Pragma: no-cache
Date: Thu, 05 Nov 2015 09:24:24 GMT
Z-Proxy: qihe5161
Server: JuanNiuX/12.8.12
Vary: Accept-Encoding
Connection: keep-alive
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Transfer-Encoding: chunked
Backend: guomai31072
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' http://*.mogujie.com https://*.mogujie.com http://*.mogujie.com:8080 http://*.mogucdn.com https://*.mogucdn.com http://*.mogujie.cn https://*.mogujie.cn http://*.juangua.com https://*.juangua.com http://*.mogujie.org https://*.mogujie.org http://*.xiaodian.com https://*.xiaodian.com http://www.google-analytics.com https://ssl.google-analytics.com http://hm.baidu.com https://hm.baidu.com http://d.emarbox.com https://ssl.emarbox.com http://bdimg.share.baidu.com https://bdimg.share.baidu.com http://static.fraudmetrix.cn https://static.fraudmetrix.cn http://fp.fraudmetrix.cn https://fp.fraudmetrix.cn https://www.googleadservices.com http://www.googleadservices.com https://www.google-analytics.com http://www.google-analytics.com https://www.googletagmanager.com http://www.googletagmanager.com https://tagmanager.google.com http://tagmanager.google.com; report-uri http://ss.mogujie.com/csp/index
Z-Server: guomai31072
Content-Encoding: gzip
X-WebKit-CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval' http://*.mogujie.com https://*.mogujie.com http://*.mogujie.com:8080 http://*.mogucdn.com https://*.mogucdn.com http://*.mogujie.cn https://*.mogujie.cn http://*.juangua.com https://*.juangua.com http://*.mogujie.org https://*.mogujie.org http://*.xiaodian.com https://*.xiaodian.com http://www.google-analytics.com https://ssl.google-analytics.com http://hm.baidu.com https://hm.baidu.com http://d.emarbox.com https://ssl.emarbox.com http://bdimg.share.baidu.com https://bdimg.share.baidu.com http://static.fraudmetrix.cn https://static.fraudmetrix.cn http://fp.fraudmetrix.cn https://fp.fraudmetrix.cn https://www.googleadservices.com http://www.googleadservices.com https://www.google-analytics.com http://www.google-analytics.com https://www.googletagmanager.com http://www.googletagmanager.com https://tagmanager.google.com http://tagmanager.google.com; report-uri http://ss.mogujie.com/csp/index
X-Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' http://*.mogujie.com https://*.mogujie.com http://*.mogujie.com:8080 http://*.mogucdn.com https://*.mogucdn.com http://*.mogujie.cn https://*.mogujie.cn http://*.juangua.com https://*.juangua.com http://*.mogujie.org https://*.mogujie.org http://*.xiaodian.com https://*.xiaodian.com http://www.google-analytics.com https://ssl.google-analytics.com http://hm.baidu.com https://hm.baidu.com http://d.emarbox.com https://ssl.emarbox.com http://bdimg.share.baidu.com https://bdimg.share.baidu.com http://static.fraudmetrix.cn https://static.fraudmetrix.cn http://fp.fraudmetrix.cn https://fp.fraudmetrix.cn https://www.googleadservices.com http://www.googleadservices.com https://www.google-analytics.com http://www.google-analytics.com https://www.googletagmanager.com http://www.googletagmanager.com https://tagmanager.google.com http://tagmanager.google.com; report-uri http://ss.mogujie.com/csp/index
 
200 OK

Three headers are sent, Content-Security-Policy, X-Content-Security-Policy and X-WebKit-CSP, in order to stay compatible with IE; Zhihu did not bother with IE compatibility, which is rather cavalier. Interpretation:

script-src 'self' 'unsafe-inline' 'unsafe-eval' *.mogujie.com *.mogujie.com:8080 *.mogujie.cn *.mogucdn.com *.juangua.com *.mogujie.org *.xiaodian.com www.google-analytics.com ssl.google-analytics.com hm.baidu.com d.emarbox.com ssl.emarbox.com bdimg.share.baidu.com;

Many addresses are whitelisted, but unsafe-inline is used here. With unsafe-inline, the effectiveness of CSP is greatly reduced; this happens because the business side often has quite a few inline scripts. You can see that Zhihu has already been refactored and no longer uses inline scripts.
Inline scripts are simply too common. CSP clearly still has a long way to go.
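The reading of the two policies above, as an added example that is not part of the original post: a small JavaScript analyzer that parses a Content-Security-Policy value the way the post reads the Zhihu and Mogujie headers and flags the weak settings discussed (a wildcard default-src, 'unsafe-inline', 'unsafe-eval', plain-http script sources, directives left unrestricted, no report-uri). The Zhihu value is copied from the November 2015 header above; the Mogujie value is that header shortened to a few of its sources; the nonce-based policy, its nonce value and the /csp-report path are constructed here for comparison and do not come from either site.

```javascript
// Added example (not code from the original post): parse a CSP header value and
// flag the weak settings discussed above. Policy strings: Zhihu copied from the
// November 2015 header in the post, Mogujie shortened from its header, the
// nonce policy constructed for comparison (the nonce value is made up).

const ZHIHU_CSP =
  "default-src *; frame-src *.zhihu.com getpocket.com note.youdao.com; " +
  "script-src *.zhihu.com *.google-analytics.com zhstatic.zhihu.com 'unsafe-eval'; " +
  "style-src *.zhihu.com 'unsafe-inline'";

const MOGUJIE_CSP =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://*.mogujie.com " +
  "https://*.mogujie.com http://www.google-analytics.com " +
  "https://ssl.google-analytics.com; report-uri http://ss.mogujie.com/csp/index";

const NONCE_POLICY =
  "default-src 'self'; script-src 'nonce-d3adb33f'; object-src 'none'; " +
  "style-src 'self'; base-uri 'self'; report-uri /csp-report";

// "directive src src; directive src ..." -> Map(directive -> [sources]).
// Browsers honour only the first occurrence of a repeated directive.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src; if that is absent
// too, the directive is unrestricted (returned as null).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-/;

function analyzeCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const dir of ["script-src", "object-src", "style-src"]) {
    const sources = effectiveSources(policy, dir);
    if (sources === null) {
      findings.push(`${dir}: not set and no default-src, unrestricted`);
      continue;
    }
    const via = policy.has(dir) ? "" : " (via default-src)";
    if (sources.includes("*")) findings.push(`${dir}: '*' allows any origin${via}`);
    // CSP2+ ignores 'unsafe-inline' once a nonce or hash source is present.
    if (sources.includes("'unsafe-inline'") && !sources.some((s) => NONCE_OR_HASH.test(s))) {
      findings.push(`${dir}: 'unsafe-inline' lets injected inline content run${via}`);
    }
    if (dir === "script-src") {
      if (sources.includes("'unsafe-eval'")) {
        findings.push("script-src: 'unsafe-eval' re-enables eval(), new Function() and string timers");
      }
      const plainHttp = sources.filter((s) => s.startsWith("http://"));
      if (plainHttp.length > 0) {
        findings.push(`script-src: ${plainHttp.length} plain-http source(s) can be tampered with in transit`);
      }
    }
  }
  if (!policy.has("report-uri") && !policy.has("report-to")) {
    findings.push("no report-uri/report-to: violations are never reported");
  }
  return findings;
}

for (const [name, csp] of [["Zhihu", ZHIHU_CSP], ["Mogujie", MOGUJIE_CSP], ["nonce policy", NONCE_POLICY]]) {
  const findings = analyzeCsp(csp);
  console.log(`${name}: ${findings.length === 0 ? "no findings" : ""}`);
  for (const f of findings) console.log("  - " + f);
}
```

Run it with node. The object-src finding for Zhihu is the point the post's line-by-line reading misses: a tight script-src does not help a directive that is never set, because every absent fetch directive falls back to default-src, and default-src * hands plugin content to any origin. The Mogujie result shows the opposite failure: with no default-src at all, object-src and style-src are simply unrestricted. The nonce-based policy is what a policy without 'unsafe-inline' looks like once the inline scripts the post mentions have been given nonces.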
I just ran a search on ZoomEye:
[image: csp3]
