JavaScript Security

  1. Browser Security Policies and Features
    1. Content Security Policy (CSP)
      1. Purpose and Function
        1. Mitigating XSS and Data Injection
        2. Resource Loading Control
      2. Policy Delivery
        1. HTTP Header
        2. Meta Tag
        3. JavaScript API
      3. Common Directives
        1. default-src
        2. script-src
        3. style-src
        4. img-src
        5. connect-src
        6. frame-ancestors
        7. object-src
        8. media-src
        9. font-src
      4. Advanced Directives
        1. base-uri
        2. form-action
        3. frame-src
        4. manifest-src
        5. worker-src
      5. Using Nonces and Hashes
        1. Generating Nonces
        2. Hashing Inline Scripts
        3. Dynamic Content Challenges
      6. Reporting Violations
        1. report-uri
        2. report-to
        3. Violation Report Analysis
      7. Strict CSP
        1. Benefits and Limitations
        2. Implementation Challenges
        3. Nonce-Based Policies
      8. CSP Bypasses and Limitations
        1. JSONP Bypasses
        2. AngularJS Bypasses
        3. Unsafe-eval Alternatives
    2. Subresource Integrity (SRI)
      1. Protecting Against Compromised CDNs
        1. Third-Party Resource Verification
      2. Generating and Using Integrity Hashes
        1. Hash Algorithms
        2. Updating Hashes for New Versions
        3. Multiple Hash Support
      3. SRI Limitations
        1. Dynamic Content Issues
        2. CORS Requirements
    3. Cross-Origin Resource Sharing (CORS)
      1. As a Security Feature
        1. Enabling Controlled Resource Sharing
        2. Relaxing Same-Origin Policy
      2. Secure Configuration
        1. Allowed Origins
        2. Allowed Methods and Headers
        3. Preflight Requests
        4. Credentials Handling
      3. CORS Misconfigurations
        1. Wildcard Origin Risks
        2. Null Origin Bypasses
        3. Subdomain Attacks
    4. Sandboxing
      1. The sandbox Attribute for iframe
        1. Restricting Capabilities
        2. Enabling/Disabling Features
        3. Sandbox Tokens
      2. Isolating Untrusted Content
        1. Use Cases for Sandboxing
        2. Limitations and Bypasses
        3. Sandbox Escape Techniques
    5. Feature Policy and Permissions Policy
      1. Controlling Browser Features
      2. Policy Inheritance
      3. Security Implications