JavaScript Security

4.

Browser Security Policies and Features

4.1.

Content Security Policy (CSP)

4.1.1.

Purpose and Function

4.1.1.1.

Mitigating XSS and Data Injection

4.1.1.2.

Resource Loading Control

4.1.2.

Policy Delivery

4.1.2.1.

4.1.2.2.

4.1.2.3.

4.1.3.

Common Directives

4.1.3.1.

4.1.3.2.

4.1.3.3.

4.1.3.4.

4.1.3.5.

4.1.3.6.

frame-ancestors

4.1.3.7.

4.1.3.8.

4.1.3.9.

4.1.4.

Advanced Directives

4.1.4.1.

4.1.4.2.

4.1.4.3.

4.1.4.4.

4.1.4.5.

4.1.5.

Using Nonces and Hashes

4.1.5.1.

Generating Nonces

4.1.5.2.

Hashing Inline Scripts

4.1.5.3.

Dynamic Content Challenges

4.1.6.

Reporting Violations

4.1.6.1.

4.1.6.2.

4.1.6.3.

Violation Report Analysis

4.1.7.

4.1.7.1.

Benefits and Limitations

4.1.7.2.

Implementation Challenges

4.1.7.3.

Nonce-Based Policies

4.1.8.

CSP Bypasses and Limitations

4.1.8.1.

4.1.8.2.

AngularJS Bypasses

4.1.8.3.

Unsafe-eval Alternatives

4.2.

Subresource Integrity (SRI)

4.2.1.

Protecting Against Compromised CDNs

4.2.1.1.

Integrity Attribute in script and link

4.2.1.2.

Third-Party Resource Verification

4.2.2.

Generating and Using Integrity Hashes

4.2.2.1.

Hash Algorithms

4.2.2.2.

Updating Hashes for New Versions

4.2.2.3.

Multiple Hash Support

4.2.3.

SRI Limitations

4.2.3.1.

Dynamic Content Issues

4.2.3.2.

CORS Requirements

4.3.

Cross-Origin Resource Sharing (CORS)

4.3.1.

As a Security Feature

4.3.1.1.

Enabling Controlled Resource Sharing

4.3.1.2.

Relaxing Same-Origin Policy

4.3.2.

Secure Configuration

4.3.2.1.

Allowed Origins

4.3.2.2.

Allowed Methods and Headers

4.3.2.3.

Preflight Requests

4.3.2.4.

Credentials Handling

4.3.3.

CORS Misconfigurations

4.3.3.1.

Wildcard Origin Risks

4.3.3.2.

Null Origin Bypasses

4.3.3.3.

Subdomain Attacks

4.4.

4.4.1.

The sandbox Attribute for iframe

4.4.1.1.

Restricting Capabilities

4.4.1.2.

Enabling/Disabling Features

4.4.1.3.

4.4.2.

Isolating Untrusted Content

4.4.2.1.

Use Cases for Sandboxing

4.4.2.2.

Limitations and Bypasses

4.4.2.3.

Sandbox Escape Techniques

4.5.

Feature Policy and Permissions Policy

4.5.1.

Controlling Browser Features

4.5.2.

Policy Inheritance

4.5.3.

Security Implications

Previous

3. Defensive Coding and Mitigation Strategies

Go to top

Next

5. Server-Side Defenses for Client-Side Security