{"id":1821,"date":"2025-05-29T16:03:20","date_gmt":"2025-05-29T16:03:20","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=1821"},"modified":"2025-05-30T09:31:48","modified_gmt":"2025-05-30T09:31:48","slug":"content-security-policy-csp-a-key-mitigation-for-xss-and-clickjacking","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/content-security-policy-csp-a-key-mitigation-for-xss-and-clickjacking\/","title":{"rendered":"Content Security Policy (CSP): A Key Mitigation for XSS and Clickjacking"},"content":{"rendered":"\n

<\/p>\n\n\n\n

Content Security Policy (CSP) is a powerful browser mechanism designed to prevent and mitigate common web vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking. CSP allows developers to specify which sources of content are trusted by the application. This guide will walk you through how CSP works, and how to use it to protect against Clickjacking with frame-ancestors<\/code>. Real-world examples and practical tips are included to help you implement CSP securely.<\/p>\n\n\n\n

\n\n\n\n

Mitigating XSS with Content Security Policy<\/h2>\n\n\n\n

CSP headers control which scripts can be executed in the browser. By restricting script execution, you can block malicious scripts injected via XSS or SSTI.<\/p>\n\n\n\n

A basic CSP looks like following:<\/p>\n\n\n\n

Content-Security-Policy: default-src 'self'; script-src 'self';<\/code><\/pre>\n\n\n\n
What it means:<\/h3>\n\n\n\n
    \n
  • default-src 'self'<\/code><\/strong>
    This sets the default policy for all content types (like images, fonts, frames, etc.) to only load from the same origin<\/strong> as the site itself. 'self'<\/code> refers to the same domain that served the page.<\/li>\n\n\n\n
  • script-src 'self'<\/code><\/strong>
    This specifically restricts where JavaScript can be loaded from. In this case, scripts are only allowed from the same origin (no external JS libraries like CDN-hosted jQuery, for example).<\/li>\n<\/ul>\n\n\n\n
    This CSP policy blocks any attempt to load or execute scripts from untrusted sources<\/strong>, making it highly effective against cross-site scripting (XSS)<\/strong> attacks.<\/p>\n\n\n\n
    But this CSP is very strict and will not allow developers to execute JS that are needed to run the application. <\/p>\n\n\n\n
    However, you  may also come across poorly implemented CSPs<\/p>\n\n\n\n
    One of the core objectives of CSP<\/strong> is to prevent the execution of untrusted scripts<\/strong>, especially those injected by attackers via XSS. However, using the 'unsafe-inline'<\/code> directive in your CSP header essentially undoes this protection<\/strong>.<\/p>\n\n\n\n
    What 'unsafe-inline'<\/code> Does<\/h3>\n\n\n\n
    When you include 'unsafe-inline'<\/code> in your script-src<\/code> directive:<\/p>\n\n\n\n
    httpCopyEditContent-Security-Policy: script-src 'self' 'unsafe-inline';\n<\/code><\/pre>\n\n\n\n
    You are allowing:<\/p>\n\n\n\n
      \n
    • Inline <script><\/code> tags to execute freely.<\/li>\n\n\n\n
    • JavaScript inside HTML event handlers (onclick<\/code>, onmouseover<\/code>, etc.).<\/li>\n\n\n\n
    • Attacker-injected scripts (in many XSS cases) to run without restriction.<\/li>\n<\/ul>\n\n\n\n
      Allowing inline scripts means that:<\/p>\n\n\n\n
        \n
      • Any script injected into the page through an XSS vulnerability can still run<\/strong>.<\/li>\n\n\n\n
      • Your CSP no longer offers protection<\/strong> against script injection.<\/li>\n\n\n\n
      • The browser treats inline scripts as “trusted” regardless of where they come from.<\/li>\n<\/ul>\n\n\n\n
        In almost all real-world applications, there will be a need to execute certain scripts to allow for its smooth functioning. To permit the execution of specific inline JavaScript while maintaining a strong Content Security Policy (CSP), it’s advisable to avoid the use of ‘unsafe-inline’. Instead, consider the following more secure methods:<\/p>\n\n\n\n
          \n
        • Nonce<\/li>\n\n\n\n
        • Hashes<\/li>\n<\/ul>\n\n\n\n
          In Part 2, we’ll deep-dive on how to configure CSP for XSS mitigation using nonces and hashes<\/p>\n\n\n\n
          \n\n\n\n
          CSP to Prevent Clickjacking<\/h2>\n\n\n\n
          Clickjacking is an attack where users are tricked into clicking on something different from what they perceive, typically by overlaying a hidden iframe.<\/p>\n\n\n\n
          You can prevent clickjacking<\/strong> using Content Security Policy (CSP)<\/strong> by setting the frame-ancestors<\/code> directive. This directive specifies which origins are allowed to embed your site using <iframe><\/code>, <frame><\/code>, or <object><\/code> tags.<\/p>\n\n\n\n
          Use Cases of CSP for Clickjacking<\/h3>\n\n\n\n
            \n
          • Prevent clickjacking<\/li>\n\n\n\n
          • Allow trusted partners to embed your site<\/li>\n<\/ul>\n\n\n\n
            1. Completely Block Framing<\/h3>\n\n\n\n
            To prevent your site from being embedded in any iframe, set the frame-ancestors<\/code> directive to 'none'<\/code>:<\/p>\n\n\n\n
            Content-Security-Policy: frame-ancestors 'none';<\/code><\/pre>\n\n\n\n
            Effect:<\/strong><\/p>\n\n\n\n
              \n
            • Prevents any website from embedding your site in an iframe.<\/li>\n\n\n\n
            • If an attacker tries to embed your site for clickjacking purposes, the browser will block the iframe.<\/li>\n<\/ul>\n\n\n\n
              2. Allow Framing from Trusted Sources Only<\/h3>\n\n\n\n
              If you need to allow your site to be embedded only by specific trusted domains (e.g., your own domain), you can specify them like this:<\/p>\n\n\n\n
              Content-Security-Policy: frame-ancestors 'self' https:\/\/trusted-domain.com;<\/code><\/pre>\n\n\n\n
              Effect:<\/strong><\/p>\n\n\n\n
                \n
              • 'self'<\/code> allows embedding only from the same origin.<\/li>\n\n\n\n
              • https:\/\/trusted-domain.com<\/code> allows embedding from the specified trusted site only.<\/li>\n\n\n\n
              • Any other origin trying to embed the site will be blocked by the browser.<\/li>\n<\/ul>\n\n\n\n
                \n\n\n\n
                Example Scenario<\/h3>\n\n\n\n
                  \n
                1.  Clickjacking Attack Attempt:<\/strong><\/li>\n<\/ol>\n\n\n\n
                    \n
                  • Attacker creates a hidden iframe of your site and overlays invisible buttons.<\/li>\n\n\n\n
                  • Victim unknowingly clicks the hidden button while interacting with what looks like a legitimate interface.<\/li>\n<\/ul>\n\n\n\n
                    With CSP <\/strong>frame-ancestors 'none'<\/strong><\/code>:<\/strong><\/p>\n\n\n\n
                      \n
                    • Browser detects that the frame source is not allowed.<\/li>\n\n\n\n
                    • The iframe is blocked, and the attack fails.<\/li>\n<\/ul>\n\n\n\n
                      \n\n\n\n
                      Why CSP frame-ancestors<\/code> is Better Than X-Frame-Options<\/code><\/h3>\n\n\n\n
                      CSP frame-ancestors<\/code><\/th>X-Frame-Options<\/th><\/tr>
                      More flexible (can specify multiple trusted origins)<\/td>Only allows DENY<\/code>, SAMEORIGIN<\/code>, or one trusted URL<\/td><\/tr>
                      Part of modern CSP standard<\/td>Legacy header, less flexible<\/td><\/tr>
                      Allows defining different framing policies per page<\/td>Same policy for the whole site<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                      \n\n\n\n
                      \n\n\n\n
                      To illustrate the difference between how Content Security Policy (CSP) and X-Frame-Options handle frame embedding, consider the following scenarios:<\/p>\n\n\n\n
                      1. X-Frame-Options Validation:<\/strong><\/p>\n\n\n\n
                      X-Frame-Options primarily validates the top-level frame, determining whether the content can be embedded based on the immediate parent frame’s origin.<\/p>\n\n\n\n
                      +-------------------+\n| Top-Level Frame   |  <-- Checked by X-Frame-Options\n| (example.com)     |\n|                   |\n| +---------------+ |\n| | Subframe      | |\n| | (attacker.com)|  <-- Not checked by X-Frame-Options\n| |               | |\n| | +-----------+ | |\n| | | Subframe  | | |\n| | | (victim.com)| |\n| | +-----------+ | |\n| +---------------+ |\n+-------------------+<\/code><\/pre>\n\n\n\n
                      In this structure, if victim.com<\/code> sets X-Frame-Options: SAMEORIGIN<\/code>, it prevents its content from being embedded directly by attacker.com<\/code> at the top level. However, attacker.com<\/code> can embed victim.com<\/code> within a subframe, as X-Frame-Options doesn’t validate beyond the top-level frame.<\/p>\n\n\n\n
                      2. CSP’s <\/strong>frame-ancestors<\/strong><\/code> Validation:<\/strong><\/p>\n\n\n\n
                      CSP’s frame-ancestors<\/code> directive validates the entire frame hierarchy, ensuring that all ancestor frames meet the specified policy.<\/p>\n\n\n\n
                      +-------------------+\n| Top-Level Frame   |  <-- Checked by CSP frame-ancestors\n| (example.com)     |\n|                   |\n| +---------------+ |\n| | Subframe      |  <-- Checked by CSP frame-ancestors\n| | (attacker.com)| |\n| |               | |\n| | +-----------+ | |\n| | | Subframe  |  <-- Checked by CSP frame-ancestors\n| | | (victim.com)| |\n| | +-----------+ | |\n| +---------------+ |\n+-------------------+<\/code><\/pre>\n\n\n\n
                      In this scenario, if victim.com<\/code> sets Content-Security-Policy: frame-ancestors 'self'<\/code>, it ensures that every ancestor frame in the hierarchy originates from victim.com<\/code>. Consequently, attacker.com<\/code> cannot embed victim.com<\/code> at any level within its frame structure, as it doesn’t satisfy the frame-ancestors<\/code> policy.<\/p>\n\n\n\n
                      This distinction highlights that while X-Frame-Options offers basic protection against framing by unauthorized top-level domains, CSP’s frame-ancestors<\/code> provides a more robust security measure by validating the entire chain of embedding, thereby offering enhanced protection against clickjacking and other framing attacks.<\/p>\n\n\n\n
                      Best Practice<\/h3>\n\n\n\n
                        \n
                      • Use frame-ancestors 'none'<\/code> unless you specifically need<\/strong> to allow trusted embedding.<\/li>\n\n\n\n
                      • Remove X-Frame-Options<\/code> if you’re already using CSP frame-ancestors<\/code> (since CSP overrides it).<\/li>\n<\/ul>\n\n\n\n
                        That’s all for this blog post. See you in part 2 where I will cover a detailed explanation of how nonce and hashes in CSP works and implemented.<\/p>\n\n\n\n
                        Until then, happy defending!!<\/p>\n\n\n\n
                        <\/p>\n","protected":false},"excerpt":{"rendered":"
                        Content Security Policy (CSP) is a powerful browser mechanism designed to prevent and mitigate common web vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking. CSP allows developers to specify which sources of content are trusted by the application. This guide will walk you through how CSP works, and how to use it to protect against […]<\/p>\n","protected":false},"author":1,"featured_media":1828,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[2,440,321,327,257],"tags":[445,447,446,441,8],"class_list":["post-1821","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security","category-mitigations","category-owasp-top-10","category-source-code-review","category-web-application","tag-blue-teaming","tag-clickjacking","tag-csp","tag-defending","tag-xss","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1821"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=1821"}],"version-history":[{"count":7,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1821\/revisions"}],"predecessor-version":[{"id":1831,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1821\/revisions\/1831"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/1828"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=1821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=1821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=1821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}