Tuning My Content Security Policy

In my Getting Started With a Content Security Policy post, I set up a report-only CSP so that I could test a policy and see what it would block before enforcing it. It is time to parse through the results and see what needs to be updated in the deployed policy. The original policy was very simple:

default-src https

Inspecting The Violations

When I started looking at the violations, it was clear that my Content Security Policy was rather permissive, because very little was being blocked.

violated-directive  blocked-uri                                                                              count
style-src-attr      inline                                                                                    2591
script-src-elem     inline                                                                                    1141
style-src-elem      inline                                                                                     367
img-src             data                                                                                       137
img-src             https://blog.shellnetsecurity.com/wp-content/uploads/2020/12/cropped-Quinn-32×32.jpg       88
img-src             https://blog.shellnetsecurity.com/wp-content/uploads/2020/12/cropped-Quinn-192×192.jpg     87
script-src          eval                                                                                        85
font-src            data                                                                                        68
img-src             https://blog.shellnetsecurity.com/wp-content/uploads/2020/12/cropped-Quinn-180×180.jpg     57
default-src         inline                                                                                      22
script-src-attr     inline                                                                                       5
img-src             https://blog.shellnetsecurity.com/wp-content/uploads/2020/12/cropped-Quinn.jpg              4
default-src         data                                                                                         1
csp                 data

I decided to change my policy to the following

default-src 'self'

and let it run for a while before gathering more violation details like these:

violated-directive  scheme  domain                          count
font-src            https   fonts.gstatic.com                 889
style-src-attr      None    inline                            183
script-src-elem     None    inline                            171
default-src         https   fonts.gstatic.com                  97
style-src-elem      None    inline                             87
script-src-elem     https   adservice.google.com               81
script-src-elem     https   www.googletagmanager.com           79
script-src-elem     https   pagead2.googlesyndication.com      73
connect-src         https   www.google-analytics.com           71
frame-src           https   googleads.g.doubleclick.net        65
img-src             https   secure.gravatar.com                43
script-src-elem     https   connect.facebook.net               42
connect-src         https   pagead2.googlesyndication.com      40
default-src         None    inline                             37
style-src-elem      https   fonts.googleapis.com               23
img-src             https   www.facebook.com                   21

This gives us a better list to work with and a clearer picture of what we need to handle.

Building the New Header

Looking at the results, I'm not personally concerned about images, so I'll allow them from any https source:

default-src 'self'; img-src https:; 

I know I have fonts loading from Google, so we can allow that next:

default-src 'self'; img-src https:; font-src https://fonts.gstatic.com

The process continues until you have documented all of the known resources and the types of resource you plan to load, and you arrive at a final CSP. Once done, you should keep the reporting capability enabled so that you can identify new content on your site that should be allowed or, worse, malicious content that someone is trying to introduce.
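The tallying behind the two tables above and the header-building step can be scripted. The following is an added Python example, not code from the original post: it aggregates report-uri JSON bodies into directive/scheme/domain counts and extends the base policy only with https hosts that an operator has reviewed and approved, leaving inline, eval and data violations for manual handling. The sample reports are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report-uri POST bodies, not taken from the original post.
SAMPLE_REPORTS = [
    {"csp-report": {"effective-directive": "font-src",
                    "blocked-uri": "https://fonts.gstatic.com/s/roboto/v20/a.woff2"}},
    {"csp-report": {"effective-directive": "font-src",
                    "blocked-uri": "https://fonts.gstatic.com/s/roboto/v20/b.woff2"}},
    {"csp-report": {"effective-directive": "style-src-attr", "blocked-uri": "inline"}},
    {"csp-report": {"effective-directive": "script-src-elem",
                    "blocked-uri": "https://www.googletagmanager.com/gtm.js"}},
    {"csp-report": {"violated-directive": "img-src https:", "blocked-uri": "data"}},
]

# Starting point from the post: everything from 'self', images from any https origin.
BASE_POLICY = {"default-src": ["'self'"], "img-src": ["https:"]}

# Browsers report these as bare keywords rather than URLs.
KEYWORD_URIS = {"inline", "eval", "data", "blob", ""}

def classify(blocked_uri):
    """Split a blocked-uri into (scheme, domain) as in the second table above."""
    if blocked_uri in KEYWORD_URIS:
        return None, blocked_uri or "inline"
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return parts.scheme, parts.netloc.lower()
    return None, blocked_uri

def aggregate(reports):
    """Count reports by (directive, scheme, domain), most frequent first."""
    counts = Counter()
    for report in reports:
        body = report["csp-report"]
        # Older reports carry only violated-directive, sometimes with its value appended.
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        counts[(directive,) + classify(body["blocked-uri"])] += 1
    return counts.most_common()

def build_policy(base, rows, approved_hosts):
    """Extend the base policy with https hosts that have been reviewed and approved.
    Keyword violations (inline, eval, data) are deliberately not auto-allowed."""
    policy = {d: list(srcs) for d, srcs in base.items()}
    for (directive, scheme, domain), _count in rows:
        if scheme == "https" and domain in approved_hosts:
            policy.setdefault(directive, []).append(f"https://{domain}")
    return "; ".join(f"{d} {' '.join(dict.fromkeys(s))}" for d, s in policy.items())
```

With only fonts.gstatic.com approved, the output is exactly the header reached above; the googletagmanager.com row stays in the table until someone decides whether to allow it.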

Resources

Here are some nice resources that can help you continue building your CSP as well