What is Content Security Policy?
Until the advent of Content Security Policy (CSP), it was extremely difficult to protect your website’s visitors from the injection of malicious code that could place unwanted links on your web pages, hijack complete sessions or even cause corruption of your website itself.
What makes matters worse is that in the absence of any reporting mechanism, it is very difficult to know when these types of attack are occurring.
To address these threats, in late 2015, the W3C issued Content Security Policy 1.0 as a first response and followed up with 2.0 in December 2016.
At the core of CSP is a simple concept: using standard HTTP response headers, a website tells the browser which sources it is authorised to load scripts, styles, images and other content from, and the browser blocks everything else. With these simple instructions, the issues outlined above are greatly reduced.
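To make the header mechanism and the reporting side concrete, here is an added Python example; it is not code from the original article. It serialises a directive map into the Content-Security-Policy header value a server sends, and reduces the JSON violation report a browser POSTs to the policy's report-uri down to the fields an operator triages on. The policy, host names and report contents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed example policy (hypothetical hosts, not from the article):
# each directive maps to the list of sources the browser may load from.
EXAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example-analytics.com"],
    "img-src": ["'self'", "https:", "data:"],
    "object-src": ["'none'"],
    "report-uri": ["/csp-report"],
}


def build_csp_header(policy):
    """Serialise a directive mapping into a Content-Security-Policy header value.

    Directives are joined with '; ' and each directive's sources with spaces,
    which is the wire format the browser parses."""
    parts = []
    for directive, sources in policy.items():
        if not sources:
            raise ValueError(f"directive {directive!r} has no sources")
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


def parse_csp_report(body):
    """Reduce a browser violation report (JSON POSTed to report-uri) to the
    fields an operator triages on. Returns None if the body is not a CSP report."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    blocked = report.get("blocked-uri", "")
    # 'inline' and 'eval' are not URLs; keep them verbatim, otherwise reduce to origin
    if "://" in blocked:
        s = urlsplit(blocked)
        blocked = f"{s.scheme}://{s.netloc}"
    return {
        "page": report.get("document-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "blocked": blocked,
    }


# Constructed sample report, shaped like the JSON a browser sends to report-uri
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/checkout",
        "referrer": "",
        "violated-directive": "script-src 'self' https://cdn.example-analytics.com",
        "effective-directive": "script-src",
        "original-policy": build_csp_header(EXAMPLE_POLICY),
        "blocked-uri": "https://tags.unapproved-vendor.example/loader.js",
        "status-code": 200,
    }
})

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp_header(EXAMPLE_POLICY))
    print(parse_csp_report(SAMPLE_REPORT))
```

The report handler deliberately keeps only the page, the directive and the blocked origin: that is enough to spot an unapproved third party or an injection attempt without storing full URLs that may carry query strings.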
What is its purpose?
CSP mitigates two of OWASP’s top ten most critical web application security threats: A1 Content Injection and A3 XSS (cross site scripting). These threats cover a broad range of injection vulnerabilities and through the use of a simple declarative set of policy rules, CSP enables web application authors and administrators to regain control over what is and what is not loaded by a browser when visiting your website.
How does it help in web performance?
CSP delivers clear web security benefits but when considered from a performance perspective, it can also contribute significantly to strong governance.
This is because many websites implement a wide range of third-party extensions on their website to enhance user experience and/or increase revenue.
The ability to set and achieve web performance objectives depends on knowing exactly what components are being loaded. The problem with third-party extensions is that the responsibility for their control often resides across different departments and individuals within an organisation (an issue we often encounter in third-party tag reviews). Consequently, new extensions can be incorporated into web page content with almost no governance applied to ensure compatibility with web performance objectives.
CSP can resolve this issue by ensuring that only authorised third parties are allowed to contribute to web page content.
In this way, accountability for web performance can be assigned and a degree of change control process enforced, resulting in improved governance.
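As an added example (not from the article) of how a policy acts as a governance check, the following Python runs a simplified CSP source-expression matcher over a constructed list of resources a page loads and marks each one allowed or blocked by the directive that governs it. The policy, page URL and vendor host names are invented; the matcher covers 'self', 'none', scheme sources and host sources with wildcards and ports, and by design ignores path restrictions and nonce/hash sources.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    s = urlsplit(url)
    scheme = s.scheme.lower()
    return scheme, (s.hostname or "").lower(), s.port or DEFAULT_PORTS.get(scheme)


def source_matches(expr, url, page_url):
    """True if CSP source expression `expr` permits loading `url` from a page at `page_url`."""
    expr = expr.strip()
    if expr == "'none'":
        return False
    scheme, host, port = _origin(url)
    page_scheme, page_host, page_port = _origin(page_url)
    if expr == "'self'":
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    if expr.endswith(":") and "/" not in expr:
        # scheme source such as 'https:' or 'data:'
        return scheme == expr[:-1].lower()
    # host source: [scheme://]host[:port][/path]; the path is ignored here (simplification)
    if "://" in expr:
        expr_scheme, rest = expr.split("://", 1)
        if expr_scheme.lower() != scheme:
            return False
    else:
        rest = expr
        # schemeless host sources take the page's scheme; an http page may also load https
        if scheme != page_scheme and not (page_scheme == "http" and scheme == "https"):
            return False
    rest = rest.split("/", 1)[0]
    host_pattern, _, port_pattern = rest.partition(":")
    host_pattern = host_pattern.lower()
    if host_pattern == "*":
        pass
    elif host_pattern.startswith("*."):
        # '*.example.com' covers subdomains only, not example.com itself
        if not host.endswith(host_pattern[1:]):
            return False
    elif host != host_pattern:
        return False
    if port_pattern == "*":
        return True
    if port_pattern:
        return port == int(port_pattern)
    return port == DEFAULT_PORTS.get(scheme)


def directive_for(resource_type, policy):
    """Pick the directive governing a resource type, falling back to default-src."""
    directive = resource_type + "-src"
    if directive in policy:
        return directive, policy[directive]
    return "default-src", policy.get("default-src", [])


def audit_resources(policy, page_url, resources):
    """For each (resource_type, url) the page loads, decide whether the policy allows it.
    Returns a list of (url, governing directive, allowed) tuples."""
    results = []
    for resource_type, url in resources:
        directive, sources = directive_for(resource_type, policy)
        allowed = any(source_matches(e, url, page_url) for e in sources)
        results.append((url, directive, allowed))
    return results


def blocked_hosts(results):
    """Sorted set of hosts the policy would block: the list to take to the tag owners."""
    return sorted({urlsplit(url).hostname for url, _, allowed in results if not allowed})


# Constructed policy, page and resource inventory (hypothetical hosts)
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://*.approved-tags.example"],
    "img-src": ["'self'", "https:"],
    "frame-src": ["'none'"],
}
PAGE = "https://www.example.com/product/42"
RESOURCES = [
    ("script", "https://www.example.com/static/app.js"),
    ("script", "https://cdn.approved-tags.example/tag.js"),
    ("script", "https://tags.unapproved-vendor.example/loader.js"),
    ("img", "https://images.partner.example/banner.png"),
    ("font", "https://fonts.partner.example/a.woff2"),
    ("frame", "https://widgets.partner.example/chat"),
]

if __name__ == "__main__":
    for url, directive, allowed in audit_resources(POLICY, PAGE, RESOURCES):
        print("ALLOW " if allowed else "BLOCK ", directive.ljust(12), url)
    print("blocked hosts:", blocked_hosts(audit_resources(POLICY, PAGE, RESOURCES)))
```

Run against a real inventory (for instance the requests recorded in a HAR file), the blocked list is exactly the set of third parties that have no owner-approved entry in the policy, which is the point at which accountability can be assigned.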
Is CSP a viable technology?
With W3C only formalising CSP standards in the last 18 months, there has been a quick uptake by browser vendors to ensure that their products support this important technology.
Almost every major browser, with the exception of Opera Mini, supports CSP 1.0, so significant improvements to both web performance and web security are possible with a single set of changes.
However, the reality is that few websites have adopted this important and easy to implement technology. According to the website profiling company BuiltWith, take-up across the Internet is just 0.2%, leaving large numbers of websites and visitors at risk.
CSP 1.0 Browser adoption from caniuse.com
The importance of web performance governance
The barriers to creating a fast, reliable website are just as often organisational as they are technical. Part of my role is to help companies improve their management of web performance, building a coherent performance strategy that integrates seamlessly with the rest of the business. CSP is just one tool in the box, but it’s one that should help pull together the different strands of performance, security, marketing and ecommerce.