This test page demonstrates a security vulnerability where a page with iframes lacks a Content Security Policy (CSP), leaving it vulnerable to various attacks including XSS, clickjacking, and data injection.
Test Case
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Missing CSP - Pink Sock Test</title>
<link rel="stylesheet" href="../assets/style.css">
<!-- No Content Security Policy -->
</head>Explanation
Content Security Policy (CSP) is a critical defense-in-depth protection mechanism that helps mitigate many web vulnerabilities, particularly for pages that include iframes. Without a CSP, a page is vulnerable to:
- Cross-site scripting (XSS) attacks
- Clickjacking through malicious framing
- Injection of unauthorized content
- Data exfiltration through unintended connections
- Mixed content vulnerabilities
A robust CSP helps enforce the security boundaries between your content and other potentially untrusted content, including content loaded in iframes.
How Pink Sock detects this issue:
Pink Sock scans for CSP headers and meta tags on pages that include iframes. When no CSP is detected, it flags the issue as a medium-severity security vulnerability.
How to fix:
Implement a Content Security Policy either through HTTP headers or a meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self';">Or via HTTP header:
Content-Security-Policy: default-src 'self'; frame-src 'self'; frame-ancestors 'self'; script-src 'self'; style-src 'self';The specific policy should be tailored to your application's needs, but should at minimum include directives like frame-src and frame-ancestors to control iframe content and embedding.
Additional Information
Key CSP Directives for IFrame Security
When implementing CSP, these directives are particularly important for iframe security:
| Directive | Purpose | Example |
|---|---|---|
| frame-src | Controls what URLs can be loaded in iframes | frame-src 'self' https://trusted-site.com; |
| frame-ancestors | Controls which sites can embed your page in frames | frame-ancestors 'self'; |
| child-src | Controls frame sources and workers (legacy) | child-src 'self'; |
| default-src | Fallback for other fetch directives | default-src 'self'; |
CSP Implementation Strategy
Consider this progressive approach to implementing CSP:
- Report-Only Mode: Start with CSP in report-only mode to identify potential issues:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violations; - Basic Policy: Implement a simple policy focusing on critical protections
- Iterative Refinement: Gradually tighten the policy, addressing violations as they occur
- Strict Policy: Move to a comprehensive policy that follows the principle of least privilege
Legacy Browser Support
For broader compatibility, consider implementing both CSP and older security headers:
X-Frame-Optionsfor legacy frame embedding controlX-XSS-Protectionfor older browsers without full CSP supportX-Content-Type-Optionsto prevent MIME type sniffing