XSS Protection with Content Security Policy

Geoff Appleby

If unexpected inline JavaScript was added to a WYSIWYG field on your site, would you know? If one of your JavaScript dependencies were altered to harvest sensitive form data, could you prevent it?

Content Security Policy is a new layer in web security to protect your site and your users from security and privacy risks such as cross-site scripting (XSS), content injection, and data exfiltration. The Content-Security-Policy module is able to leverage Drupal 8’s libraries system to make this tool more easily available to every Drupal site.

This session will cover:

- The most prominent risks and the Content Security Policy options available to address them.
- The current state of the Content Security Policy spec, and current browser support.
- The legacy headers that Content Security Policy replaces.
- How to safely implement and monitor the effectiveness of a policy.
- The roadblocks current modules, frontend libraries, and third-party services present.
- Further hardening techniques for complex sites.
- Additional browser features for improving security and monitoring end-user issues on your site.

This session is useful for site builders and developers. Attendees should walk away with the core knowledge required to implement and monitor a Content Security Policy for their website.

