Dima Tisnek

Reputation: 11781

How to detect if browser supports CSP on the server?

I have a server helper.com that serves responses to GET requests with custom CSP, e.g.:

Content-Security-Policy: default-src 'self'; frame-ancestors https://my.com;

The idea is that only my.com can include the widget from helper.com.

This works fine in modern browsers (Chrome, Safari, Firefox).

The question is, how can I reliably exclude browsers that don't support CSP?

That is, all of the IE family (?), very old versions of the good browsers, legacy browsers, even NN if someone happens to use it?

The technical reason is that if the user has a session cookie on helper.com, I plan to serve the user's confidential information, and I'm worried about cases where someone uses e.g. IE, is logged in, and some hackers create hacker.com that tries to fetch stuff from helper.com via ajax, a script tag, a font resource, or an image drawn to canvas, and steal the user's confidential data.

In short, if I serve CSP, I want to be sure it will be applied by the browser.

Upvotes: 1

Views: 718

Answers (2)

ashwinik001

Reputation: 5163

What I would have done is the set of following steps:

  1. Generally, browsers send a User-Agent header on the request, and there is no way to change the User-Agent header sent by the browser from client-side code. So I would have used that value on the web server side in order to decide which browser I am dealing with. ref: understanding user-agent
  2. Then, based on the browser and the CSP header compatibility matrix, I would have known whether I should allow/disallow this browser. Of course, I know exactly which CSP header support I require for my website.
  3. For the disallowed browsers I would serve browser-not-supported.html; for the others I would have proceeded further.
  4. I would have also added some trivial JS code in my index.html or other html pages in order to not make requests if this browser is not supporting the exact CSP headers, which I need for my site.
  5. Also, I would have added the old browsers compatible headers on my http response like X-Frame-Options "SAMEORIGIN" which will serve our specific purpose in case the browser does not honor/understand the CSP headers.

Upvotes: 1
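The steps above, written out as server-side code. This is an added example, not code from the question or from either answer: it assumes a Node.js-style request object with a `headers` map, that `https://helper.com` is the widget origin and `https://my.com` the single permitted embedder (both taken from the question), and that the static refusal page is named `browser-not-supported.html` as in step 3. It sets the CSP `frame-ancestors` directive for CSP-aware browsers and the older `X-Frame-Options` header as the fallback from step 5; since `X-Frame-Options` has no list form, a foreign embedder can only be expressed with `ALLOW-FROM`, which only IE and older Firefox ever honoured, while `SAMEORIGIN` covers the case where helper.com embeds itself. Browsers that implement `frame-ancestors` ignore `X-Frame-Options` when both are present, so sending both is safe.

```javascript
// Added example: anti-framing headers plus a User-Agent gate for a widget on
// helper.com that only https://my.com may embed. Names and origins are taken
// from the question; the request shape (req.headers map) is an assumption.

const SELF_ORIGIN = 'https://helper.com';   // assumption: the widget's own origin
const ALLOWED_EMBEDDER = 'https://my.com';  // the one permitted framing origin

// Build both header families for one response.
// - Content-Security-Policy frame-ancestors: honoured by CSP-aware browsers.
// - X-Frame-Options: the pre-CSP fallback. It has no multi-origin form:
//   SAMEORIGIN when helper.com frames itself, otherwise ALLOW-FROM, which only
//   IE and old Firefox understood. CSP Level 2 says a browser that enforces
//   frame-ancestors must ignore X-Frame-Options, so sending both is harmless.
function buildFrameHeaders(selfOrigin, embedderOrigin) {
  return {
    'Content-Security-Policy': `default-src 'self'; frame-ancestors ${embedderOrigin};`,
    'X-Frame-Options':
      embedderOrigin === selfOrigin ? 'SAMEORIGIN' : `ALLOW-FROM ${embedderOrigin}`,
  };
}

// Coarse server-side User-Agent classification (steps 1 and 2).
// IE (MSIE / Trident tokens) never implemented the standard
// Content-Security-Policy header beyond the sandbox directive, so it is
// treated as unsupported; everything else is assumed modern here. The UA
// string is client-controlled, so this is a courtesy check, not a boundary.
function supportsCspFrameAncestors(userAgent) {
  const ua = String(userAgent || '');
  if (ua === '') return false;              // no UA at all: refuse rather than guess
  if (/MSIE |Trident\//.test(ua)) return false;
  return true;
}

// Request handler (step 3): refuse legacy browsers with the static page,
// otherwise serve the widget with both header families set.
function handleWidgetRequest(req) {
  const ua = req && req.headers ? req.headers['user-agent'] : undefined;
  if (!supportsCspFrameAncestors(ua)) {
    return {
      status: 403,
      headers: { 'Content-Type': 'text/html' },
      body: 'browser-not-supported.html',  // assumption: static refusal page
    };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html',
      ...buildFrameHeaders(SELF_ORIGIN, ALLOWED_EMBEDDER),
    },
    body: '<!doctype html><p>widget</p>',
  };
}

// Constructed sample requests (not captured traffic): one IE 11, one Chrome.
const sampleRequests = [
  { headers: { 'user-agent': 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' } },
  { headers: { 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36' } },
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const req of sampleRequests) {
    const res = handleWidgetRequest(req);
    console.log(res.status, JSON.stringify(res.headers));
  }
}
```

Note that `frame-ancestors` and `X-Frame-Options` only control who may frame the page. A page on hacker.com that fetches helper.com with a script tag, a font, or an image is governed by the browser's same-origin policy and CORS, not by these headers, which is the point the second answer makes.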

Stephen R

Reputation: 3907

This isn’t really what CSP does. CSP doesn’t protect the site from malicious users; it protects users from compromised web sites. Your best bet is some form of server authentication to determine whether you serve up the data or not. But that isn’t a matter of CSP.

Upvotes: 0
