
Preventing XSS with Content-Security Policy


For years, the best method for preventing Cross-Site Scripting (XSS) has also been the only method – careful sanitization of user input. Unfortunately, sanitization is still largely a manual process. And despite better tools and better developer know-how, all it takes is one haphazard mistake to introduce an XSS vulnerability to your application. If history is any indication, it’s not a matter of “if” you’ll make such a mistake, but “when”.

Thankfully, there’s a new browser feature called Content-Security Policy that prevents web clients from executing untrusted JavaScript in an affected document. Already implemented in most modern web browsers, CSP makes it impossible to execute injected JavaScript code, effectively eliminating the XSS threat.

In this talk, you’ll first learn about common client-side programming mistakes that lead to XSS vulnerabilities – mistakes even the pros have made. Then you’ll learn about HTML5’s Content-Security Policy, how it prevents execution of injected code, and how to implement it in your web application. We’ll cover how to whitelist script sources so that only trusted files load, how to make your code CSP-friendly, and how to send backwards-compatible CSP headers for maximum browser compatibility.
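As an added example that is not part of the talk: a small Node.js module, written here, that emits the whitelisting headers the abstract describes (the standard Content-Security-Policy header plus the older X-Content-Security-Policy and X-WebKit-CSP names) and a simplified matcher showing which script loads such a policy permits. All origins are constructed sample values, and the matcher covers only 'self', exact origins and a "scheme://*.host" wildcard, not the full source-expression rules.

```javascript
// Added example, not code from the talk: builds CSP headers that whitelist
// script sources and checks which script loads the policy permits (sample origins).

// 'self' allows same-origin script files. We never add 'unsafe-inline', so
// injected inline <script> blocks (the usual XSS payload) are refused.
function buildPolicy(trustedScriptOrigins) {
  const scriptSrc = ["'self'", ...trustedScriptOrigins].join(' ');
  return `default-src 'self'; script-src ${scriptSrc}; object-src 'none'`;
}

// Standard header plus the vendor-prefixed names early Firefox and WebKit understood.
function cspHeaders(trustedScriptOrigins) {
  const policy = buildPolicy(trustedScriptOrigins);
  return {
    'Content-Security-Policy': policy,
    'X-Content-Security-Policy': policy,
    'X-WebKit-CSP': policy,
  };
}

// Parse "directive src src; directive ..." into { directive: [src, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Simplified source matching: 'self', an exact origin, or "scheme://*.host".
function sourceMatches(source, origin, pageOrigin) {
  if (source === "'self'") return origin === pageOrigin;
  if (source.includes('://*.')) {
    const [scheme, host] = source.split('://*.');
    const u = new URL(origin);
    return u.protocol === scheme + ':' && u.hostname.endsWith('.' + host);
  }
  return source === origin;
}

// script is { inline: true } or { src: url }. Inline code runs only when
// 'unsafe-inline' is listed; external files must match a listed source.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = parsePolicy(policy)['script-src'] || [];
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  return sources.some((s) => sourceMatches(s, origin, pageOrigin));
}
```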


Ben Vinegar


Front-end Engineer at Disqus. Co-author, Third-party JavaScript.

