The content security policy is an initiative that is upheld by the W3C (web application security) group in order to ensure a safer browsing experience for all users and to likewise protect website owners and businesses from malicious attacks. In this post, we will examine more closely what CSP is and how it works, as well as looking at precisely what a web application is, how it operate and why a company may wish to use one for its marketing.
The Content Security Policy or CSP is a computer security standard that has been introduced across the web in order to try and stop cross-site scripting, code injection attacks and clickjacking. These activities can all be the result of malicious content being executed on a trusted web page and can end up harming the user.
CSP is suggested by the W3C working group for Web Application Security and it has been supported by the majority of modern browsers.
In short, this protocol is designed to ensure that there is a standardized method through which website owners can declare the approved origins of content that browsers will be loading through their site. These include scripts written in JavaScript, CSS and HTML, as well fonts and images and embedded objects such as applets and HTML 5 features.
How it Works
When a website is loaded on a computer, it actually goes through several things. First, when you type the URL into your address bar, this is then used by the computer to look up a specific IP. That is the IP address of a server. A server is a large computer just like any other, except that it has one key job, which is to ‘serve up’ content from the web. So, these computers have very large amounts of storage and will contain lots of files such as HTML scripts and images that help to make up a website.
The browser on the user’s computer will then ping said server and ask for it a specific address. If all is well and the server is on and connected, it will then send back all those files that are necessary to load your web page. The browser interprets those files and loads them onto the page.
If the content security policy header is included in this server response, then a compliant client will enforce the whitelist policy. For instance, the policy requires a stricter execution mode for JavaScript, to prevent cross-site scripting attacks. JavaScript is a basic, portable programming language and in layman’s terms, this disables a number of features of the script.
These include:
- Inline JavaScript code
- <script> blocks
- Inline CSS statements
- <style> blocks
- Dynamic JavaScript code evaluation
- Eval()
- Dynamic CSS statements
Of course, this seriously limits what a website can do. By removing certain functionality achieved through specific scripts and code, a website essentially nerfs many of its capabilities making things like interactive games, quizzes and forms more difficult to operate.
When using CSP, a new application will generally be very simple and straightforward in order to comply with the compatible JavaScript framework. Likewise, existing applications may require refactoring. Refactoring means that code is rewritten in order to alter the internal structure and layout but without altering the external behavior that the end user gets to see. In other words, the code is rewritten in order to perform the same tasks but without breaching these requirements.
So how might this work? Well for instance, it is recommended that CSP-compatible web applications should load their code from external source files, rather than having it embedded on the page. This is accomplished with <script src>. They should parse JSON data instead of evaluating it and they should use EventTarget.addEventListener() to set handlers for specific events.
If a web app should violate these requirements, then the browser will launch a POST request to the value specific in the report-uri. This will contain details of the violation. These reports use regular JSON structures and can then be captured by the application’s API or by public CSP report receivers.
Malicious Attacks and How CSP Prevents them
You may not be familiar with terms like clickjacking, in which case you might not yet recognize the need for circumventing the potential risks presented by software running on servers and browsers.
In that case then, consider some of the following threats that face internet users that have emerged thanks to the likes of JavaScript and PHP.
Clickjacking
Clickjacking is a malicious technique used to trick the user into clicking on things that they did not intend too. This could potentially result in confidential information being released, or it could lead to them downloading files that they didn’t intend to. Normally, when we click on a link, we first hover the mouse over and we can see where the link will take us or what it will do.
Unfortunately, there are a number of ways that this transparency can be circumvented. The most obvious way is by simply redirecting the user to another page. This can lead to a number of issues, however it’s not as serious as what is possible by using in-line JavaScript, which could cause the user to download malicious malware, or to activate their webcam. CSP prevents these more serious abuses, even if it can’t prevent simple redirects.
Code Injection
A code injection involves exploiting bugs in code that remove necessary safety protocols in order to prevent users or hackers from sending their code to be interpreted by the program. This can occur when applications send unencrypted data to interpreters – in SQL, LDAP, XPath etc. However, it can also occur in numerous other scenarios. For instance, programs that allow users to upload files could be vulnerable, as can programs that fail to distinguish between user inputs and system commands. Today, code injections are relatively uncommon, accounting for below 1% of hacks and vulnerability exploits. This is thanks in part to CSP among other initiatives.
Cross-Site Scripting
Cross-site scripting is a method used to attack web applications in order to inject code. This is used by attackers in order to bypass access control such as same-origin policies. This is actually a very serious issue and accounts for a large number of security vulnerabilities to this day.
Why Build Web Apps for Your Business
JavaScript is what is used to build a web app then, and it is only when adding this kind of web 2.0 functionality to a website that site owners need to consider these complex issues. Whenever you add dynamic or interactive elements, you are potentially opening up your site and your users to new threats. So why allow this at all?
The term ‘App’ is currently one of the big buzz words that everyone online is using. It was of course initially made popular by Apple on the iPhone, and was chosen as a term due to it cleverly being an abbreviation of both ‘application’ and ‘Apple’ itself. However, it has spread much beyond that and is now a term that is used to refer to any ‘light’ application that can be downloaded cheaply or for free from the ‘cloud’ or even launched from it directly. In fact, even full legacy software on Windows is now often described the with phrase app!
This is a concept that has caught on of course with other phones and we are now already seeing apps
- on Windows phones
- on Blackberry devices and of course
- Android.
At the same time though the term is also starting to gain wider acceptance on the web and also now describes websites that do more than simply display a page - such as ‘web apps’.
These web apps refer to applications that run within the browser. Sometimes these are designed to be integrated with a specific browser and use browser-specific HTML markups – such as the ‘Marvel Comics App’ which can work with Chrome or alternatively various other browsers; but in other cases, they will be designed to work on any browser. Generally, these will use a combination of JavaScript, HTML5, Flash and PHP in order to work – and with the exception of flash these languages are well supported across devices meaning that there are few cross-compatibility issues (almost all devices support Java, and PHP runs on the server itself meaning it is guaranteed to look identical regardless of the browser and specs of the device it is viewed on).
In fact, in the case of apps built with PHP, the programming language is actually run on the server. This is what we call a ‘server side script’ in fact, which means that the program will dynamically change what the server returns when the browser queries it. This can be used to create games and forms etc.
Other web apps are much closer to full software packages and can be written with object oriented programming languages such as Python. Twitter is one such example of a ‘full’ web app written in Python.
Often these apps will also need to store and retrieve data and files on the server, such as usernames and passwords, or images that have been uploaded to social networks like Facebook. These will tend to use database solutions such as MySQL in order to store huge amounts of data for hundreds of thousands of users. The easiest way to imagine these is as being multiple spreadsheets stored in the cloud, except where the only interface is that provided by the site owner’s code.
When these kinds of applications first started making their way onto the web, we began to see the term ‘web 2.0’ used. This described any website that would do more than simply load a page and that would allow for interactive components. Today however, so many sites use these kinds of features, that the distinction has become meaningless.
Chances are that your website has ‘web 2.0’, ‘web app’ elements. If you built your site using WordPress, then that in itself is a web app that relies on PHP, databases, CSS and more in order to display responsive websites and also to allow for user logins etc. Meanwhile, many of the widgets and plugins you use could also be considered to be apps or applets.
That said, we still will generally use the term ‘web app’ to describe a feature of a website that is truly interactive and that goes above and beyond the general ‘content consumption’ objective of a website. We normally consider a web app to be something that we have to log into, that stores data about us and that performs a specific useful function.
Why Use Web Apps for Your Business?
In short then there are few reasons not to jump on the web apps band-wagon and start using it to make some highly useful and interesting applications. The language has been there for a long time and the first web apps were around before the web was even a mainstream concept (though they weren’t called ‘apps’ at this point), and yet few companies have used it successfully in order to create truly unique offerings on the web. Most websites are simply static HTML and CSS and serve no purpose other than to display content. They will use the plugins and widgets offered through WordPress, but with little regard to how this is increasing the end-user experience, or how it can be successfully monetized. Web apps meanwhile allow you to make games, calculators, questionnaires and other even more imaginative applications.
Think about how you could improve bounce rates on your site by adding a fun interactive game, or how you could add useful features to your site that users would want to log in and use. How about a visualizer for clothing you sell in your store, so that your users can see what the items might look like together before they buy? How about a useful bodyweight calculator if you have a fitness site? Or how about creating your entire own social network?
This has the potentially to repeatedly bring visitors back to your site in a way that static content alone cannot. Not only that, but it immediately raises your reputation and impresses: people are still trained to think of software as being more difficult to pull-off than written content. Anyone living in their Mum’s basement can create a website and fill it with copy. But a company that can develop an impressive web app is one to be trusted.
Examples of Clever Web Apps
Looking once again at the example of the Marvel Comics web app, this is something that is truly innovative in its use of web-friendly coding to provide something new. Essentially this is a platform through which comics fans can read ‘digital’ comics on their monitors and flick through the pages or enjoy going panel to panel. This then means that people can enjoy reading comics on their laptops on the train, and it means that they don’t need to leave the house in order to get the latest issue – creating lots more marketing opportunities for the floundering comics industry.
What this also means is that the comics can be enjoyed in a new way – with more animations and transitions and a different sense of direction that comes from being able to dictate which panels the reader sees, how large they are and what order they read the speech and thought bubbles. A new range of comics designed specifically for this platform called ‘Infinite’ comics has begun to truly take advantage of this and these innovations are showing early signs of giving comics the shot in the arm that they truly need. Could your business enjoy a similar shot in the arm from a web app?
Software As a Service
Or better yet, could your website benefit from SAAS? Or ‘software as a service’? This can even mean building your entire business model around the concept of the web app.
SAAS describes a particular type of business model where you are providing a service in the form of – you guessed it – software. In other words, you are providing someone with a product or service that runs itself online and that you can don’t need to have any part in yourself other than for maintenance. Thanks to the cloud, and to the power of modern computers and browsers, it’s possible to offer a range of tailored services directly to someone’s PC that rely on strict code and don’t require human intervention.
Examples of SAAS Business Models
There are many examples of this already which provide online services from the cloud which can be used by a variety of businesses. For instance there is SohoOS which is a ‘micro business management’ tool, there is RecruiterBox which of course is useful for recruiting staff for a company, and there are things like Salesforce which is a ‘sales’ application.
All of these websites are interactive business-to-business solutions that allow users – in theory – to run a business more easily or to enjoy a new feature. They do things like organizing data, bringing people together and giving you productivity tools such as spreadsheets and other financial modelling software. And then there are those that provide a service for consumers rather than businesses. These include things like video and editing software, like Spotify (a music platform) and like Google Apps. No matter your industry or niche there is probably a service you could provide that people would be willing to use.
Why SAAS?
If you have a dynamic piece of software such as contact management software, then this is something that you can charge for as a business. The old business model of course was to simply package that up in some cellophane and a box, and to then sell it for a premium price (you can pay $100 and more for a piece of productivity software and normally more than $40 for a game). This of course would work but it is open to some basic flaws. For one it means that your product is only sold once and a surprisingly small amount of buyers tend to bother with frequent updates. At the same time though it also means that your software can be easily copied, stolen and shared, and it is a slow way to sell with large overheads.
Alternatively, by providing a web app or service online that anyone can use, you can allow your businesses to use your service without actually buying any physical item. They pay for registration and this not only makes them more likely to buy (as there is no large asking cost initially) but also makes them more likely to keep paying and to stay as a recurring customer into the future. They feel like they’re getting a better deal, and you get a much bigger profit from them at the same time. You also keep your captive audience, and are able to deal immediately with any problems or gripes.
There are also many more exciting ways that you can monetize a web app too. For instance, you can use this as a way to collect data and then sell it – as long as your users have agreed or the data is anonymous. This is where the real power of SQL comes in. Imagine being able to collect data about how people shop, what they were, or what they eat. And imagine if you could then sell that data to companies that could use it to make more sales. This could potentially result in large profits!
