Google Releases Content Security Policy Tools to Prevent Cross-Site Scripting (XSS), Clickjacking and Other Malicious Scripts
Cross-site scripting (XSS) is one of the most common web vulnerability classes. Google alone has paid approximately $1.2 million in bug bounties for XSS vulnerabilities over the last 2 years.
Google has released CSP Evaluator, a tool that detects misconfigurations in a site's Content Security Policy, lets developers visualize the effect of setting a policy, and flags subtle mistakes. Security engineers and developers at Google use CSP Evaluator to make sure their policies provide a meaningful security benefit and cannot be subverted by attackers.
Developers can now set a single, short policy such as:
script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'
Google has also released CSP Mitigator, a Chrome extension designed to help developers review an application for compatibility with nonce-based CSP. The extension can be enabled for any URL prefix and collects data about the programming patterns that need to be refactored to support CSP.
What is Content Security Policy (CSP)?
CSP is a mechanism designed to step in precisely when XSS bugs happen: it gives developers the ability to restrict which scripts are allowed to execute, so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources. CSP is a flexible tool that lets developers set a wide range of policies; it is supported, though not always in its entirety, by all modern browsers.