Microsoft explains Content Security Policy for Hosted Web Apps

One of the new forms of apps for Windows 10 being promoted by Microsoft is Hosted Web Apps. While web apps have existed before on the Windows Store, in Microsoft’s newest OS they finally go from simple wrappers to a powerful alternative to native apps, with the ability to access APIs reserved for Universal Windows Apps (UWA). Unfortunately, this also brings potential security risks, something Microsoft seems to be trying to prevent with a new educational blog post for developers on how to make Hosted Web Apps secure.

What sets Windows 10 Hosted Web Apps apart from their predecessors is the modern, up-to-date Microsoft Edge web platform and rendering engine. This means common techniques for web content security will work for Hosted Web Apps; the focus, however, is on a new feature: Content Security Policy.

Content Security Policy (CSP) is a new security layer developed by the W3C Web Application Security Working Group. It helps reduce the risk of cross-site scripting and data injection – two common forms of webpage attacks – by letting developers specify where the resources of a particular webpage may be loaded from. The post details how CSP works and some “best practices” for using CSP, including setting up Content URI rules and scope, and applying CSP to all pages that will have access to UWA APIs.
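As an added example (not code from Microsoft's post or from Windows Report), the JavaScript below parses a Content-Security-Policy header and checks whether a resource URL is permitted under a given directive, falling back to default-src the way browsers do; it assumes a Node runtime with the WHATWG `URL` global, and the policy, page origin and URLs are constructed for illustration.

```javascript
// Added example: minimal CSP source-list evaluation. The sample policy,
// origin and URLs are constructed; this is not Microsoft's or Edge's code.

// Split "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit `url`? Handles 'self', '*', scheme-only
// sources (https:, data:) and host sources with optional scheme, wildcard
// subdomain, port and path prefix. Other quoted keywords ('none',
// 'unsafe-inline', nonces, hashes) never match a URL.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== 'https:' && url.protocol !== new URL(pageOrigin).protocol) {
    return false; // no scheme given: only the page's scheme or an https upgrade matches
  }
  const hostOk = wildcard ? url.hostname.endsWith('.' + host.toLowerCase())
                          : url.hostname === host.toLowerCase();
  if (!hostOk) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  return !path || url.pathname.startsWith(path);
}

// Is loading `resourceUrl` under `directive` (e.g. 'script-src') allowed? A missing
// fetch directive falls back to default-src; with neither, CSP imposes no limit.
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;
  return sources.some((expr) => sourceMatches(expr, new URL(resourceUrl), pageOrigin));
}

// Constructed sample: scripts only from the app itself and one CDN; images over https or data: only.
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src https: data:";
```

With this policy, a script injected from any third-party host is refused even if an attacker manages to insert the tag, which is the XSS mitigation the post describes.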

Content Security Policy in action. Courtesy of Windows Blog.

As the dearth of apps on the Windows 10 Store continues, Hosted Web Apps are just one of the ways Microsoft is courting developers by minimizing their workload when developing for Windows. That does not mean quantity should trump quality or security, however, and it’s reassuring to see Microsoft address this issue before it becomes problematic; the rest, now, is up to developers.