Semantics-Based Analysis of Content Security Policy Deployment

Published: 27 January 2018

Abstract

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this article, we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration, and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of a few notable issues. However, there are several shortcomings in the other three aspects. CSP still has a rather limited deployment and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more deeply rooted in the CSP design.
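The abstract speaks of misconfigured policies and of the monitoring facilities of CSP without showing either. The following linter is an added example, not code from the article or its authors: it parses a CSP Level 2 header, resolves the default-src fallback, and flags the weakness classes a deployment study typically looks for (inline or eval script allowed, overly broad script whitelists, unrestricted plugin content, no violation reporting). The directive set, the rule that a nonce or hash source makes 'unsafe-inline' ignored, and the two sample policies (including the host cdn.example.com, the nonce value and the report-uri path) are assumptions made for the example.

```javascript
'use strict';
// Added example (not code from the article): a small linter for CSP Level 2
// headers. It parses a policy, resolves the default-src fallback and flags the
// weakness classes the abstract alludes to: inline/eval script allowed, overly
// broad script whitelists, unrestricted plugins, and no violation reporting.
// The sample policies at the bottom are constructed, not taken from any site.

// Fetch directives that fall back to default-src in CSP Level 2 when absent.
const FETCH_DIRECTIVES = [
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'child-src',
];

// Parse "name src src; name src" into a Map of directive name -> source list.
// Names are case-insensitive; only the first occurrence of a directive counts
// (CSP Level 2 ignores later duplicates).
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list of a directive: its own value, else default-src for a
// fetch directive, else null, meaning the directive is unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.includes(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

const hasKeyword = (list, kw) => list.some((s) => s.toLowerCase() === kw);
const isNonceOrHash = (s) => /^'(nonce-|sha(256|384|512)-)/i.test(s);
// Sources an attacker can satisfy: a bare '*' or a scheme-only entry.
const isBroad = (s) => s === '*' || /^(https?|data|blob|filesystem):$/i.test(s);

// Return a list of human-readable findings; an empty list means no weakness
// of the checked classes was found.
function lintPolicy(header) {
  const d = parsePolicy(header);
  const findings = [];
  const script = effectiveSources(d, 'script-src');
  if (script === null) {
    findings.push('script-src: unrestricted (neither script-src nor default-src set)');
  } else {
    // In CSP Level 2 a nonce or hash source makes 'unsafe-inline' ignored,
    // so only flag it when no nonce/hash is present.
    if (hasKeyword(script, "'unsafe-inline'") && !script.some(isNonceOrHash)) {
      findings.push("script-src: 'unsafe-inline' without nonce/hash allows injected inline scripts");
    }
    if (hasKeyword(script, "'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' allows string-to-code (eval, new Function)");
    }
    for (const s of script.filter(isBroad)) {
      findings.push(`script-src: broad source ${s} lets scripts load from arbitrary hosts`);
    }
  }
  if (effectiveSources(d, 'object-src') === null) {
    findings.push('object-src: unrestricted; plugin content can run script-equivalent code');
  }
  if (!d.has('report-uri')) {
    findings.push('report-uri: absent; violations are never reported, so policy drift goes unnoticed');
  }
  return findings;
}

// Monitoring facility: ship the same policy in report-only mode first, so
// violations are reported to report-uri but nothing is blocked.
function reportOnlyHeader(policy) {
  return { 'Content-Security-Policy-Report-Only': policy };
}

// Constructed sample policies: a typical weak one and a hardened one.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https: cdn.example.com";
const HARDENED_POLICY =
  "default-src 'none'; script-src 'self' 'nonce-d29ybGQ='; style-src 'self'; " +
  "img-src 'self'; object-src 'none'; report-uri /csp-report";

console.log('weak:', lintPolicy(WEAK_POLICY));         // 3 findings
console.log('hardened:', lintPolicy(HARDENED_POLICY)); // []
console.log(reportOnlyHeader(HARDENED_POLICY));
```

The weak policy trips three checks: 'unsafe-inline' with no nonce, the scheme-only source https:, and no report-uri. The hardened policy passes because it restricts scripts to 'self' plus a per-response nonce and closes object-src. The usual rollout is to send the hardened policy under Content-Security-Policy-Report-Only, collect the reports posted to report-uri, fix the legitimate violations they reveal, and only then switch to the enforcing Content-Security-Policy header; keeping report-uri in the enforced policy is what makes later breakage visible.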


Published in

ACM Transactions on the Web, Volume 12, Issue 2, May 2018, 174 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/3176641

Copyright © 2018 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 27 January 2018
• Accepted: 1 October 2017
• Revised: 1 August 2017
• Received: 1 March 2017

Qualifiers

• research-article
• Research
• Refereed
