Abstract
Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this article, we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration, and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of a few notable issues. However, there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more deeply rooted in the CSP design.
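As an added illustration of the kind of systematic configuration check the abstract refers to (this is editor-written example code, not code from the paper), the following Python snippet parses a CSP Level 2 header using the standard's first-directive-wins and default-src fallback rules and flags a few weak settings. The particular checks are the editor's own examples, not the paper's list of detected issues; the sample policies in the comments are constructed.

```python
import re

def parse_csp(header):
    """Parse a CSP Level 2 header into {directive: [source expressions]}.
    Directives are ';'-separated; when a directive name repeats, CSP Level 2
    keeps the first occurrence and ignores the later ones."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = sources
    return policy

def effective_sources(policy, directive):
    """Resolve a fetch directive, falling back to default-src when absent.
    Returns None when neither is set, i.e. the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def check_policy(policy):
    """Return (directive, issue) pairs for a few common weak settings in
    script-src and object-src. Illustrative checks only (editor's choice).
    Constructed example: "default-src 'self'; script-src 'self' 'unsafe-inline'"
    yields one script-src issue; object-src inherits 'self' and is fine."""
    issues = []
    for d in ("script-src", "object-src"):
        srcs = effective_sources(policy, d)
        if srcs is None:
            issues.append((d, "unrestricted: no directive and no default-src"))
            continue
        low = [s.lower() for s in srcs]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in low)
        # CSP Level 2 ignores 'unsafe-inline' once a nonce or hash source is present.
        if d == "script-src" and "'unsafe-inline'" in low and not has_nonce_or_hash:
            issues.append((d, "'unsafe-inline' allows injected inline scripts"))
        if "*" in low or "http:" in low or "https:" in low:
            issues.append((d, "scheme-only or wildcard source allows any host"))
        if any(re.fullmatch(r"\*\.[\w.-]+", s) for s in low):
            issues.append((d, "wildcard subdomain matches any subdomain"))
    return issues
```

A policy can be trialled first as a Content-Security-Policy-Report-Only header with a report-uri, which is the monitoring facility the abstract points to for catching unintended violations before enforcement.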
Semantics-Based Analysis of Content Security Policy Deployment