A Measurement Study of the Content Security Policy on Real-World Applications

Content Security Policy (CSP) is a browser security mechanism that aims to protect websites from content injection attacks. To adopt CSP, website developers need to manually compile a list of allowed content sources. Nearly all websites require modifications to comply with CSP's default behavior, which blocks inline scripts and the use of the "eval()" function. Alternatively, websites could adopt a policy that allows the use of this unsafe functionality, but this opens up potential attack vectors. In this paper, our measurements on a large corpus of web applications provide a key insight into the amount of effort web developers require to adapt to CSP. Our results also identified errors in the CSP policies that website developers set on their websites. To address these issues and make CSP adoption easier and error-free, we implemented UserCSP, a tool built as a Firefox extension. UserCSP uses dynamic analysis to automatically infer CSP policies, facilitates testing, and gives savvy users the authority to enforce client-side policies on websites.
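The abstract describes two ways a site can fail to get CSP's protection: leaving the default behavior relaxed with 'unsafe-inline' and 'unsafe-eval', or shipping a policy with errors. The following is an added example, not code from the paper or from UserCSP, that parses a Content-Security-Policy header value and reports those relaxations (plus wildcard script sources) so a policy can be checked before deployment. The sample headers are constructed, and the finding codes are this example's own naming.

```javascript
// Added example, not code from the paper or from UserCSP: parse a
// Content-Security-Policy header value and report the relaxations the
// abstract mentions ('unsafe-inline', 'unsafe-eval') plus wildcard script
// sources, so a policy can be audited before it is deployed.

// CSP is a ';'-separated list of directives; each directive is a name followed
// by whitespace-separated source expressions. Per the spec, if a directive
// name repeats, the first occurrence wins and later ones are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs scripts; if it is absent the browser falls back to
// default-src; if both are absent, script loading is unrestricted.
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Returns a list of finding codes (names chosen for this example).
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const sources = effectiveScriptSources(policy);
  if (sources === null) {
    findings.push('no-script-restriction');
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'")) {
    // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is also
    // present (it is kept only for older browsers), so it is a live
    // weakness only when no nonce/hash accompanies it.
    findings.push(hasNonceOrHash ? 'unsafe-inline-legacy-only' : 'unsafe-inline');
  }
  if (lower.includes("'unsafe-eval'")) findings.push('unsafe-eval');
  // A bare '*' or a scheme-only source such as https: allows scripts from any
  // host, which defeats the purpose of an allowlist.
  if (lower.some((s) => s === '*' || /^(https?|data|blob):$/.test(s))) {
    findings.push('wildcard-script-source');
  }
  return findings;
}

// Constructed sample headers: the kind of relaxed policy the abstract warns
// about, and a stricter equivalent that uses a nonce instead.
const RELAXED_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *";
const STRICT_POLICY = "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

console.log('relaxed:', auditCsp(RELAXED_POLICY));
console.log('strict:', auditCsp(STRICT_POLICY));
```

The audit follows CSP's fallback rule (script-src, then default-src) rather than looking only at script-src, because a policy that sets just `default-src https:` is as permissive for scripts as one that lists the wildcard under script-src.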
