Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild

Content Security Policy (CSP) is an emerging W3C standard introduced to mitigate the impact of content injection vulnerabilities on websites. We perform a systematic, large-scale analysis of four key aspects that bear on the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. While browser support is largely satisfactory, with the exception of a few notable issues, our analysis unveils several shortcomings in the other three aspects. CSP still has a rather limited deployment and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP (report-only mode and violation reports), while other issues deserve additional research, being more deeply rooted in the design of CSP.
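The two aspects the abstract flags as weakest, correct configuration and maintenance via the monitoring facilities, can be made concrete with a small tool. The following is an added example written for this page, not code from the paper or its authors: a linter that parses a Content-Security-Policy header value and flags the common weaknesses (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard or bare-scheme script sources, missing `object-src` and `base-uri`), plus an aggregator for the JSON violation reports that browsers POST to a `report-uri` endpoint. The policies, nonce value and report objects are constructed for illustration; the report field names follow the CSP violation report format.

```javascript
// Added example, not code from the paper: a linter for Content-Security-Policy
// header values and a summarizer for browser violation reports (the CSP
// "monitoring facilities"). All policies and reports below are constructed.

// Parse a serialized policy into a Map of directive name -> source list.
// A directive that appears twice in one policy is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Source list that actually governs a fetch directive: the directive itself,
// otherwise the default-src fallback, otherwise null (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/;

// Return a list of human-readable findings for a policy string.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src: unrestricted (neither script-src nor default-src is set)');
  } else {
    // 'unsafe-inline' next to a nonce or hash is a deliberate fallback for CSP1
    // browsers, which CSP2+ browsers ignore; without one it re-enables injected scripts.
    if (scripts.includes("'unsafe-inline'") && !scripts.some((s) => NONCE_OR_HASH.test(s))) {
      findings.push("script-src: 'unsafe-inline' without nonce or hash allows injected inline scripts");
    }
    if (scripts.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' permits eval() and Function() on injected strings");
    }
    if (scripts.includes('*')) {
      findings.push('script-src: wildcard source allows scripts from any host');
    }
    if (scripts.includes('data:')) {
      findings.push('script-src: data: scheme allows attacker-supplied script via data URIs');
    }
    if (scripts.some((s) => /^https?:$/.test(s))) {
      findings.push('script-src: bare scheme source (http: or https:) allows any host');
    }
  }

  if (effectiveSources(policy, 'object-src') === null) {
    findings.push("object-src: unrestricted; plugin content can run script (use object-src 'none')");
  }
  if (!policy.has('base-uri')) {
    findings.push('base-uri: missing; an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Aggregate violation reports by "effective directive <- blocked URI", the view an
// operator needs to tell real injections from benign policy gaps before enforcing.
function summarizeReports(reports) {
  const counts = new Map();
  for (const report of reports) {
    const v = report['csp-report'];
    const directive = v['effective-directive'] || v['violated-directive'];
    const key = `${directive} <- ${v['blocked-uri']}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed sample policies (the nonce value is a placeholder, not a real per-response nonce).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";
const HARDENED_POLICY = "default-src 'none'; script-src 'self' 'nonce-d2h5IG5vdA'; img-src 'self'; object-src 'none'; base-uri 'none'; report-uri /csp-report";

// Constructed sample reports; the shape follows the CSP violation report JSON sent to report-uri.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'violated-directive': 'script-src', 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/about', 'violated-directive': 'script-src', 'effective-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'violated-directive': 'img-src', 'effective-directive': 'img-src', 'blocked-uri': 'https://tracker.example.net/pixel.gif' } },
];

console.log('weak policy findings:', lintCsp(WEAK_POLICY));
console.log('hardened policy findings:', lintCsp(HARDENED_POLICY));
console.log('report summary:', summarizeReports(SAMPLE_REPORTS));
```

Running the linter on the weak policy yields three findings (inline scripts, bare `https:` scheme, missing `base-uri`) and none on the hardened one. The report summary is the step that addresses the maintenance problem: a site can ship the hardened policy as `Content-Security-Policy-Report-Only`, feed the collected reports through `summarizeReports`, and only switch to an enforcing header once the remaining violations are understood rather than silently tolerated.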
