Why Is CSP Failing? Trends and Challenges in CSP Adoption

Content Security Policy (CSP) has been proposed as a principled and robust browser security mechanism against content injection attacks such as XSS. When configured correctly, CSP renders malicious code injection and data exfiltration exceedingly difficult for attackers. However, despite the promise of these security benefits and its implementation in almost all major browsers, CSP adoption is minuscule: our measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.
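The abstract's distinction between "enforcement mode" and a deployed-but-ineffective policy is the kind of thing a measurement study has to decide mechanically from response headers. The following is an added example, not code from the paper or its authors: it parses a CSP string, classifies a response as enforcing, report-only, or without CSP, and flags the source expressions that leave the policy unable to stop injected scripts (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, wildcard and bare-scheme sources, or no script restriction at all). The headers and the nonce value are constructed for the example.

```python
"""
Added example (not part of the paper): CSP header triage for XSS protection.

Classifies a response by which CSP header it carries and reports policy
features that defeat script injection protection. All header values below
are constructed sample input.
"""
from typing import Dict, List, Optional

ENFORCE_HEADER = "content-security-policy"
REPORT_ONLY_HEADER = "content-security-policy-report-only"

# Constructed sample policies: one weak, one hardened (nonce value is made up).
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                   "object-src 'none'; base-uri 'none'")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated; the first token names the directive and the
    rest are its sources. Names are case-insensitive; a repeated directive is
    ignored after its first occurrence, matching browser behaviour.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def deployment_mode(headers: Dict[str, str]) -> str:
    """Return 'enforce', 'report-only' or 'none' from the response headers."""
    names = {k.lower() for k in headers}
    if ENFORCE_HEADER in names:
        return "enforce"
    if REPORT_ONLY_HEADER in names:
        return "report-only"
    return "none"


def script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """Effective script allow-list: script-src, else default-src, else None (unrestricted)."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def xss_weaknesses(policy: str) -> List[str]:
    """List the reasons a policy cannot stop injected scripts; empty means none found."""
    sources = script_sources(parse_csp(policy))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    findings: List[str] = []
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' permits injected inline scripts")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' permits string-to-code execution")
    if "*" in lowered:
        findings.append("wildcard '*' allows scripts from any origin")
    for scheme in ("http:", "https:", "data:"):
        if scheme in lowered:
            findings.append(f"bare scheme source '{scheme}' allows scripts from any host")
    return findings


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Combine mode and weaknesses; a report-only policy blocks nothing regardless of content."""
    mode = deployment_mode(headers)
    policy = next((v for k, v in headers.items() if k.lower() in (ENFORCE_HEADER, REPORT_ONLY_HEADER)), "")
    findings = xss_weaknesses(policy) if policy else []
    protects = mode == "enforce" and not findings
    return {"mode": mode, "findings": findings, "protects_against_xss": protects}


if __name__ == "__main__":
    for label, hdrs in [("weak", {"Content-Security-Policy": WEAK_POLICY}),
                        ("hardened", {"Content-Security-Policy": HARDENED_POLICY}),
                        ("report-only", {"Content-Security-Policy-Report-Only": HARDENED_POLICY})]:
        print(label, assess(hdrs))
```

The `assess` result treats a report-only deployment as non-protective even when its policy is sound, which is the distinction the abstract's "enforcement mode" figure depends on.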
