A systematic study of content security policy in web applications

Liu, Shukai; Yan, Xiao-Bo; Wang, Qingxian; Xi, Qi

doi:10.1002/sec.1562

Cited by 3 publications

(1 citation statement)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In concurrent independent work, Liu et al [16] formalized a core of the CSP 1.0 semantics. The authors used the semantics to reason on policy permissiveness and to design algorithms for removing redundant information from content security policies.…”

Section: Csp Semanticsmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

Section: Csp Semanticsmentioning

confidence: 99%