May I? - Content Security Policy Endorsement for Browser Extensions

Hausknecht, Daniel; Magazinius, Jonas; Sabelfeld, Andrei

doi:10.1007/978-3-319-20550-2_14

Cited by 21 publications

(14 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another paper by Hausknecht et al investigates the tension between browser extensions and CSP [11]. The authors conducted a large-scale study of browser extensions from the Chrome web store and found that many extensions tamper with the CSP of a page.…”

Section: Related Workmentioning

confidence: 97%

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

Weichselbaum

Spagnuolo

Lekies

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

100

View full text Add to dashboard Cite

Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications [24]. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies.We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result covers CSP deployments on 1,680,867 hosts with 26,011 unique CSP policies -the most comprehensive study to date. We introduce the security-relevant aspects of the CSP specification and provide an in-depth analysis of its threat model, focusing on XSS protections. We identify three common classes of CSP bypasses and explain how they subvert the security of a policy.We then turn to a quantitative analysis of policies deployed on the Internet in order to understand their security benefits. We observe that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.Finally, we propose the 'strict-dynamic' keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists. We discuss our experience deploying such a nonce-based policy in a complex application and provide guidance to web authors for improving their policies.

show abstract

Section: Related Workmentioning

confidence: 97%

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

Weichselbaum

Spagnuolo

Lekies

et al. 2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

100

View full text Add to dashboard Cite

show abstract

“…Hausknecht, Magazinius and Sabelfeld [9] focused on the tension between content security policies and browser extensions. Since browser extensions can modify the DOM, they may end up making web pages request external resources which are not white-listed by the underlying content security policy.…”

Section: Other Work On Cspmentioning

confidence: 99%

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

“…Patil and Frederik found similar errors in their study [14]. Hausknecht et al [7] found that some browser extensions, modified the CSP policy headers, in order to whitelist more resources and origins. Van Acker et al [4] have shown that CSP fails at preventing data exfiltration specially when resources are prefetched, or in pres-ence of a CSP policy in the HTML meta tag, because the order in which resources are loaded in a web application is hard to predict.…”

Section: Related Workmentioning

confidence: 73%

“…Iframe sandboxing: Combining attribute allow-scripts and allow-same-origin as values for sandbox successfully 7 . We recommend the use of sandbox as a CSP directive, instead of an HTML iframe attribute.…”

Section: Avoiding Csp Violationsmentioning

confidence: 99%

On the Content Security Policy Violations due to the Same-Origin Policy

Somé

Bielova

Rezk

2017

Proceedings of the 26th International Conference on World Wide Web

View full text Add to dashboard Cite

Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.Comment: 8 pages + references for the short version, extended to 19 pages for detailed appendice

show abstract

May I? - Content Security Policy Endorsement for Browser Extensions

Cited by 21 publications

References 12 publications

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

Semantics-Based Analysis of Content Security Policy Deployment

On the Content Security Policy Violations due to the Same-Origin Policy

Contact Info

Product

Resources

About