Why Is CSP Failing? Trends and Challenges in CSP Adoption

Weissbacher, Michael; Lauinger, Tobias; Robertson, William

doi:10.1007/978-3-319-11379-1_11

Cited by 56 publications

(80 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are many important differences between the present paper and this previous work [23,35]. First, the focus of the works is quite different, since we are only interested in assessing the trends and the effectiveness of the current CSP adoption, while [23,35] put great emphasis on semi-automated policy generation.…”

Section: Csp Deploymentmentioning

confidence: 95%

“…It is interesting to observe that an earlier study [35] conducted in March 2014 identified only 850 websites using CSP in the Alexa Top 1M, hence the CSP adoption has significantly expanded in the last two years, approximately of a ten factor. An inspection of our dataset shows that a number of popular hosting services have deployed CSP nowadays, including Blogger, Tumblr and Shopify among others.…”

Section: Current Adoption Of Cspmentioning

confidence: 99%

“…However, previous studies assessed that moving inline scripts to external resources is not a trivial task [34] and showed that the large majority of the websites deploying CSP just resorts to activating 'unsafe-inline' [35]. Nonces and hashes have been introduced in CSP Level 2 to give web developers the possibility of white-listing individual inline scripts and stylesheets.…”

Section: Unsafe Inline and Unsafe Evalmentioning

confidence: 99%

“…After assessing a limited adoption of the standard, the authors proposed a tool, UserCSP, to automatically synthesise content security policies for existing websites. This is not the only available study, because Weissbacher, Lauinger and Robertson [35] proposed a more recent and in-depth analysis of the CSP deployment on the Alexa Top 1M in March 2014. The authors then discussed challenges in the CSP adoption and techniques for semi-automated policy generation.…”

Section: Csp Deploymentmentioning

confidence: 99%

See 3 more Smart Citations

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this paper we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of few notable issues, but unfortunately there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

show abstract

Section: Csp Deploymentmentioning

confidence: 95%

Section: Current Adoption Of Cspmentioning

confidence: 99%

Section: Unsafe Inline and Unsafe Evalmentioning

confidence: 99%

Section: Csp Deploymentmentioning

confidence: 99%

See 2 more Smart Citations

Semantics-Based Analysis of Content Security Policy Deployment

2018

View full text Add to dashboard Cite

show abstract

“…This makes the endorsement mechanism compatible with both CSP 1.0 and CSP 2.0. Weissbacher et al [39] measure a low deployment rate of CSP and conduct studies to analyze the practical challenges for deploying CSP policies. They point out that it is di cult to define a policy for a web page that utilizes the full potential of CSP.…”

Section: Resultsmentioning

confidence: 99%

May I? - Content Security Policy Endorsement for Browser Extensions

Hausknecht

Magazinius

Sabelfeld

2015

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. Cross-site scripting (XSS) vulnerabilities are among the most prevailing problems on the web. Among the practically deployed countermeasures is a"defense-in-depth" Content Security Policy (CSP) to mitigate the e↵ects of XSS attacks. However, the adoption of CSP has been frustratingly slow. This paper focuses on a particular roadblock for wider adoption of CSP: its interplay with browser extensions. We report on a large-scale empirical study of all free extensions from Google's Chrome web store that uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling. We discover extensions with over a million users in each vulnerable category. With the goal to facilitate a wider adoption of CSP, we propose an extension-aware CSP endorsement mechanism between the server and client. A case study with the Rapportive extensions for Firefox and Chrome demonstrates the practicality of the approach.

show abstract

A systematic study of content security policy in web applications

Liu¹,

Yan²,

Wang³

et al. 2016

Security Comm. Networks

View full text Add to dashboard Cite

Content Security Policy (CSP) is a popular and effective security mechanism against content injection vulnerabilities such as cross‐site scripting for web applications. Unfortunately, there are many problems in analysis, design, and evaluation of CSP, which are hindering the wide adoption of CSP by real‐world web applications. In this paper, we give a systematic study and propose workable solutions for these problems. We systemically analyze the methodology of CSP, namely how it works and prevents attacks. We present the security weaknesses in the methodology, namely which attacks it cannot prevent. We give the formalized definitions and proofs of the properties for theoretically accurate design and evaluation of CSP in web applications. We give a practical policy tool named ACSP to help developers or analysts to automatically design CSP with the best security and availability or exactly evaluate the security and availability of the used CSP in one or a number of web pages. We perform a large scale evaluation of the CSP policies in real‐world applications. The most serious problem that we find out is that their policies only leverage a small part of security ability of CSP. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Why Is CSP Failing? Trends and Challenges in CSP Adoption

Cited by 56 publications

References 9 publications

Semantics-Based Analysis of Content Security Policy Deployment

Semantics-Based Analysis of Content Security Policy Deployment

May I? - Content Security Policy Endorsement for Browser Extensions

A systematic study of content security policy in web applications

Contact Info

Product

Resources

About