Why Is CSP Failing? Trends and Challenges in CSP Adoption

  • Michael Weissbacher
  • Tobias Lauinger
  • William Robertson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Content Security Policy (CSP) has been proposed as a principled and robust browser security mechanism against content injection attacks such as XSS. When configured correctly, CSP renders malicious code injection and data exfiltration exceedingly difficult for attackers. However, despite the promise of these security benefits and being implemented in almost all major browsers, CSP adoption is minuscule—our measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.

In this paper, we present the results of a long-term study to determine challenges in CSP deployments that can prevent wide adoption. We performed weekly crawls of the Alexa Top 1M to measure adoption of web security headers, and find that CSP both significantly lags other security headers, and that the policies in use are often ineffective at actually preventing content injection. In addition, we evaluate the feasibility of deploying CSP from the perspective of a security-conscious website operator. We used an incremental deployment approach through CSP’s report-only mode on four websites, collecting over 10M reports. Furthermore, we used semi-automated policy generation through web application crawling on a set of popular websites. We found both that automated methods do not suffice and that significant barriers exist to producing accurate results.

Finally, based on our observations, we suggest several improvements to CSP that could help to ease its adoption by the web community.

Keywords

Content Security Policy Cross-Site Scripting Web Security 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
  2. 2.
    The Platform for Privacy Preferences 1.0 (P3P1.0) Specification (2002), http://www.w3.org/TR/P3P/
  3. 3.
  4. 4.
  5. 5.
    RFC 6797 - HTTP Strict Transport Security, HSTS (2012), http://tools.ietf.org/html/rfc6797
  6. 6.
  7. 7.
    Cross-Origin Resource Sharing, W3C Candidate Recommendation (January 29, 2013), http://www.w3.org/TR/cors/
  8. 8.
    Postcards from the post-XSS world (2013), http://lcamtuf.coredump.cx/postxss/
  9. 9.
    RFC 7034 - HTTP Header Field X-Frame-Options (2013), http://tools.ietf.org/html/rfc7034
  10. 10.
    Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation. In: ACM Conference on Computer and Communications Security, CCS (2013)Google Scholar
  11. 11.
    Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In: International Conference on World Wide Web, WWW (2007)Google Scholar
  12. 12.
    Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In: IEEE Symposium on Security and Privacy, Oakland (2010)Google Scholar
  13. 13.
    Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. In: ACM Conference on Computer and Communications Security, CCS (2012)Google Scholar
  14. 14.
    Oda, T., Somayaji, A.: Enhancing Web Page Security with Security Style Sheets. Carleton University (2011)Google Scholar
  15. 15.
    Oda, T., Wurster, G., van Oorschot, P.C., Somayaji, A.: SOMA: Mutual Approval for Included Content in Web Pages. In: ACM Conference on Computer and Communications Security, CCS (2008)Google Scholar
  16. 16.
    Olejnik, L., Tran, M.D., Castelluccia, C.: Selling Off Privacy at Auction. In: ISOC Network and Distributed System Security Symposium (NDSS) (2014)Google Scholar
  17. 17.
    Samuel, M., Saxena, P., Song, D.: Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers. In: ACM Conference on Computer and Communications Security, CCS (2011)Google Scholar
  18. 18.
    Son, S., Shmatikov, V.: The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In: ISOC Network and Distributed System Security Symposium, NDSS (2013)Google Scholar
  19. 19.
    Stamm, S., Sterne, B., Markham, G.: Reining in the Web with Content Security Policy. In: International Conference on World Wide Web, WWW (2010)Google Scholar
  20. 20.
    Ter Louw, M., Venkatakrishnan, V.: BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In: IEEE Symposium on Security and Privacy, Oakland (2009)Google Scholar
  21. 21.
    Weinberger, J., Barth, A., Song, D.: Towards Client-side HTML Security Policies. In: Workshop on Hot Topics on Security, HotSec (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Michael Weissbacher
    • 1
  • Tobias Lauinger
    • 1
  • William Robertson
    • 1
  1. 1.Northeastern UniversityBostonUSA

Personalised recommendations