Abstract
Content Security Policy (CSP) has been proposed as a principled and robust browser security mechanism against content injection attacks such as XSS. When configured correctly, CSP renders malicious code injection and data exfiltration exceedingly difficult for attackers. However, despite the promise of these security benefits and being implemented in almost all major browsers, CSP adoption is minuscule—our measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.
In this paper, we present the results of a long-term study to determine challenges in CSP deployments that can prevent wide adoption. We performed weekly crawls of the Alexa Top 1M to measure adoption of web security headers, and find that CSP both significantly lags other security headers, and that the policies in use are often ineffective at actually preventing content injection. In addition, we evaluate the feasibility of deploying CSP from the perspective of a security-conscious website operator. We used an incremental deployment approach through CSP’s report-only mode on four websites, collecting over 10M reports. Furthermore, we used semi-automated policy generation through web application crawling on a set of popular websites. We found both that automated methods do not suffice and that significant barriers exist to producing accurate results.
Finally, based on our observations, we suggest several improvements to CSP that could help to ease its adoption by the web community.
Keywords
- Content Security Policy
- Cross-Site Scripting
- Web Security
This is a preview of subscription content, access via your institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
DNS Prefetching - The Chromium Projects, http://www.chromium.org/developers/design-documents/dns-prefetching
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification (2002), http://www.w3.org/TR/P3P/
IE8 Security Part IV: The XSS Filter (2008), http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
IE8 Security Part V: Comprehensive Protection (2008), http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
RFC 6797 - HTTP Strict Transport Security, HSTS (2012), http://tools.ietf.org/html/rfc6797
Content Security Policy 1.1 (2013), https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
Cross-Origin Resource Sharing, W3C Candidate Recommendation (January 29, 2013), http://www.w3.org/TR/cors/
Postcards from the post-XSS world (2013), http://lcamtuf.coredump.cx/postxss/
RFC 7034 - HTTP Header Field X-Frame-Options (2013), http://tools.ietf.org/html/rfc7034
Doupé, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation. In: ACM Conference on Computer and Communications Security, CCS (2013)
Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In: International Conference on World Wide Web, WWW (2007)
Meyerovich, L.A., Livshits, B.: ConScript: Specifying and enforcing fine-grained security policies for Javascript in the browser. In: IEEE Symposium on Security and Privacy, Oakland (2010)
Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. In: ACM Conference on Computer and Communications Security, CCS (2012)
Oda, T., Somayaji, A.: Enhancing Web Page Security with Security Style Sheets. Carleton University (2011)
Oda, T., Wurster, G., van Oorschot, P.C., Somayaji, A.: SOMA: Mutual Approval for Included Content in Web Pages. In: ACM Conference on Computer and Communications Security, CCS (2008)
Olejnik, L., Tran, M.D., Castelluccia, C.: Selling Off Privacy at Auction. In: ISOC Network and Distributed System Security Symposium (NDSS) (2014)
Samuel, M., Saxena, P., Song, D.: Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers. In: ACM Conference on Computer and Communications Security, CCS (2011)
Son, S., Shmatikov, V.: The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In: ISOC Network and Distributed System Security Symposium, NDSS (2013)
Stamm, S., Sterne, B., Markham, G.: Reining in the Web with Content Security Policy. In: International Conference on World Wide Web, WWW (2010)
Ter Louw, M., Venkatakrishnan, V.: BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In: IEEE Symposium on Security and Privacy, Oakland (2009)
Weinberger, J., Barth, A., Song, D.: Towards Client-side HTML Security Policies. In: Workshop on Hot Topics on Security, HotSec (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Weissbacher, M., Lauinger, T., Robertson, W. (2014). Why Is CSP Failing? Trends and Challenges in CSP Adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-11379-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer ScienceComputer Science (R0)