Skip to main content
SpringerLink
Log in

May I? - Content Security Policy Endorsement for Browser Extensions

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9148))

Abstract

Cross-site scripting (XSS) vulnerabilities are among the most prevailing problems on the web. Among the practically deployed countermeasures is a“defense-in-depth” Content Security Policy (CSP) to mitigate the effects of XSS attacks. However, the adoption of CSP has been frustratingly slow. This paper focuses on a particular roadblock for wider adoption of CSP: its interplay with browser extensions.

We report on a large-scale empirical study of all free extensions from Google’s Chrome web store that uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling. We discover extensions with over a million users in each vulnerable category.

With the goal to facilitate a wider adoption of CSP, we propose an extension-aware CSP endorsement mechanism between the server and client. A case study with the Rapportive extensions for Firefox and Chrome demonstrates the practicality of the approach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    http://www.cse.chalmers.se/~danhau/csp_endorsement/.

  2. 2.

    The actual name of the event depends on the browser implementation.

References

  1. Van Acker, S., Nikiforakis, N., Desmet, L., Piessens, F., Joosen, W.: Monkey-in-the-browser: malware and vulnerabilities in augmented browsing script markets. In: ASIA CCS 2014 (2014)

    Google Scholar 

  2. Bandhakavi, S., Tiku, N., Pittman, W., King, S.T., Madhusudan, P., Winslett, M.: Vetting browser extensions for security vulnerabilities with VEX. Commun. ACM 54(9), 91–99 (2011). doi:10.1145/1995376.1995398

    Article  Google Scholar 

  3. Barth, A., Porter Felt, A., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: NDSS (2010)

    Google Scholar 

  4. Barua, A., Zulkernine, M., Weldemariam, K.: Protecting web browser extensions from javascript injection attacks. In: ICECCS (2013)

    Google Scholar 

  5. Bauer, L., Cai, S., Jia, L., Passaro, T., Tian, Y.: Analyzing the dangers posed by Chrome extensions. In: IEEE CNS (2014)

    Google Scholar 

  6. BuiltWith. Content security policy usage statistics. http://trends.builtwith.com/docinfo/Content-Security-Policy. (Accessed Februrary 2015)

  7. Chang, W., Chen, S.: Defeat information leakage from browser extensions via data obfuscation. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 33–48. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  8. Dhawan, M., Ganapathy, V.: Analyzing information flow in javascript-based browser extensions. In: ACSAC (2009)

    Google Scholar 

  9. Fazzini, M., Saxena, P., Orso, A.: AutoCSP: Automatically Retrofitting CSP to Web Applications (2015)

    Google Scholar 

  10. Google. Chrome web store. https://chrome.google.com/webstore/category/extensions. (Accessed February 2015)

  11. Google. Chromium. http://dev.chromium.org/Home. (Accessed February 2015)

  12. Google. Content security policy (csp) - google chrome. https://developer.chrome.com/extensions/contentSecurityPolicy. (Accessed February 2015)

  13. Google. Gmail. https://www.gmail.com/. (Accessed February 2015)

  14. Google. Reject the unexpected - content security policy in gmail. http://gmailblog.blogspot.se/2014/12/reject-unexpected-content-security.html. (Accessed Februrary 2015)

  15. Heule, S., Rifkin, D., Stefan, D., Russo, A.: The most dangerous code in the browser. In: HotOS (2015)

    Google Scholar 

  16. Javed, A.: CSP AiDer: An automated recommendation of content security policy for web applications. In: Poster at IEEE Symposium on Security & Privacy (2011)

    Google Scholar 

  17. Joyent. Node.js. http://www.nodejs.org/. (Accessed February 2015)

  18. Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: Eliciting Malicious Behavior in Browser Extensions. In: USENIX Sec. (2014)

    Google Scholar 

  19. Karim, R., Dhawan, M., Ganapathy, V., Shan, C.: An analysis of the mozilla jetpack extension framework. In: Noble, J. (ed.) ECOOP 2012. LNCS, vol. 7313, pp. 333–355. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  20. LinkedIn. Rapportive. http://rapportive.com/. (Accessed February 2015)

  21. Maggi, F., Frossi, A., Zanero, S., Stringhini, G., Stone-Gross, B., Kruegel, C., Vigna, G.: Two years of short urls internet measurement: security threats and countermeasures. In: WWW (2013)

    Google Scholar 

  22. mitmproxy. https://mitmproxy.org/. (Accessed February 2015)

  23. Mozilla. Firefox nightly. https://nightly.mozilla.org/. (Accessed February 2015)

  24. Nikiforakis, N., Invernizzi, L., Kapravelos, A., Van Acker, S., Joosen, W., Kruegel, C., Piessens, Vigna, G.: You are what you include: Large-scale evaluation of remote javascript inclusions. In: CCS (2012)

    Google Scholar 

  25. OWASP. Clickjacking. https://www.owasp.org/index.php/Clickjacking. (Accessed February 2015)

  26. OWASP. Content security policy. https://www.owasp.org/index.php/Content_Security_Policy. (Accessed February 2015)

  27. OWASP. Cross-site scripting (Accessed February 2015)

    Google Scholar 

  28. OWASP. Top 10 2013. https://www.owasp.org/index.php/Top_10_2013. (Accessed February 2015)

  29. Patil, K., Vyas, T., Braun, F., Goodwin, M., Liang, Z.: Poster: UserCSP - User Specified Content Security Policies. In: SOUPS (2013)

    Google Scholar 

  30. Rapportive : Reviews : Add-ons for firefox. https://addons.mozilla.org/en-US/firefox/addon/rapportive/reviews/. (Accessed February 2015)

  31. Syrian Electronic Army uses Taboola ad to hack Reuters (again). https://nakedsecurity.sophos.com/2014/06/23/syrian-electronic-army-uses-taboola-ad-to-hack-reuters-again/

  32. Shahriar, H., Weldemariam, K., Zulkernine, M., Lutellier, T.: Effective detection of vulnerable and malicious browser extensions. Comput. Secur. 47, 66–84 (2014). doi:10.1016/j.cose.2014.06.005

    Article  Google Scholar 

  33. Sterne, B.: Content security policy recommendation bookmarklet. http://brandon.sternefamily.net/2010/10/content-security-policy-recommendation-bookmarklet/. (Accessed February 2015)

  34. Taboola. Taboola | drive traffic and monetize your site. http://www.taboola.com/. (Accessed February 2015)

  35. Can I Use. Content security policy 1.0. (Accessed February 2015)

    Google Scholar 

  36. W3C. Csp 1.0. http://www.w3.org/TR/CSP/. (Accessed February 2015)

  37. W3C. Csp 2.0. http://www.w3.org/TR/CSP2/. (Accessed February 2015)

  38. W3C. World wide web consortium. http://www.w3.org/. (Accessed February 2015)

  39. Weissbacher, M., Lauinger, T., Robertson, W.: Why Is CSP failing? trends and challenges in CSP adoption. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 212–233. Springer, Heidelberg (2014)

    Google Scholar 

  40. WhiteHat. Content security policy - whitehat security blog. https://blog.whitehatsec.com/content-security-policy/. (Accessed February 2015)

Download references

Acknowledgments

Thanks are due to Federico Maggi, Adrienne Porter Felt, and the anonymous reviewers for the helpful comments and feedback. This work was funded by the European Community under the ProSecuToR and WebSand projects and the Swedish research agencies SSF and VR.

Author information

Authors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden

    Daniel Hausknecht, Jonas Magazinius & Andrei Sabelfeld

  2. CISPA, Saarland University, Saarbrucken, Germany

    Jonas Magazinius

  3. Assured Security AB, Gothenburg, Sweden

    Jonas Magazinius

Authors
  1. Daniel Hausknecht
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jonas Magazinius
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrei Sabelfeld
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Hausknecht .

Editor information

Editors and Affiliations

  1. Chalmers University of Technology, Gothenburg, Sweden

    Magnus Almgren

  2. Chalmers University of Technology, Gothenburg, Sweden

    Vincenzo Gulisano

  3. Politecnico di Milano, Milan, Italy

    Federico Maggi

A Gmail CSP policy (12. January 2015)

A Gmail CSP policy (12. January 2015)

figure c

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Hausknecht, D., Magazinius, J., Sabelfeld, A. (2015). May I? - Content Security Policy Endorsement for Browser Extensions. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science(), vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-20550-2_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20549-6

  • Online ISBN: 978-3-319-20550-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation