DOI: 10.1145/2976749.2978338
Research article (CCS '16)

Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild

Published: 24 October 2016

Abstract

Content Security Policy (CSP) is an emerging W3C standard introduced to mitigate the impact of content injection vulnerabilities on websites. We perform a systematic, large-scale analysis of four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. While browser support is largely satisfactory, with the exception of a few notable issues, our analysis unveils several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more deeply rooted in the design of CSP.
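The kinds of misconfiguration the abstract refers to, and the reporting facility it recommends, are easiest to see on a concrete policy. The JavaScript below is an added example, not code from the paper or the authors' crawler: it parses a Content-Security-Policy header the way a browser does (the first occurrence of a directive wins, unlisted fetch directives fall back to default-src), flags a handful of well-known weak settings, and reads the JSON report a browser POSTs to report-uri. Which settings count as weak is this example's own list, not the paper's classification, and the two sample policies and the sample report are constructed for the example.

```javascript
// Added example (not code from the paper): parse a Content-Security-Policy
// header, flag common weak settings, and read the JSON violation report that
// a browser POSTs to the policy's report-uri. Sample policies and the sample
// report at the bottom are constructed for this example.

// Nonce and hash source expressions; nonce values are case-sensitive, so
// they must not be normalised like keywords.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/i;

// Parse a header value into a Map: directive name -> array of source
// expressions. Directive names and quoted keywords ('self', 'unsafe-inline')
// are ASCII case-insensitive in the spec, so they are lower-cased; host
// sources and nonces are kept as written. A repeated directive is ignored,
// as browsers ignore it.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    policy.set(name, tokens.slice(1).map(t =>
      (t.startsWith("'") && !NONCE_OR_HASH.test(t)) ? t.toLowerCase() : t));
  }
  return policy;
}

// Sources the browser actually applies for a fetch directive: the directive
// itself if present, else default-src, else null (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.get("default-src") || null;
}

const ANY_HOST = s => s === "*" || /^https?:$/.test(s);    // bare scheme = every host
const NON_NETWORK = s => s === "data:" || s === "blob:";   // script from data:/blob: URIs

// Return an array of findings (empty when none of the checks fire). The checks
// are this example's own list of well-known pitfalls.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy.has("default-src")) {
    findings.push("no default-src: any fetch directive not listed is unrestricted");
  }
  for (const directive of ["script-src", "object-src"]) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) {
      findings.push(`${directive} unrestricted (neither ${directive} nor default-src set)`);
      continue;
    }
    if (sources.some(ANY_HOST)) findings.push(`${directive} allows any host`);
    if (sources.some(NON_NETWORK)) findings.push(`${directive} allows data:/blob: sources`);
  }
  const script = effectiveSources(policy, "script-src") || [];
  // A CSP Level 2 browser ignores 'unsafe-inline' once a nonce or hash source
  // is present, so it is only a weakness when no nonce/hash accompanies it.
  if (script.includes("'unsafe-inline'") && !script.some(s => NONCE_OR_HASH.test(s))) {
    findings.push("script-src 'unsafe-inline' without nonce/hash: injected inline script runs");
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push("script-src 'unsafe-eval': string-to-code injection is not blocked");
  }
  if (!policy.has("report-uri") && !policy.has("report-to")) {
    findings.push("no report-uri/report-to: violations are never observed");
  }
  return findings;
}

// Read the body POSTed to report-uri. CSP 1.0/2 wrap the fields in a top-level
// "csp-report" object. Returns the fields needed for triage, or null when the
// body is not a CSP report.
function parseViolationReport(body) {
  let json;
  try { json = JSON.parse(body); } catch (e) { return null; }
  const r = json && json["csp-report"];
  if (!r || typeof r !== "object") return null;
  const blocked = r["blocked-uri"] || "";
  return {
    document: r["document-uri"] || "",
    // effective-directive (CSP2) names the directive that fired; older reports
    // only carry violated-directive, whose first token is the name.
    directive: (r["effective-directive"] || r["violated-directive"] || "").split(/\s+/)[0],
    blocked,
    // remote is true only when blocked-uri carries a scheme and authority, i.e.
    // a real network fetch was blocked. Inline script and eval() have no URL and
    // appear as "inline", "eval" or an empty string depending on the browser.
    remote: /^[a-z][a-z0-9+.-]*:\/\//i.test(blocked),
  };
}

// Constructed samples (not from the paper's dataset).
const WEAK_POLICY =
  "default-src *; script-src * 'unsafe-inline' 'unsafe-eval' data:";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-d41d8cd9' 'unsafe-inline'; " +
  "object-src 'none'; report-uri /csp-report";
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.net/analytics.js",
    "original-policy": HARDENED_POLICY,
  },
});

console.log(auditCsp(WEAK_POLICY));
console.log(auditCsp(HARDENED_POLICY));          // []
console.log(parseViolationReport(SAMPLE_REPORT));
```

The nonce case is deliberate: a CSP Level 2 browser ignores 'unsafe-inline' when a nonce or hash source is present, so the common deployment pattern of listing both (the nonce for current browsers, 'unsafe-inline' as a fallback for CSP 1.0 ones) is not flagged, whereas 'unsafe-inline' on its own is. Pointing report-uri at an endpoint that feeds parseViolationReport, and rolling a new policy out first under Content-Security-Policy-Report-Only, is the monitoring loop the abstract argues is under-used.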


    Published In

    CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
    October 2016
    1924 pages
    ISBN:9781450341394
    DOI:10.1145/2976749

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. content security policy
    2. measurement

    Qualifiers

    • Research-article

    Conference

    CCS '16

    Acceptance Rates

    CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Cited By

    • (2024) Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials. 2024 IEEE Symposium on Security and Privacy (SP), pp. 203-221. DOI 10.1109/SP54263.2024.00177, 19 May 2024.
    • (2024) To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape. 2024 IEEE Symposium on Security and Privacy (SP), pp. 1500-1516. DOI 10.1109/SP54263.2024.00094, 19 May 2024.
    • (2023) Honey, I Cached our Security Tokens: Re-usage of Security Tokens in the Wild. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), pp. 714-726. DOI 10.1145/3607199.3607223, 16 Oct 2023.
    • (2023) Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 3198-3212. DOI 10.1145/3576915.3623140, 15 Nov 2023.
    • (2023) Pareto-optimal Defenses for the Web Infrastructure: Theory and Practice. ACM Transactions on Privacy and Security 26(2), pp. 1-36. DOI 10.1145/3567595, 13 Mar 2023.
    • (2023) Coverage and Secure Use Analysis of Content Security Policies via Clustering. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 411-428. DOI 10.1109/EuroSP57164.2023.00032, Jul 2023.
    • (2023) Understanding the Country-Level Security of Free Content Websites and their Hosting Infrastructure. 2023 IEEE 10th International Conference on Data Science and Advanced Analytics (DSAA), pp. 1-10. DOI 10.1109/DSAA60987.2023.10302611, 9 Oct 2023.
    • (2023) The Nonce-nce of Web Security: An Investigation of CSP Nonces Reuse. Computer Security. ESORICS 2023 International Workshops, pp. 459-475. DOI 10.1007/978-3-031-54129-2_27, 25 Sep 2023.
    • (2022) "I just looked for the solution!" On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices. IEEE Transactions on Software Engineering 48(9), pp. 3467-3484. DOI 10.1109/TSE.2021.3094171, 1 Sep 2022.
    • (2022) Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 236-250. DOI 10.1109/EuroSP53844.2022.00023, Jun 2022.
