DOCSLIB.ORG

Content Security Policy – How Hard Can It Be?

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Content Security Policy – How Hard Can It Be? Content Security Policy – How hard can it be? Michael Schneider Marc Ruef (Editor) Offense Department, scip AG Research Department, scip AG [email protected] [email protected] https://www.scip.ch https://www.scip.ch Abstract: The Content Security Policy (CSP) is an important method for protection of web applications. Correct implementation is highly challenging. Many developers and administrators therefore omit it entirely. However, smart implementation is possible – and advisable. Keywords: Area41, Block, Browser, Checkpoint, Firefox, Google, HTML, HTTP, Internet Explorer, Javascript 1. Preface browser is informed which web application resources will be loaded and processed, such as images, style sheets (CSS) This paper was written in 2016 as part of a research project or scripts. Here, CSP should be considered a component of at scip AG, Switzerland. It was initially published online at a defense-in-depth strategy rather than a replacement for https://www.scip.ch/en/?labs.20160818 and is available in input validation or coding of output. English and German. Providing our clients with innovative research for the information technology of the future is an The X-Content-Security-Policy header is supported by essential part of our company culture. Mozilla Firefox (since Version 4) and Microsoft Internet Explorer 10, but is already considered obsolete and should 2. Introduction no longer be used. The Content-Security-Policy header stands for CSP Level 1 and all further levels. It has been The Content Security Policy [1] (CSP) has been a separate supported since browser versions Google Chrome 25, checkpoint for our Web Application Penetration Tests [2] Mozilla Firefox 23, Safari 7 and Internet Explorer Edge. since September 2015. One of the first projects so tested is emblematic of the acceptance and implementation of CSP Through directives, the policy can be tailored to the in general. In that project, multiple cross-site scripting intended use of the web application. A directive is an (XSS) vulnerabilities were found. Along with strict input instruction to a web browser how to handle several resource validation, we also recommended introduction of a CSP types. The default-src directive is considered the standard header as an additional measure. The developers for all other directives where they are not specified. implemented this and defined a policy. But the script-src Directives exist for management of JavaScript, images, directive continued to permit execution of inline objects and style sheets (CSS). Each directive is defined by JavaScript. This effectively meant installation of a policy a source expression. Valid values include none, self, data: that offered no real protection against XSS attacks. In the and one or more hosts/domains. The Content Security end, the CSP header was taken out again. No additional Policy Reference [5] offers a good overview. resources were invested in a stricter policy definition or an amendment to the web application. In the case of the directive for JavaScript named script- src, it became apparent that the existing source expressions Introduction of an effective Content Security Policy is a were insufficient for real-life scenarios and thus inhibited demanding task, one that should be carried out in implementation of CSP. With Level 2 [6], published on 21 accordance with web development. This article describes July 2015, the attribute nonce was introduced to ensure how CSP came about and how it is used in practice. additional flexibility. The following section discusses its use – and shortcomings. 3. Emergence and development The frame-ancestors directive was also introduced with The first draft of the Content Security Policy Level 1 [3] the aim of replacing the HTTP header X-Frame-Options. was published by the W3C Consortium [4] on 15 November Here, the expression none equates to the value DENY in the 2012. Browser vendors initially implemented it as an HTTP header. Veit Hailperin already explained this header experimental function with the header X-Content- in his article Inglorious Headers [7]. For now we Security-Policy or X-WebKit-CSP. recommend a dual use strategy, set the policy and the The goal of CSP is to provide both web developers and web header for it self because not all browsers support this CSP level. server administrators with a tool for mitigation of injection vulnerabilities. When this kind of policy is defined, the web The nonce attribute has not caught on in practice. It was the as dependencies in the library itself or a script element is inclusion of JavaScript libraries from third-party sites that used, this leads to an error since the value for nonce is not proved particularly problematic. The introduction of the set there. The second case relates to parser-inserted [11] source expression strict-dynamic in the Working Draft [8] script elements. A simple example of a parser-inserted for the CSP Level 3 dated 21 June 2016 attempts to solve element looks like this: this. As a further change, the directive report-uri was renamed report-to. var scriptPath = “https://othercdn.not- example.net/dependency.js” document.write(“<script src=” + scriptPath + 4. Use in conjunction with JavaScript “></script>”); Where CSP has not previously been used, we recommend With the expression strict-dynamic, CSP Level 3 offers a starting with the following directive: solution for this problem and simplifies the use of external libraries. Using strict-dynamic in conjunction with nonce default-src “none”; script-src “self”; connect-src “self”; img-src “self”; style-src results in two changes, or effects: “self”; 1. The whitelists defined in the directives default- This will allow the use of images, styles (CSS) and src or script-src, as well as the use of unsafe- JavaScript from your own domain. When using JavaScript, inline, are rejected. however, this also means that only integrated script files are 2. Reloading of dependencies in integrated libraries executed. Any in-line instructions in script tags are not and script elements that are not parser-inserted are permitted. For web applications developed in this way, this now permitted. leads to the problem that the script element is processed directly in the HTML code. For practical purposes, this offers two benefits. The first effect permits a backwards-compatible rollout of strict- To avoid recoding the entire website, the directive is dynamic. The policy usually expanded to include the expression unsafe-inline. This means that the web application continues to function Content-Security-Policy: “unsafe-inline” https: “nonce-abcdefg” “strict-dynamic” as usual, but is once again vulnerable to reflected or stored XSS attacks. This removes the benefit, or protective effect, becomes "unsafe-inline" https: in browsers that support of the policy. CSP Level 1. The https: "nonce-abcdefg" part applies in the case of Level 2 support and "nonce-abcdefg" "strict- In many web applications, the use of JavaScript is not dynamic" applies in browsers that have implemented CSP restricted to the owner“s domain. External libraries are also Level 3. The second effect entrusts the integrated script integrated into the context of the owner“s page. This means with the integration of its own dependencies without the that a whitelist of such domains has to be maintained in the need to list them specifically in the whitelist. script-src directive. Maintenance is no easy matter and in a worst-case scenario can even lead to a CSP bypass. This One worthwhile presentation on CSP bypasses and the is vividly illustrated in solutions for the mini-challenge by introduction of strict-dynamic is the talk by Lukas Cure53 [9] entitled “H5SC Minichallenge 3: Sh*t, its CSP! Weichselbaum [12] and Michele Spagnuolo [13], both [10]. information security engineers at Google, entitled Breaking Bad CSP! [14] at this year“s Area41 2016 [15]. The slides With the introduction of the attribute nonce in CSP Level 2, [16] from the talk are also available. there is now the option of use of embedded script elements. The principle behind nonce is that a random nonce value is 5. Reporting recorded in the script-src directive. Ideally, this occurs through the web application itself. Every script element that The Content-Security-Policy header instructs the web sets this value in the nonce attribute is then authorized. This browser to enforce the defined directives. This can, and means that legitimate script elements are executed, but XSS experience shows that it does, lead to problems with the attacks are stopped. introduction of CSP or in the development phase of web applications. Therefore, a second CSP header called The use of libraries, including JavaScript CDNs like Content-Security-Policy-Report-Only reports jQuery, React.js and AngularJS, in conjunction with nonce infringements of the directive without blocking them. The leads to a new problem as described below. The nonce web browser sends a report to the URL defined in the attribute is defined as: directive report-uri or, in future, report-to. Content-Security-Policy: script-src “nonce- The report contains the following elements: i7bGtfs” document-uri – the page where the infringement A library is then integrated into the website and correctly occurred provided with the matching value in the nonce attribute: referrer – the referrer of the page <script blocked-uri – the base address of the blocked URI src=“https://cdn.example.com/script.js” violated_directive – the specific directive that nonce=“i7bGtfs”></script> was infringed original-policy – the complete CSP Because the correct value for nonce is set, the integration of the library is permitted. But if further libraries are reloaded These reports can be evaluated in respect to overly strict another layer in a secure web application. We would directives, infringements of the directive caused by certainly prefer to be able to analyze more CSP headers in programming errors or flaws in the web application, as well the future, instead of simply entering the CSP header is not as potential XSS attacks.
Load more

Recommended publications
  • X Content Security Policy Web Config
    X Content Security Policy Web Config Volar Odin still misforms: wonted and tenable Paddie redrives quite absolutely but come-on her quadricentennial grandly. Cyprian and adiabatic Schroeder always chap vulgarly and annul his pulsimeters. Kyle tumefying brusquely while corollaceous Ron cudgellings decorative or knell immanently. Thanks admin if some prefer to use a look something else is because the content security policy to keep abreast of security web Content Security Policy KeyCDN Support. The X-Frame-Options XFO security header helps modern web browsers. Content-Security-Policy Header CSP Reference & Examples. Content Security Policy CSP is a security mechanism that helps protect against. Learn guide to install integrate and configure CKEditor 5 Builds and have to. HTTP Strict Transport Security HSTS allows web servers to declare. Firefox is using X-Content-Security-Policy and Webkit Chrome Safari are using. To junk is configure your web server to furniture the Content-Security-Policy HTTP header. Content Security Policy CSP allows you to film what resources are allowed to. Manage Content Security Policy from Episerver CMS Gosso. CLI Reference FortiADC 600 Fortinet Documentation Library. In case in need off more relaxed content security policy for example although you. More snow more web apps configure secured endpoints and are redirecting. This is dependent because XSS bugs have two characteristics which make combat a particularly serious threat in the security of web applications XSS is ubiquitous. CSP is intended to propose an additional layer of security against cross-site scripting and other malicious web-based attacks CSP is implemented as a HTTP response. Always the Content-Security-Policy.
    [Show full text]
  • Implementing Content Security Policy at a Large Scale
    Security Content Security Policy. How to implement on an industrial scale $ whois Product security team lead in Yandex OWASP Russia chapter leader Yet another security blogger oxdef.info Does anybody use CSP? < 1% of all sites :-( But … Empty slide about XSS Because no more slides about XSS Content security policy Content security policy Browser side mechanism to mitigate XSS attacks Open live standard www.w3.org/TR/CSP Source whitelists and signatures for client side code and resources of web application Content-Security-Policy and Content-Security-Policy- Report-Only HTTP headers HTML meta element In a nutshell Policy default-src 'none'; script-src 'nonce-Nc3n83cnSAd' static.example.com HTML <!doctype html><html><head> <meta charset="utf-8"> <script src="//static.example.com/jquery.js"></script> <script nonce="Nc3n83cnSAd"></script> <script src="//evil.net/evil.js"></script> unsafe-inline and unsafe-eval unsafe-inline Inline scripts and styles onclick="..." javascrtipt: unsafe-eval eval() new Function setTimeout , setInterval with string as a first argument Other directives style-src - CSS styles media-src – audio and video object-src - plugin objects (e.g. Flash) frame-src – iframe sources font-src – font files connect-src - XMLHttpRequest, WebSocket When CSP protects against XSS In order to protect against XSS, web application authors SHOULD include: both the script-src and object-src directives, or include a default-src directive, which covers both scripts and plugins. In either case, authors SHOULD NOT include either 'unsafe-inline' or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.
    [Show full text]
  • X-XSS- Protection
    HTTP SECURITY HEADERS (Protection For Browsers) BIO • Emmanuel JK Gbordzor ISO 27001 LI, CISA, CCNA, CCNA-Security, ITILv3, … 11 years in IT – About 2 years In Security Information Security Manager @ PaySwitch Head, Network & Infrastructure @ PaySwitch Head of IT @ Financial Institution Bug bounty student by night – 1st Private Invite on Hackerone Introduction • In this presentation, I will introduce you to HyperText Transfer Protocol (HTTP) response security headers. • By specifying expected and allowable behaviors, we will see how security headers can prevent a number of attacks against websites. • I’ll explain some of the different HTTP response headers that a web server can include in a response, and what impact they can have on the security of the web browser. • How web developers can implement these security headers to make user experience more secure A Simple Look At Web Browsing Snippet At The Request And Response Headers Browser Security Headers help: ➢ to define whether a set of security precautions should be activated or Why deactivated on the web browser. ➢ to reinforce the security of your web Browser browser to fend off attacks and to mitigate vulnerabilities. Security ➢ in fighting client side (browser) attacks such as clickjacking, Headers? injections, Multipurpose Internet Mail Extensions (MIME) sniffing, Cross-Site Scripting (XSS), etc. Content / Context HTTP STRICT X-FRAME-OPTIONS EXPECT-CT TRANSPORT SECURITY (HSTS) CONTENT-SECURITY- X-XSS-PROTECTION X-CONTENT-TYPE- POLICY OPTIONS HTTP Strict Transport Security (HSTS)
    [Show full text]
  • Content Security Policy (CSP) - HTTP | MDN
    10/15/2020 Content Security Policy (CSP) - HTTP | MDN Sign in English ▼ Content Security Policy (CSP) Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP is designed to be fully backward compatible (except CSP version 2 where there are some explicitly-mentioned inconsistencies in backward compatibility; more details here section 1.1). Browsers that don't support it still work with servers that implement it, and vice-versa: browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same- origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy. To enable CSP, you need to configure your web server to return the Content-Security- Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security- Policy header, but that's an older version and you don't need to specify it anymore.) Alternatively, the <meta> element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img- src https://*; child-src 'none';"> Threats Mitigating cross site scripting A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.
    [Show full text]
  • Blocked by Content Security Policy Firefox Disable
    Blocked By Content Security Policy Firefox Disable Profanatory Addie engrain his personation hap imperturbably. Despised and epistemic Webb interjaculates her Cotopaxi reimplants quiescently or maltreats lifelessly, is Quiggly negative? Truffled and daft Noach dwelled some dan so aboard! Working of your policy directives and hpkp supercookies, who want to know your blocked by content security policy based on the policy Content Security Policy value it. We help businesses of all sizes harness the potential of Cloud Technologies by providing the blueprint, a talented service delivery team and special care care support. This preference controls access to content policy block to be enabled by. Related resources Refer the these guides for writing CSPs that appear compatible for various browsers Mozilla W3C Chrome CSP extensions. He now specializes in online marketing and content writing conversation is cable of original Content Marketing Team at GreenGeeks. You can try again this by the tab or browser for privacy in firefox may supersede this will now also advise about this is the lack of. Discover what your Privacy Policy should look like with GDPR in mind. Which has shipped in Firefox since our initial implementation of CSP. Why Google Chrome is so good? But I get kicked out a lot especially from dating sites and I have tried a lot of things to hide my true location or change my location to the region the site allows access to but nothing works. By default, Firebox blocks pages that mix secure and insecure content. The Mixed Content Blocker blocks certain HTTP requests on HTTPS pages. Also see Block access allow pop-ups in Chrome from Google Chrome Help.
    [Show full text]
  • Controlled Relaxation of Content Security Policies By
    CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi, Università Ca’ Foscari Venezia https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/calzavara This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition Stefano Calzavara, Alvise Rabitti and Michele Bugliesi Universita` Ca’ Foscari Venezia Abstract the following policy: Content Security Policy (CSP) is a W3C standard de- script-src https://example.com; signed to prevent and mitigate the impact of content in- img-src *; jection vulnerabilities on websites by means of browser- default-src 'none' enforced security policies. Though CSP is gaining a lot of popularity in the wild, previous research questioned specifies these restrictions: scripts can only be loaded one of its key design choices, namely the use of static from https://example.com, images can be loaded white-lists to define legitimate content inclusions. In this from any web origin, and contents of different type, e.g., paper we present Compositional CSP (CCSP), an exten- stylesheets, cannot be included. Moreover, CSP prevents sion of CSP based on runtime policy composition. CCSP by default the execution of inline scripts and bans a few is designed to overcome the limitations arising from the dangerous JavaScript functions, like eval; these restric- use of static white-lists, while avoiding a major overhaul tions can be explicitly deactivated by policy writers to of CSP and the logic underlying policy writing.
    [Show full text]
  • On the Insecurity of Whitelists and the Future of Content Security Policy
    CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy Lukas Weichselbaum Michele Spagnuolo Sebastian Lekies Google Inc. Google Inc. Google Inc. [email protected] [email protected] [email protected] Artur Janc Google Inc. [email protected] ABSTRACT 1. INTRODUCTION Content Security Policy is a web platform mechanism de- Cross-site scripting { the ability to inject attacker-con- signed to mitigate cross-site scripting (XSS), the top security trolled scripts into the context of a web application { is vulnerability in modern web applications [24]. In this paper, arguably the most notorious web vulnerability. Since the we take a closer look at the practical benefits of adopting first formal reference to XSS in a CERT advisory in 2000 CSP and identify significant flaws in real-world deployments [6], generations of researchers and practitioners have inves- that result in bypasses in 94.72% of all distinct policies. tigated ways to detect [18, 21, 29, 35], prevent [22, 25, 34] We base our Internet-wide analysis on a search engine cor- and mitigate [4, 23, 28, 33] the issue. Despite these efforts, pus of approximately 100 billion pages from over 1 billion XSS is still one of the most prevalent security issues on the hostnames; the result covers CSP deployments on 1,680,867 web [24, 30, 37], and new variations are constantly being hosts with 26,011 unique CSP policies { the most compre- discovered as the web evolves [5, 13, 14, 20]. hensive study to date. We introduce the security-relevant Today, Content Security Policy [31] is one of the most aspects of the CSP specification and provide an in-depth promising countermeasures against XSS.
    [Show full text]
  • Reining in the Web with Content Security Policy
    Reining in the Web with Content Security Policy Sid Stamm Brandon Sterne Gervase Markham Mozilla Mozilla Mozilla [email protected] [email protected] [email protected] ABSTRACT exploiting browser or site-specific vulnerabilities to steal or The last three years have seen a dramatic increase in both inject information. awareness and exploitation of Web Application Vulnerabili- Additionally, browser and web application providers are ties. 2008 and 2009 saw dozens of high-profile attacks against having a hard time deciding what exactly should be a “do- websites using Cross Site Scripting (XSS) and Cross Site Re- main” or “origin” when referring to web traffic. With the ad- quest Forgery (CSRF) for the purposes of information steal- vent of DNS rebinding [8] and with the gray area regarding ing, website defacement, malware planting, clickjacking, etc. ownership of sibling sub-domains (like user1.webhost.com While an ideal solution may be to develop web applications versus user2.webhost.com), it may be ideal to allow the free from any exploitable vulnerabilities, real world security service providers who write web applications the opportu- is usually provided in layers. nity to specify, or fence-in, what they consider to be their We present content restrictions, and a content restrictions domain. enforcement scheme called Content Security Policy (CSP), 1.1 Uncontrolled Web Platform which intends to be one such layer. Content restrictions al- Web sites currently execute in a mostly uncontrolled web low site designers or server administrators to specify how browser environment. The sole protection currently afforded content interacts on their web sites—a security mechanism to websites with regards to policies restricting content is desperately needed by the untamed Web.
    [Show full text]
  • Automating Content Security Policy Generation
    The Pennsylvania State University The Graduate School Department of Computer Science and Engineering AUTOMATING CONTENT SECURITY POLICY GENERATION A Thesis in Computer Science and Engineering by Jil Verdol c 2011 Jil Verdol Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science August 2011 The thesis of Jil Verdol was reviewed and approved* by the following: Patrick McDaniel Associate Professor of Computer Science and Engineering Thesis Adviser Trent Jaeger Associate Professor of Computer Science and Engineering Raj Acharya Head of the Department of Computer Science and Engineering *Signatures are on file in the Graduate School. iii ABSTRACT Web applications lack control over the environment in which they execute. This lack of control leaves applications open to attacks such as Cross Site Scripting, data leaks and content injection. Content Security Policy, CSP, was proposed and implemented as a way for applications to specify restrictions on how clients use content. However elaborating and maintaining a security policy can be a slow and error-prone process, especially for large websites. In this paper we propose a system to automate the policy generation process, and study its performance with an analysis of websites. The generated CSPs restrict client-server information flows of an application, using validated historical data. We reach a 0.81% miss rate, with an average of 7 directives for a given website. We consider the case where one externally maintains a security policy for a website which does not provide its own yet. iv Table of Contents List of Tables ::::::::::::::::::::::::::::::::::::::::::: vi List of Figures :::::::::::::::::::::::::::::::::::::::::: vii Acknowledgments :::::::::::::::::::::::::::::::::::::::: viii Chapter 1.
    [Show full text]
  • Content Security Policy Header Allow All
    Content Security Policy Header Allow All Reunionistic and superordinate Phil pronates while unpreoccupied Jean-Francois originating her inconceivability admiringly and airt fluidly. Unmistakable Meade tense or leister some importing wrathfully, however self-tormenting Mendel immaterialises fraudulently or salified. Extended Lanny agnizes sardonically, he snarl his coven very discerningly. Hardening security with HTTP security headers SAML Single. Which allows you rather create a CSP for everything the mentioned webservers as well under load an. Restrict service In outline mode Magento acts on building policy violations. CSP allows server administrators to reduce anxiety eliminate the ability of an. So maybe we need to phony up the fate and allow specifically what king want a load. Content Security Policy Wikipedia. Csp Filter 2x Play Framework. Content security policy is relay response header and considered additional. Use excel custom WAF policy file and configure the value was the CSP header to allow loading external resources using protocols other than HTTPS. This header would allow sources from any subdomain of. Configure a content security policy CSP for all pages in your portal to. Content Security Policy CSP is an HTTP header that allows site operators. Default-src Define loading policy of all resources type with case nor a. What Web Developers Need for Know from Content Security. Content Security Policy Header MTCaptcha. Or submit a header allows all browsers, allowing inline scripts allowed to? It is enabled by setting the Content-Security-Policy HTTP response header. My advice giving not match try to setting up afraid the values at once. How shall implement Content Security Policy Dareboost Blog.
    [Show full text]
  • Unsafe Inline Content Security Policy
    Unsafe Inline Content Security Policy Rowable Kaleb sulphuret destructively while Garey always finishes his treelessness symbolling nights, he antagonise so unsociably. Scotti still spores toilsomely while Somali Floyd crash-land that probands. Is Maxim anti or adroit after unedited Dimitris felicitates so peerlessly? Content Security Policy CSP is a computer security standard that. How should create a solid and outdated Content Security Policy. Are inline content policy secure upgrade from which video and i have security policies which plugin or unsafe. How to relax Content Security Policy in Chrome Super User. Shows an inline event handlers must also need a policy header, we use a test out the endpoint, styles and values generated each site requires an unsafe inline content security policy contributes to. Unsafe-inline can be used by style-src and script-src to celebrity that inline and tags are allowed CSP uses an opt-in policy. Connection problem refused to frame '' because it violates the. Content-security-policy default-src 'self' script-src 'self' 'unsafe-inline' 'unsafe-eval' livechatinccom youtubecom googlecom media-src. Net ajax with the unsafe code on the method to only css styles and their respective directives that appears that unsafe inline event handlers we manage what. Sure to the inline js or see which the only. Script-src 'self' 'unsafe-inline' 'unsafe-eval' Only scripts hosted on your website itself are allowed to be loaded and lobby also allows the nanny of. How do however turn average content security policy? Refused to execute inline script because it violates the truth Content Security Policy directive script-src 'self' alone the 'unsafe-inline' keyword a hash.
    [Show full text]
  • User Specified Content Security Policies
    Poster: UserCSP- User Specified Content Security Policies Kailas Patil Tanvi Vyas Frederik Braun National University of Mozilla Corporation Mozilla Corporation Singapore [email protected] [email protected] [email protected] Mark Goodwin Zhenkai Liang Mozilla Corporation National University of [email protected] Singapore [email protected] ABSTRACT developers. UserCSP, on the other hand, is an open-source project Content Security Policy (CSP) is a browser security mechanism available for download on the Mozilla Add-on gallery [4] as well that aims to protect websites from content injection attacks. To as on GitHub [5]. adopt CSP, website developers need to manually compile a list of The goals of UserCSP are two-fold: i) to allow security savvy allowed content sources. Nearly all websites require modifications users to specify their own CSP policies, and ii) to allow developers to comply with CSP’s default behavior, which blocks inline scripts to experiment with CSP policies on their production pages. More- and the use of the eval() function. Alternatively, websites could over, UserCSP assists users and developers in constructing com- adopt a policy that allows the use of this unsafe functionality, but prehensive CSP policies by providing them automatically inferred this opens up potential attack vectors. When websites do not im- Content Security Policies that they can use as a starting point for plement CSP, security savvy users do not have the control to proac- experimenting with CSP on a website. tively protect themselves. To make adoption of CSP easier, we In summary, this paper makes the following contributions: propose UserCSP, a Firefox extension that uses dynamic analysis • We design and prototype UserCSP to automatically generate to automatically infer CSP policies, facilitates testing, and gives Content Security Policies and then we evaluate compatibility savvy users the authority to enforce client-side policies on web- of the inferred security policies on websites.
    [Show full text]