CISPA

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.

conference contribution
posted on 2023-11-29, 18:12 authored by Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, Ben Stock
The Content Security Policy (CSP) mechanism was developed as a mitigation against script injection attacks in 2010. In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. In doing so, we document the long-term struggle site operators face when trying to roll out CSP for content restriction and highlight that even seemingly secure whitelists can be bypassed through expired or typo domains. Beyond these new insights, we also shed light on the usage of CSP for other use cases, in particular TLS enforcement and framing control. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack widespread adoption. Specifically, while the underspecified and thus inconsistently implemented X-Frame-Options header is increasingly used on the Web, CSP's well-specified and secure alternative cannot keep up. To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. Hence, we find that the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors.
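The abstract distinguishes three things a deployed CSP can do: restrict content (a script whitelist), enforce TLS (upgrade-insecure-requests / block-all-mixed-content) and control framing (frame-ancestors, the well-specified replacement for X-Frame-Options). The following is an added example, not code from the paper or its authors: a small header classifier that parses a CSP header, reports which of the three use cases it actually covers, and flags the conditions the paper warns about, in particular a host-based script whitelist (an expired or typo domain in that list can be registered by an attacker, a check that needs live DNS/WHOIS data and is therefore only raised as a warning here). The sample headers and host names are constructed for illustration.

```python
"""Classify what a deployed Content-Security-Policy header achieves along the
three use cases discussed in the paper: content restriction, TLS enforcement
and framing control. Added example, not code from the paper."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TLS_DIRECTIVES = {"upgrade-insecure-requests", "block-all-mixed-content"}
# Source expressions that make a script whitelist useless against injection.
OPEN_SCRIPT_SOURCES = {"*", "http:", "https:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


@dataclass
class Assessment:
    content_restriction: bool   # script-src (or default-src fallback) present
    tls_enforcement: bool       # upgrade-insecure-requests / block-all-mixed-content
    framing_control: bool       # frame-ancestors present
    host_whitelist: list[str]   # host sources the script whitelist trusts
    warnings: list[str]


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directive names are case-insensitive; values keep their case because
    nonces and hashes are case-sensitive. Repeated directives after the
    first occurrence are ignored, as the spec requires."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def assess(csp_header: str, xfo_header: Optional[str] = None) -> Assessment:
    """Map a CSP (and optional X-Frame-Options) header onto the three use cases."""
    policy = parse_csp(csp_header)
    warnings: list[str] = []

    # script-src falls back to default-src when absent.
    script = policy.get("script-src", policy.get("default-src"))
    hosts: list[str] = []
    if script is None:
        warnings.append("no script-src/default-src: CSP does not restrict scripts")
    else:
        uses_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in script)
        strict_dynamic = "'strict-dynamic'" in script
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in script and not uses_nonce_or_hash:
            warnings.append("'unsafe-inline' without nonce/hash: injected inline scripts run")
        # Quoted keywords start with "'", scheme sources end with ":"; the rest name hosts.
        hosts = [s for s in script if not s.startswith("'") and not s.endswith(":") and s != "*"]
        # With 'strict-dynamic', host and scheme sources are ignored, so they cannot be abused.
        if not strict_dynamic:
            open_sources = sorted(OPEN_SCRIPT_SOURCES.intersection(script))
            if open_sources:
                warnings.append(f"open scheme/wildcard source {open_sources}: any host may serve scripts")
            if hosts:
                warnings.append("host whitelist in use: an expired or typo domain in the list "
                                "can be registered by an attacker and used to serve scripts")

    tls = bool(TLS_DIRECTIVES.intersection(policy))
    framing = "frame-ancestors" in policy
    if not framing and xfo_header is not None:
        value = xfo_header.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            warnings.append(f"framing relies on X-Frame-Options {value} only; "
                            "frame-ancestors in CSP is the well-specified replacement")
        else:
            warnings.append(f"X-Frame-Options value {xfo_header!r} is not consistently honoured")
    return Assessment(script is not None, tls, framing, hosts, warnings)


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    full = assess("default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "upgrade-insecure-requests; frame-ancestors 'none'")
    minimal = assess("upgrade-insecure-requests", xfo_header="ALLOW-FROM https://partner.example")
    for name, result in (("full policy", full), ("easy-to-deploy subset", minimal)):
        print(name, result)
```

The "easy-to-deploy subset" case is the point the survey makes: a site that never manages a working script whitelist can still ship upgrade-insecure-requests and frame-ancestors, and the classifier reports TLS enforcement and framing control independently of whether content restriction exists at all.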

History

Preferred Citation

Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis and Ben Stock. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies. In: Network and Distributed System Security Symposium (NDSS). 2020.

Primary Research Area

  • Empirical and Behavioral Security

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Legacy Posted Date

2019-11-17

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2986,
  title     = "Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.",
  author    = "Roth, Sebastian and Barron, Timothy and Calzavara, Stefano and Nikiforakis, Nick and Stock, Ben",
  booktitle = "{Network and Distributed System Security Symposium (NDSS)}",
  year      = "2020",
}
