posted on 2023-11-29, 18:15authored byMarius Steffens, Marius Musch, Martin Johns, Ben StockBen Stock
The Web has grown into the most widely used application platform for our daily lives. First-party Web applications thrive due to many different third parties they rely on to provide auxiliary functionality, like maps or ads, to their sites. In this paper, we set out to understand to what extent this outsourcing has adverse effects on two key security mechanisms, namely Content Security Policy (CSP; to mitigate XSS) and Subresource Integrity (SRI; to mitigate third-party compromises) by conducting a longitudinal study over 12 weeks on 10,000 top sites. Under the assumption that a first party wants to deploy CSP and SRI and is able to make their code base compliant with these mechanisms, we assess how many sites could fully deploy the mechanisms without cooperation from their third parties. For those unable to do so without cooperation, we also measure how many third parties would jointly have to make their code compliant to enable first-party usage of CSP and SRI.
To more accurately depict trust relations, we rely on holistic views into inclusion chains within all pages of the investigated sites. In addition, based on a combination of heuristics and manual validation, we identify different eTLD+1s belonging to the same business entity, allowing us to more accurately discerning parties from each other. Doing so, we show that the vast majority of sites includes third-party code which necessitates the use of unsafe-inline (75%) or unsafe-eval (61%), or makes deployment of strict-dynamic impossible (76%) without breakage of functionality. For SRI, based on the analysis of a single snapshot (within less than 12 hours), we also show that more than half of all sites cannot fully rely on SRI to protect them from third-party compromise due to randomized third-party content.
History
Preferred Citation
Marius Steffens, Marius Musch, Martin Johns and Ben Stock. Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI. In: Network and Distributed System Security Symposium (NDSS). 2021.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
Network and Distributed System Security Symposium (NDSS)
Legacy Posted Date
2020-12-22
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3337,
title = "Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI",
author = "Steffens, Marius and Musch, Marius and Johns, Martin and Stock, Ben",
booktitle="{Network and Distributed System Security Symposium (NDSS)}",
year="2021",
}