CISPA
Browse
cispa_all_3337.pdf (430.43 kB)

Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI

Download (430.43 kB)
conference contribution
posted on 2023-11-29, 18:15 authored by Marius Steffens, Marius Musch, Martin Johns, Ben StockBen Stock
The Web has grown into the most widely used application platform for our daily lives. First-party Web applications thrive due to many different third parties they rely on to provide auxiliary functionality, like maps or ads, to their sites. In this paper, we set out to understand to what extent this outsourcing has adverse effects on two key security mechanisms, namely Content Security Policy (CSP; to mitigate XSS) and Subresource Integrity (SRI; to mitigate third-party compromises) by conducting a longitudinal study over 12 weeks on 10,000 top sites. Under the assumption that a first party wants to deploy CSP and SRI and is able to make their code base compliant with these mechanisms, we assess how many sites could fully deploy the mechanisms without cooperation from their third parties. For those unable to do so without cooperation, we also measure how many third parties would jointly have to make their code compliant to enable first-party usage of CSP and SRI. To more accurately depict trust relations, we rely on holistic views into inclusion chains within all pages of the investigated sites. In addition, based on a combination of heuristics and manual validation, we identify different eTLD+1s belonging to the same business entity, allowing us to more accurately discerning parties from each other. Doing so, we show that the vast majority of sites includes third-party code which necessitates the use of unsafe-inline (75%) or unsafe-eval (61%), or makes deployment of strict-dynamic impossible (76%) without breakage of functionality. For SRI, based on the analysis of a single snapshot (within less than 12 hours), we also show that more than half of all sites cannot fully rely on SRI to protect them from third-party compromise due to randomized third-party content.

History

Preferred Citation

Marius Steffens, Marius Musch, Martin Johns and Ben Stock. Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI. In: Network and Distributed System Security Symposium (NDSS). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Legacy Posted Date

2020-12-22

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3337, title = "Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI", author = "Steffens, Marius and Musch, Marius and Johns, Martin and Stock, Ben", booktitle="{Network and Distributed System Security Symposium (NDSS)}", year="2021", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC