CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

@article{Weichselbaum2016CSPID,
  title={CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy},
  author={Lukas Weichselbaum and M. Spagnuolo and Sebastian Lekies and A. Janc},
  journal={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security},
  year={2016}
}
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern web applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies. We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages from over 1 billion hostnames; the result…
57 Citations

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies
  • 11 citations
  • Highly Influenced
Semantics-Based Analysis of Content Security Policy Deployment
  • 17 citations
On the Content Security Policy Violations due to the Same-Origin Policy
  • 15 citations
  • Highly Influenced
A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web
  • 3 citations
CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition
  • 7 citations
  • Highly Influenced
Reining in the Web's Inconsistencies with Site Policy
  • 1 citation
  • Highly Influenced
Strengthening Content Security Policy via Monitoring and URL Parameters Filtering
  • Highly Influenced
Warn if Secure or How to Deal with Security by Default in Software Development?
GUARDIA: specification and enforcement of javascript security policies without VM modifications
  • 3 citations

References

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks
  • 151 citations
  • Highly Influential
Content Security Policy Level 2
  • W3C Working Draft
  • 2014
Postcards from the post-XSS world
  • Online at http://lcamtuf.coredump.cx/postxss
  • 2011