On the Content Security Policy Violations due to the Same-Origin Policy

  title={On the Content Security Policy Violations due to the Same-Origin Policy},
  author={Doli{\`e}re Francis Som{\'e} and Nataliia Bielova and Tamara Rezk},
  journal={Proceedings of the 26th International Conference on World Wide Web},
Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled… 

Figures and Tables from this paper

Reining in the Web's Inconsistencies with Site Policy

This paper formalizes inconsistencies for cookie security attributes, CSP and HSTS, and quantifies the magnitude and impact of inconsistencies at scale by crawling 15,000 popular sites and proposes Site Policy, designed to overcome Origin Policy’s shortcomings and make any insecurity explicit.

Strenghtening Content Security Policy via Monitoring and URL Parameters Filtering

4 extensions to strengthen CSP via a monitoring mechanism: the ability to selectively exclude whitelisted content, express more fine grained checks on URL arguments, explicitly prevent redirections to partially Whitelisted origins, and an efficient reporting mechanism to collect content that are allowed by a CSP enforced on a webpage are discussed.

Semantics-Based Analysis of Content Security Policy Deployment

A systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics for the latest stable version of the standard, CSP Level 2, to substantiate the methodology and assess the impact of the detected issues.

CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition

This paper presents Compositional CSP, an extension of CSP based on runtime policy composition that is designed to overcome the limitations arising from the use of static white-lists, while avoiding a major overhaul of C SP and the logic underlying policy writing.

Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies

A historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains finds the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors.

Assessing the Impact of Script Gadgets on CSP at Scale

Is securely deploying CSP even possible without a priori knowledge of all files hosted on even a partially trusted origin?

WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms

Weshowcase the effectiveness of WebSpec by discovering two new logical Maw caused by the interaction of different browser mechanisms and by identifying three previously discovered logical Maw in the current Web platform, as well as in old versions.

The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches

This paper presents the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications which enables new threats which are beyond the scope of traditional XSS.

Hardening Firefox against Injection Attacks

This work studies common threats to discover common threats and explains how to address them systematically to harden Firefox.

12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP

To uncover the root causes behind the omnipresent misconfiguration of CSP, a qualitative study involving 12 real-world Web developers was conducted, able to identify the participant's misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.



May I? - Content Security Policy Endorsement for Browser Extensions

A large-scale empirical study of all free extensions from Google's Chrome web store uncovers three classes of vulnerabilities arising from the tension between the power of extensions and CSP intended by web pages: third party code inclusion, enabling XSS, and user profiling.

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy

The "strict-dynamic" keyword is proposed, an addition to the CSP specification that facilitates the creation of policies based on cryptographic nonces, without relying on domain whitelists, in order to understand their security benefits.

Reining in the web with content security policy

This work presents content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which intends to be one such layer of real world security in layers, and shows how a system such as CSP can be effective to lock down sites and provide an early alert system for vulnerabilities on a web site.

Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild

A systematic, large-scale analysis of four key aspects that impact on the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance, which argues that many of these problems can be fixed by better exploiting the monitoring facilities of C SP.

A Measurement Study of the Content Security Policy on Real-World Applications

Measurements on a large corpus of web applications pro-vide a key insight on the amount of efforts web developers required to adapt to CSP and identified errors in CSP policies that are set by website developers on their websites.

CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites

This work proposes CSPAutoGen to enable CSP in real-time, without server modifications, and being compatible with real-world websites, and conducts extensive case studies on five popular websites, indicating that CSP autoGen can preserve the behind-the-login functionalities.

On the Incoherencies in Web Browser Access Control Policies

This paper analyzes three major access control flaws in today's browsers and builds WebAnalyzer, a crawler-based framework for measuring real-world usage of browser features, and used it to study the top 100,000 popular web sites ranked by Alexa.

Injecting CSP for Fun and Security

This work presents a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site, and can provide significantly improved resistance to XSS for sites not yet using CSP.

Beware of Finer-Grained Origins

It is demonstrated that attackers can circumvent these "finergrained origins" using the library import and data export features of browsers using the browser's built-in isolation between security contexts.

CSP AiDer : An Automated Recommendation of Content Security Policy for Web Applications

This work presents the first automated approach for the construction of content security policies in web applications, and has contributed in the recommendation of CSPs of more than 10000 web sites.