Sebastian Roth (CISPA Helmholtz Center for Information Security), Timothy Barron (Stony Brook University), Stefano Calzavara (Università Ca' Foscari Venezia), Nick Nikiforakis (Stony Brook University), Ben Stock (CISPA Helmholtz Center for Information Security)

The Content Security Policy (CSP) mechanism was developed as a mitigation against script injection attacks in 2010. In this paper, we leverage the unique vantage point of the Internet Archive to conduct a historical and longitudinal analysis of how CSP deployment has evolved for a set of 10,000 highly ranked domains. In doing so, we document the long-term struggle site operators face when trying to roll out CSP for content restriction and highlight that even seemingly secure whitelists can be bypassed through expired or typo domains. Next to these new insights, we also shed light on the usage of CSP for other use cases, in particular, TLS enforcement and framing control. Here, we find that CSP can be easily deployed to fit those security scenarios, but both lack wide-spread adoption. Specifically, while the underspecified and thus inconsistently implemented X-Frame-Options header is increasingly used on the Web, CSP's well-specified and secure alternative cannot keep up. To understand the reasons behind this, we run a notification campaign and subsequent survey, concluding that operators have often experienced the complexity of CSP (and given up), utterly unaware of the easy-to-deploy components of CSP. Hence, we find the complexity of secure, yet functional content restriction gives CSP a bad reputation, resulting in operators not leveraging its potential to secure a site against the non-original attack vectors.

View More Papers

Compliance Cautions: Investigating Security Issues Associated with U.S. Digital-Security...

Rock Stevens (University of Maryland), Josiah Dykstra (Independent Security Researcher), Wendy Knox Everette (Leviathan Security Group), James Chapman (Independent Security Researcher), Garrett Bladow (Dragos), Alexander Farmer (Independent Security Researcher), Kevin Halliday (University of Maryland), Michelle L. Mazurek (University of Maryland)

Read More

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Benjamin E. Ujcich (University of Illinois at Urbana-Champaign), Samuel Jero (MIT Lincoln Laboratory), Richard Skowyra (MIT Lincoln Laboratory), Steven R. Gomez (MIT Lincoln Laboratory), Adam Bates (University of Illinois at Urbana-Champaign), William H. Sanders (University of Illinois at Urbana-Champaign), Hamed Okhravi (MIT Lincoln Laboratory)

Read More

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting

Soroush Karami (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Konstantinos Solomos (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago)

Read More

MassBrowser: Unblocking the Censored Web for the Masses, by...

Milad Nasr (University of Massachusetts Amherst), Hadi Zolfaghari (University of Massachusetts Amherst), Amir Houmansadr (University of Massachusetts Amherst), Amirhossein Ghafari (University of Massachusetts Amherst)

Read More