This document discusses Content Security Policy (CSP), including:
1. CSP is a mechanism that web applications can use to mitigate content injection vulnerabilities like XSS. CSP has gone through three levels, each introducing new directives and features.
2. An analysis of over 1 million top websites found that less than 5% have CSP policies configured, and most policies are not fully secure against content injection.
3. The document provides recommendations for implementing a strong CSP, such as defining default-src, avoiding unsafe-inline, whitelisting via hashes/nonces, and narrowing the policy whitelist. It also discusses goals for further improving CSP adoption and support.
2. What does CSP stand for?
Content Security Policy (CSP) - a mechanism web
applications can use to mitigate a broad class of
content injection vulnerabilities, such as XSS.
8. New in CSP Level 3
• New directives: manifest-src, worker-src,
report-to, block-mixed-content, upgrade-
insecure-requests, require-sri-for
• frame-src undeprecated
• New in source-expression: 'strict-dynamic'
• Changes in url and source-expression matching
algorithms
• Additional changes to violation reports
14. Alexa top 1 000 000 data
• 72.7% CSP (default-src OR script-src AND
object-src)
• 7.52% CSP (no unsafe-inline)
–1.84% whitelist via nonce/hash
• 3.04% CSP (nonce/hash + unsafe inline)
15. How to build good CSP
• Define default-src or script-src and object-src
• Say NO to ‘unsafe-inline’
• Whitelist via nonce/hash
• Narrow down whitelist
• strict-dynamic
• Get continuous feedback via violation reports
16. CSP what is next?
• Decrease deployment friction:
–‘strict-dynamic’
–middleware to build CSP automatically
–support for legacy software (LB, RP)
• Faster adoption of new standards by
Browsers
• Education and documentation
• More tools!
CSP 1.1 working draft latest 11 February 2014 https://www.w3.org/TR/2014/WD-CSP11-20140211/ which evolved to CSP level 2
CSP level 1 - 11 November 2012
CSP level 2 - 21 July 2015
CSP level 3 - 13 September 2016 (latest working draft)
CSP level 1 is supported by major browsers, but it the issue is that CSP 1 missing support whitelisting inline scripts by nonce and hash which makes integrations hard for sites. Also as we discussed before it is missing many others important features. So let’s take a look on CSP level 2 browser compatibility matrix.
So, as you can see CSP level 2 support is missing or not fully implemented in many browsers. Despite it is fully supported in Chrome (which is great), but in summary other browsers have good piece of market, which we can see do not fully support CSP 2. But it is not that bad! The great news, that main pieces, like support for hash and digest in source expression and delivery in meta element is implemented in almost all browsers (new iOS and mac OS will close that spot or already closed,), but as all we know devil is in the details.
Many applications deployed for different domains like com, net .us etc and have the same policies, so I have to deduplicate them in a data set to not pollute results
116 sites have CSP-RO (25 individual non empty policy) and only 23 have report-uri
Only 986 sites want’s to analyze their policy violation reports, but when you drill down it came to 746 individual policies which uses 418 different endpoints
Another interesting data point is frame-ancestors directive which seems getting more attention because of better flexibility (you can whitelist different origins). Remember that this is CSP2 directive and is not supported by all browsers, so if you look on how many of sites have similar X-frame-options-data you’ll get following