This document discusses Content Security Policy (CSP), including: 1. CSP is a mechanism that web applications can use to mitigate content injection vulnerabilities like XSS. CSP has gone through three levels, each introducing new directives and features. 2. An analysis of over 1 million top websites found that less than 5% have CSP policies configured, and most policies are not fully secure against content injection. 3. The document provides recommendations for implementing a strong CSP, such as defining default-src, avoiding unsafe-inline, whitelisting via hashes/nonces, and narrowing the policy whitelist. It also discusses goals for further improving CSP adoption and support.

1. Demystifying CSP
Ilya Nesterov, Shape Security
mailto: ilya@nesterov.us
@ilya_online

2. What does CSP stand for?
Content Security Policy (CSP) - a mechanism web
applications can use to mitigate a broad class of
content injection vulnerabilities, such as XSS.

3. CSP Level 1

4. CSP Level 1
• Policy delivery via HTTP header only
• Multiple CSP headers allowed
• Sandbox directive is optional
• script-src governs workers

5. CSP Level 2

6. New in CSP Level 2
• Policy delivery via <meta>
• New directives: child-src, form-action, frame-
ancestors, base-uri, plugin-types
• Source-expression supports hash and nonce
• host-source can use path for matching
• SecurityPolicyViolationEvent
• Extended violation report
• child-src governs workers

7. CSP Level 3

8. New in CSP Level 3
• New directives: manifest-src, worker-src,
report-to, block-mixed-content, upgrade-
insecure-requests, require-sri-for
• frame-src undeprecated
• New in source-expression: 'strict-dynamic'
• Changes in url and source-expression matching
algorithms
• Additional changes to violation reports

9. Browser compatibility CSP level 1

10. Browser compatibility CSP level 2

11. CSP directives compatibility matrix

12. Alexa top 1 000 000 data
• 1 000 000 sites landing pages
• 4515 sites have CSP policies
• 2339 individual policies
• 116 sites have CSP-RO (25 policies)
• 986 sites send violation reports
• 1323 sites use only frame-ancestors
• 102 upgrade-insecure-requests

13. CSP policies closer look

14. Alexa top 1 000 000 data
• 72.7% CSP (default-src OR script-src AND
object-src)
• 7.52% CSP (no unsafe-inline)
–1.84% whitelist via nonce/hash
• 3.04% CSP (nonce/hash + unsafe inline)

15. How to build good CSP
• Define default-src or script-src and object-src
• Say NO to ‘unsafe-inline’
• Whitelist via nonce/hash
• Narrow down whitelist
• strict-dynamic
• Get continuous feedback via violation reports

16. CSP what is next?
• Decrease deployment friction:
–‘strict-dynamic’
–middleware to build CSP automatically
–support for legacy software (LB, RP)
• Faster adoption of new standards by
Browsers
• Education and documentation
• More tools!

17. Resources:
• https://cspvalidator.org
• https://csp-evaluator.withgoogle.com/
• https://csp.withgoogle.com
• https://github.com/shapesecurity/salvation
• https://report-uri.io
• https://www.w3.org/TR/CSP3/
• https://www.w3.org/2011/webappsec/