Conference Venue: RAI Amsterdam, Europaplein 24, 1078 GZ Amsterdam, The Netherlands

Friday, September 27 • 10:15am - 11:00am
Restricting the scripts, you're to blame, you give CSP a bad name

In a current research project, we investigated the longitudinal evolution of the Content Security Policy header over the course of the last seven years. Throughout this analysis of the 10,000 highest-ranked sites, we conducted case studies that illustrate the struggle of Web sites trying to deploy a CSP in a secure fashion, as well as examples of sites that give up on CSP. In addition, we shed light on the other security capabilities of CSP, especially framing control and TLS enforcement.

CSP can be used to enforce that resources are only loaded via TLS-secured connections. This can be achieved either by forbidding the loading of HTTP resources with the block-all-mixed-content directive, or by using the upgrade-insecure-requests directive, which forces the automatic rewriting of all HTTP URLs to HTTPS when the page loads. The latter is useful for gracefully transitioning from HTTP to HTTPS while preventing warnings and breakage due to mixed content. Based on an analysis of live Web sites, we show that most sites could deploy upgrade-insecure-requests right now to avoid any mixed content without errors.

For framing control, we found that within the Top 10K sites 3,253 made use of XFO, whereas only 409 used frame-ancestors. Due to the inconsistencies of the XFO header, the protection of the 3,253 sites may be weaker than the protection offered to the frame-ancestors Web sites. The ALLOW-FROM mode of XFO is not supported in some of the major browsers (including Google Chrome); an operator who uses this mode would therefore not protect the users of those browsers, because unsupported headers are ignored. In addition, the SAMEORIGIN mode of XFO is in some cases susceptible to so-called Double Framing attacks. This is caused by the fact that the XFO standard does not define whether the top-most frame, the parent frame, or all frame ancestors (as with the CSP directive) have to be hosted within the same origin.

Because of these inconsistencies, we sent notifications to 2,700 Web sites that suffer from this problem. By investigating the responses, we were able to gather valuable information regarding the roadblocks of CSP deployment in the wild. While most of the Web developers were aware of the protection that CSP can offer, they are massively intimidated by the complexity of CSP's content restriction. Due to this complexity, or because they are unaware of CSP's additional capabilities, they do not consider framing control or TLS enforcement as legitimate use cases of CSP.

In this talk, we want to raise awareness of the issues of some of the widely used security headers, as well as present and explain the more secure CSP alternatives to them. Furthermore, we want to involve the audience in a discussion of their “horror stories” and roadblocks for CSP deployment, so that we can build better tools and improve informational material regarding CSP.
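The abstract's two points, that XFO has browser-dependent semantics while frame-ancestors checks every ancestor consistently, and that a site without upgrade-insecure-requests or block-all-mixed-content leaves mixed content unhandled, can be turned into a small header audit. The following is an added example, not the researchers' measurement tooling: it classifies one site's response headers, records the XFO caveats the talk describes, and emits the equivalent CSP directives. The header dicts in SAMPLE_SITES are constructed, not measured data, and the choice of 'none' as the fallback frame-ancestors value for sites with no framing control is an assumption to be widened if a site frames itself.

```python
from dataclasses import dataclass, field

# Header names the abstract discusses (lower-cased for case-insensitive lookup)
CSP = "content-security-policy"
XFO = "x-frame-options"


@dataclass
class HeaderAudit:
    framing: str                              # "frame-ancestors", "xfo" or "none"
    tls: str                                  # "upgrade", "block" or "none"
    findings: list = field(default_factory=list)
    recommended_csp: str = ""


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive and the first occurrence of a
    directive wins; later duplicates are ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp: directives joined by '; '."""
    return "; ".join(
        name + (" " + " ".join(srcs) if srcs else "") for name, srcs in policy.items()
    )


def audit_headers(headers):
    """Classify one site's framing control and TLS enforcement from its response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    policy = parse_csp(h.get(CSP, ""))
    xfo_tokens = h.get(XFO, "").split()
    xfo_mode = xfo_tokens[0].upper() if xfo_tokens else ""
    findings = []

    # Framing control: frame-ancestors has one well-defined meaning (every
    # ancestor is checked); XFO modes carry the caveats from the abstract.
    if "frame-ancestors" in policy:
        framing = "frame-ancestors"
        ancestors = policy["frame-ancestors"]
    elif xfo_mode == "DENY":
        framing = "xfo"
        ancestors = ["'none'"]
    elif xfo_mode == "SAMEORIGIN":
        framing = "xfo"
        ancestors = ["'self'"]
        findings.append("XFO SAMEORIGIN: standard leaves open which ancestor is checked; double-framing risk")
    elif xfo_mode == "ALLOW-FROM" and len(xfo_tokens) > 1:
        framing = "xfo"
        ancestors = [xfo_tokens[1]]
        findings.append("XFO ALLOW-FROM: unsupported in some major browsers (e.g. Chrome), where the header is ignored")
    else:
        framing = "none"
        ancestors = ["'none'"]               # assumed starting point; widen if the site frames itself
        if xfo_mode:
            findings.append(f"XFO {xfo_mode}: unrecognised value is ignored by browsers")
        else:
            findings.append("no framing control: any origin may frame this page")

    # TLS enforcement: either directive handles mixed content; neither means it is unhandled.
    if "upgrade-insecure-requests" in policy:
        tls = "upgrade"
    elif "block-all-mixed-content" in policy:
        tls = "block"
    else:
        tls = "none"
        findings.append("mixed content neither upgraded nor blocked")

    # Recommended policy: keep what the site already sends, add the CSP equivalents.
    recommended = dict(policy)
    recommended.setdefault("frame-ancestors", ancestors)
    if tls == "none":
        recommended["upgrade-insecure-requests"] = []
    return HeaderAudit(framing, tls, findings, serialize_csp(recommended))


def summarize(sites):
    """Count framing mechanisms across many sites, the way the abstract's 3,253-vs-409 figure does."""
    counts = {"frame-ancestors": 0, "xfo": 0, "none": 0}
    for headers in sites.values():
        counts[audit_headers(headers).framing] += 1
    return counts


# Constructed sample responses for four hypothetical sites (not measured data)
SAMPLE_SITES = {
    "a.example": {"X-Frame-Options": "SAMEORIGIN"},
    "b.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "c.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests"},
    "d.example": {},
}

if __name__ == "__main__":
    for site, headers in SAMPLE_SITES.items():
        a = audit_headers(headers)
        print(site, a.framing, a.tls, a.findings, "->", a.recommended_csp)
    print(summarize(SAMPLE_SITES))
```

Running the audit over real responses only needs the headers of a site's landing page; the recommended policy is a starting point to test in Content-Security-Policy-Report-Only mode before enforcing, since frame-ancestors 'none' will break any legitimate self-framing.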

Sebastian Roth

PhD Candidate, CISPA Helmholtz Center for Information Security
Sebastian Roth is a PhD student in the Information Security and Cryptography Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Michael Backes. His research interest is focused on client-side Web Security as well as Usable Security for developers...

Friday September 27, 2019 10:15am - 11:00am CEST