Abstract

Content Security Policy (CSP) is a popular and effective security mechanism against content injection vulnerabilities, such as cross-site scripting, in web applications. Unfortunately, there are many problems in the analysis, design, and evaluation of CSP, which hinder its wide adoption by real-world web applications. In this paper, we give a systematic study of these problems and propose workable solutions for them. We systematically analyze the methodology of CSP, namely how it works and how it prevents attacks. We present the security weaknesses in that methodology, namely which attacks it cannot prevent. We give formalized definitions and proofs of the relevant properties, for a theoretically accurate design and evaluation of CSP in web applications. We give a practical policy tool, named ACSP, that helps developers or analysts to automatically design a CSP with the best security and availability, or to exactly evaluate the security and availability of the CSP used in one or several web pages. We perform a large-scale evaluation of the CSP policies in real-world applications. The most serious problem that we find is that their policies only leverage a small part of the security ability of CSP. Copyright © 2016 John Wiley & Sons, Ltd.
