- From: Oda, Terri <terri.oda@intel.com>
- Date: Wed, 23 Jul 2014 11:26:19 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
This paper for RAID 2014 is fairly interesting and worth reading as we're moving into CSP 2: http://mweissbacher.com/publications/csp_raid.pdf To whet your appetites for reading some numbers about CSP enforcement in practice, here's a few tidbits: - They found that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100. - Many of the sites using CSP were doing so due to using software that ships with it by default (they specifically call out phpMyAdmin and OwnCloud) - Their stats on CSP violation reports are somewhat interesting: lots of extension-related violation reports that were difficult to deal with. - They found that neither naive crawling nor manual browsing was enough to generate a CSP policy automatically, so creating an effective policy is still a partially manual process. Their recommendations: > Ads should be integrated into iframes instead of the main site. > Instead of whitelisting all possible ad networks or developing a mechanism for > recursive policy adoption, ads should be moved into sandboxed iframes. This > allows the main site to be protected with an effective policy, while the iframe can > be more permissive, but isolated. Conflating both the site proper and ads in the > same context is not necessary, since information required by ads can be passed via > postMessage cross-window communication. However, while not widely available, > alternatives such as Security Style Sheets [14] have been proposed that would > allow for such separation without moving content to iframes. > > > > More web applications and frameworks should adopt CSP. Introduc- > ing CSP to programs that are deployed widely can have a higher impact on the > overall security of the web as compared to individual websites adopting CSP. As > examples, phpMyAdmin and OwnCloud have adopted CSP, and Django can be > configured with CSP. Most desirable would be the introduction of CSP to web > frameworks, which could drastically improve adoption of CSP and the safety of > the web. > > > > Browsers should not enforce CSP on extensions. As discussed in Sec- > tion 4, enforcing policies on browser extensions generates many unexpected re- > ports for websites. Websites should not be forced to whitelist extensions since > the number of extensions and third-party resources included by those extensions > is theoretically unbounded and cannot be predicted by application developers. > Furthermore, CSP in its current form is not an adequate mechanism for websites > to block potentially undesired extensions and should not be used as such.
Received on Wednesday, 23 July 2014 18:26:48 UTC