W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

"Why is CSP failing? Trends and Challenges in CSP Adoption"

From: Oda, Terri <terri.oda@intel.com>
Date: Wed, 23 Jul 2014 11:26:19 -0700
Message-ID: <CACoC0R_drRYe+AX051G+4j=F3jUzy5+FcRwu-zPNkX7TWkYUrw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
This paper for RAID 2014 is fairly interesting and worth reading as
we're moving into CSP 2:


To whet your  appetites for reading some numbers about CSP enforcement
in practice,
here's a few tidbits:

- They found that CSP is deployed in enforcement mode on only 1% of
the Alexa Top 100.
- Many of the sites using CSP were doing so due to using software that
ships with it by default (they specifically call out phpMyAdmin and
- Their stats on CSP violation reports are somewhat interesting: lots
of extension-related violation reports that were difficult to deal
- They found that neither naive crawling nor manual browsing was
enough to generate a CSP policy automatically, so creating an
effective policy is still a partially manual process.

Their recommendations:

> Ads should be integrated into iframes instead of the main site.
> Instead of whitelisting all possible ad networks or developing a mechanism for
> recursive policy adoption, ads should be moved into sandboxed iframes. This
> allows the main site to be protected with an effective policy, while the iframe can
> be more permissive, but isolated. Conflating both the site proper and ads in the
> same context is not necessary, since information required by ads can be passed via
> postMessage cross-window communication. However, while not widely available,
> alternatives such as Security Style Sheets [14] have been proposed that would
> allow for such separation without moving content to iframes.
> More web applications and frameworks should adopt CSP. Introduc-
> ing CSP to programs that are deployed widely can have a higher impact on the
> overall security of the web as compared to individual websites adopting CSP. As
> examples, phpMyAdmin and OwnCloud have adopted CSP, and Django can be
> configured with CSP. Most desirable would be the introduction of CSP to web
> frameworks, which could drastically improve adoption of CSP and the safety of
> the web.
> Browsers should not enforce CSP on extensions. As discussed in Sec-
> tion 4, enforcing policies on browser extensions generates many unexpected re-
> ports for websites. Websites should not be forced to whitelist extensions since
> the number of extensions and third-party resources included by those extensions
> is theoretically unbounded and cannot be predicted by application developers.
> Furthermore, CSP in its current form is not an adequate mechanism for websites
> to block potentially undesired extensions and should not be used as such.
Received on Wednesday, 23 July 2014 18:26:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC