- From: Stefano Calzavara <calzavara@dais.unive.it>
- Date: Fri, 9 Jun 2017 10:16:13 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAGVWdyUCVM+BNpJekUvtr-_HCisROuk4OF7AjWMPTqzC+Ha+0Q@mail.gmail.com>
Dear WebAppSec members,

our research group at Università Ca' Foscari Venezia has been working on CSP during the last few months. Based on the analysis of real-world scenarios, we observed that the static nature of CSP white-lists creates trouble when configuring CSP correctly. Strict CSP (based on nonces) is definitely a step in the right direction, but we believe it does not solve all the issues we found in the wild, such as HTTP redirects and advertisements.

We are thus proposing Compositional CSP, an extension of CSP where the enforced content security policy is built from an initial policy written by the page developers and the policies supplied by the providers of the included contents. The results of our research will be presented at USENIX Security 2017; you can find a pre-print of the paper attached to the present email.

I hope you will enjoy reading it and that our idea could be inspiring to address the expressiveness issues of CSP we identified. Do you think Compositional CSP could be helpful in real browsers?

Best,

-- Stefano
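To make the problem described above concrete, the following is an added toy model (not code from the paper or from the authors) of how a static CSP white-list fails when an included script pulls in a dependency from a host the page developer never listed, and how a page policy could be extended with a provider-supplied policy. The composition rule used here (per-directive union of host sources, seeded from `default-src`, with provider keyword sources such as `'unsafe-inline'` ignored) is an assumption made for illustration, not the semantics defined in the paper; the host names and headers are constructed sample values.

```python
"""Toy CSP source-list matching plus an assumed compositional rule.

Added illustration only: the composition semantics below is a guess made
for this example, not the rule from the Compositional CSP paper.
Host-source matching is simplified (no path matching, no scheme-less
upgrade rules) but follows the shape of CSP host-source expressions.
"""
from urllib.parse import urlparse


def parse_csp(header):
    """Parse 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp, for emitting the composed header."""
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in policy.items())


def host_matches(expr, url):
    """Simplified CSP host-source match: [scheme://]host[:port], '*' or '*.' wildcard."""
    u = urlparse(url)
    if expr == "*":
        return u.scheme in ("http", "https")
    if "://" in expr:
        scheme, _, hostport = expr.partition("://")
        if scheme.lower() != u.scheme.lower():
            return False
    else:
        hostport = expr
    host, _, port = hostport.partition(":")
    hostname = (u.hostname or "").lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:].lower()):
            return False
    elif hostname != host.lower():
        return False
    if port and port != "*":
        effective = u.port or {"https": 443, "http": 80}.get(u.scheme)
        if str(effective) != port:
            return False
    return True


def allows(policy, directive, url, page_origin):
    """True if `url` may be loaded under `directive`, with CSP's default-src fallback."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    for expr in sources:
        if expr == "'self'" and url.startswith(page_origin + "/"):
            return True
        if not expr.startswith("'") and host_matches(expr, url):
            return True
    return False  # 'none' and unmatched hosts fall through to a block


def compose(page_policy, provider_policies):
    """Assumed rule: start from the page policy, add each provider's host sources.

    A directive the page did not set is seeded from its default-src so that
    adding provider hosts never silently drops the page's own fallback.
    Quoted keyword sources from providers ('unsafe-inline', 'self', ...) are
    ignored: a provider should only be able to name hosts it depends on.
    """
    result = {d: list(s) for d, s in page_policy.items()}
    for prov in provider_policies:
        for directive, sources in prov.items():
            if directive not in result and "default-src" in result:
                result[directive] = list(result["default-src"])
            merged = result.setdefault(directive, [])
            for src in sources:
                if not src.startswith("'") and src not in merged:
                    merged.append(src)
            if len(merged) > 1 and "'none'" in merged:
                merged.remove("'none'")
    return result


# Constructed sample: the page trusts its ad provider, but the ad script loads
# a library from the provider's CDN, which the page developer never listed.
PAGE_ORIGIN = "https://shop.example"
PAGE_HEADER = "default-src 'self'; script-src 'self' https://ads.example"
PROVIDER_HEADER = "script-src https://cdn.adnet.example 'unsafe-inline'"


def demo():
    """Return (blocked_before, allowed_after, composed_header)."""
    page = parse_csp(PAGE_HEADER)
    dep = "https://cdn.adnet.example/lib.js"
    before = allows(page, "script-src", dep, PAGE_ORIGIN)
    composed = compose(page, [parse_csp(PROVIDER_HEADER)])
    after = allows(composed, "script-src", dep, PAGE_ORIGIN)
    return before, after, serialize_csp(composed)


if __name__ == "__main__":
    print(demo())
```

The composed header only widens `script-src`; an image fetched from the same CDN is still refused because `img-src` keeps falling back to the page's `default-src 'self'`, which is the kind of per-directive scoping a browser-side composition would need in order to avoid turning a provider declaration into a blanket allow-list.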
Attachments
- application/pdf attachment: main.pdf
Received on Friday, 9 June 2017 08:16:49 UTC