Content Security Policy is a web platform mechanism designed
to mitigate cross-site scripting (XSS), the top security
vulnerability in modern web applications . In this paper,
we take a closer look at the practical benefits of adopting
CSP and identify significant flaws in real-world deployments
that result in bypasses in 94.72% of all distinct policies.
We base our Internet-wide analysis on a search engine corpus
of approximately 100 billion pages from over 1 billion
hostnames; the result covers CSP deployments on 1,680,867
hosts with 26,011 unique CSP policies – the most comprehensive
study to date. We introduce the security-relevant
aspects of the CSP specification and provide an in-depth
analysis of its threat model, focusing on XSS protections.
We identify three common classes of CSP bypasses and explain
how they subvert the security of a policy.
We then turn to a quantitative analysis of policies deployed
on the Internet in order to understand their security
benefits. We observe that 14 out of the 15 domains
most commonly whitelisted for loading scripts contain unsafe
endpoints; as a consequence, 75.81% of distinct policies
use script whitelists that allow attackers to bypass CSP. In
total, we find that 94.68% of policies that attempt to limit
script execution are ineffective, and that 99.34% of hosts
with CSP use policies that offer no benefit against XSS.
Finally, we propose the ’strict-dynamic’ keyword, an
addition to the specification that facilitates the creation of
policies based on cryptographic nonces, without relying on
domain whitelists. We discuss our experience deploying such
a nonce-based policy in a complex application and provide
guidance to web authors for improving their policies.