Monday, November 7, 2011

How I learned to stop worrying and embrace Content-Security-Policy

This week, the W3C Web Application Security working group held its first face-to-face meeting at TPAC, the W3C's annual technical meeting.  The main topic of discussion was moving Content-Security-Policy (CSP) from an unofficial draft onto the standards track.  I'm actually pretty excited about CSP now, but I wasn't always its biggest fan.

CSP has a bunch of features, but the core value proposition (in my view) is that web applications can whitelist where their scripts come from.  The main drawback of this approach is that authors need to remove all inline script from their web application because the browser doesn't know whether an inline script is part of the application or whether it was injected as part of a cross-site scripting (XSS) attack.

Initially, I was skeptical about CSP for two reasons:
  1. CSP has a bunch of functionality unrelated to mitigating XSS, which makes the feature more complicated than necessary.  Because I'm a big believer in minimal viable products, my initial reaction was to remove all the extra functionality and focus on the core use case for the first iteration.
  2. I was worried that removing all the inline scripts from a web application would be too hard because web applications use inline scripts frequently.  Joel Weinberger, Dawn Song, and I even wrote a paper exploring that issue.
I still view those criticisms as fair, but I worry less about those issues.  By and large, the early adopters I've worked with have been able to use CSP effectively, which is some evidence that the extra complexity isn't the end of the world.  I've also now built and retrofitted a number of non-trivial web applications to avoid inline script.  It's a fair amount of work, certainly, but not an insurmountable task.

Thanks to some great work by Thomas Sepez, Chrome now uses CSP in the vast majority its HTML-based user interfaces.  Over the years, there has been a steady trickle of XSS vulnerabilities in these interfaces, which is problematic because these interfaces (such as the browser's settings interface) have powerful privileges.  Now that Chrome uses CSP extensively, we can be confident that we've mitigated this entire class of vulnerabilities.

My perspective on CSP now is that it makes a serious dent in one of the biggest problems in web security.  It's definitely not a silver bullet (nothing ever is), but we should invest in CSP because we should be working on the big problems.  If we're not willing to dream big, we should just pack up our tent and go home.


  1. I just found your blog, and I already find it very interesting and useful. Keep blogging. I'll keep reading.

  2. No doubt, this has actually been the best and foremost important thing to follow out, this has actually ended up my good day, I was searching quite relevant to that. See essay paper for best Papers.

  3. It's in reality a great and useful piece of info. I'm glad that you shared this useful info with us. Please stay us informed like this. Thank you for sharing. Visit business phone calls for best Phone Calls.

  4. Thanks for sharing this. I enjoy reading it. Keep it up! Send Flowers To Pune

  5. This is a great post ! it was very informative. I look forward in reading more of your work. Also, I made sure to bookmark your website so I can come back later. I enjoyed every moment of reading it.
    baju batik modern baju batik baju batik wanita batik pekalongan batik couple batik online batik modern gamis batik