DOI: 10.1145/3038912.3052634

On the Content Security Policy Violations due to the Same-Origin Policy

Published: 03 April 2017

Abstract

Modern browsers implement several security policies, among them the Content Security Policy (CSP), a mechanism designed to mitigate common web vulnerabilities such as cross-site scripting, and the Same-Origin Policy (SOP), which governs how the resources of different web pages may interact.
In this work, we describe how CSP may be violated because of the SOP when a page embeds an iframe from the same origin. We analyse 1 million pages from the top 10,000 Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations in which those pages take part in same-origin nested browsing contexts, we find that in at least 23.5% of the cases CSP violations are possible.
During our study we also identified a divergence among browser implementations in the enforcement of CSP in srcdoc sandboxed iframes, which reveals a flaw in the CSP implementation of Gecko-based browsers. To reduce these conflicts between the two security mechanisms, we discuss measures to avoid CSP violations.
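The precondition behind the abstract's figures is a page that carries a CSP and shares an origin with a document whose policy is weaker (or absent): a script injected into the weaker document is not stopped by the stronger page's CSP, and the SOP lets it reach that page's DOM through the frame tree. The following is an added example, not code from the paper or its authors. It parses two CSP header values, compares the restrictions that govern script execution, and reports how a same-origin frame would loosen the parent's policy; it also includes the browser-side probe that shows the SOP side of the problem. Assumptions: source expressions are matched as exact strings rather than by the specification's host-matching algorithm, `'strict-dynamic'` is not modelled, and the sample policies are constructed for the demonstration.

```javascript
'use strict';
// Added example, not code from the paper. Checks the precondition for the
// SOP-based CSP bypass described above: a page with a CSP embeds (or can be
// framed by) a same-origin document whose policy is weaker, so a script
// injected into the weaker document can reach the stronger one through the
// frame tree. Only script restrictions are compared, and source expressions
// are matched as exact strings, a deliberate simplification of the spec.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. Per the spec, a directive
// that appears twice in one policy keeps its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const clause of (header || '').split(';')) {
    const parts = clause.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// The sources that govern script execution: script-src, falling back to
// default-src. null means scripts are unrestricted (no CSP at all, or a
// policy that never constrains scripts).
function effectiveScriptSrc(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

function hasKeyword(sources, keyword) {
  return sources.some(s => s.toLowerCase() === keyword);
}

// 'unsafe-inline' is ignored by CSP Level 2 browsers when the same list also
// carries a nonce or hash, so such a policy does not really allow inline script.
function allowsInlineScript(sources) {
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return hasKeyword(sources, "'unsafe-inline'") && !hasNonceOrHash;
}

// Host and scheme sources (everything that is not a quoted keyword), lower-cased.
function hostSources(sources) {
  return sources.filter(s => !s.startsWith("'")).map(s => s.toLowerCase());
}

// Compare the embedding page's policy with that of a same-origin frame.
// Returns an array of findings; empty means the frame does not loosen the
// script restrictions the parent relies on. 'strict-dynamic' is not modelled.
function frameWeakensParent(parentHeader, frameHeader) {
  const parent = effectiveScriptSrc(parseCsp(parentHeader));
  const frame = effectiveScriptSrc(parseCsp(frameHeader));
  const findings = [];
  if (parent === null) return findings; // parent is unrestricted: nothing to bypass
  if (frame === null) {
    findings.push('frame document has no script restriction');
    return findings;
  }
  if (allowsInlineScript(frame) && !allowsInlineScript(parent)) {
    findings.push("frame allows 'unsafe-inline', parent does not");
  }
  if (hasKeyword(frame, "'unsafe-eval'") && !hasKeyword(parent, "'unsafe-eval'")) {
    findings.push("frame allows 'unsafe-eval', parent does not");
  }
  const parentHosts = new Set(hostSources(parent));
  for (const host of hostSources(frame)) {
    if (!parentHosts.has('*') && !parentHosts.has(host)) {
      findings.push(`frame allows script source ${host}, parent does not`);
    }
  }
  return findings;
}

// Browser-side half of the problem (a no-op under Node, where it returns null):
// run inside an iframe, this reports whether the parent document is reachable.
// For a same-origin parent the answer is true and the whole DOM is readable and
// writable; for a cross-origin parent the access throws a SecurityError.
function parentDocumentReachable() {
  if (typeof window === 'undefined' || window.parent === window) return null;
  try {
    return window.parent.document !== null;
  } catch (e) {
    return false;
  }
}

// Constructed sample policies (not taken from any real site).
const PARENT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";
const FRAME_CSP_NONE = '';
const FRAME_CSP_WEAK = "script-src 'self' 'unsafe-inline' https://cdn.example";
const FRAME_CSP_OK = "script-src 'self' 'nonce-r4nd0m'";

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, csp] of [['none', FRAME_CSP_NONE], ['weak', FRAME_CSP_WEAK], ['ok', FRAME_CSP_OK]]) {
    console.log(label, frameWeakensParent(PARENT_CSP, csp));
  }
}
```

Run under Node it prints the findings for each constructed frame policy: one finding for the frame with no CSP, two for the frame that allows `'unsafe-inline'` and an extra host, none for the frame that matches the parent. The practical check this suggests is to crawl every document served from the origin, not only the pages that already carry a strong CSP, since any weaker same-origin document that can be framed (or that can frame the protected page) is part of the attack surface.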



    Published In

    WWW '17: Proceedings of the 26th International Conference on World Wide Web
    April 2017
    1678 pages
    ISBN: 9781450349130

    Sponsors

    • IW3C2: International World Wide Web Conference Committee

    Publisher

    International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland


    Author Tags

    1. content security policy
    2. same origin policy
    3. security and privacy
    4. web application security

    Qualifiers

    • Research-article


    Acceptance Rates

    WWW '17 Paper Acceptance Rate 164 of 966 submissions, 17%;
    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

    Cited By

    • WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2761-2779, May 2023. doi:10.1109/SP46215.2023.10179465
    • Coverage and Secure Use Analysis of Content Security Policies via Clustering. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 411-428, July 2023. doi:10.1109/EuroSP57164.2023.00032
    • The Nonce-nce of Web Security: An Investigation of CSP Nonces Reuse. Computer Security. ESORICS 2023 International Workshops, pp. 459-475, 25 September 2023. doi:10.1007/978-3-031-54129-2_27
    • 12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3085-3103, 12 November 2021. doi:10.1145/3460120.3484780
    • The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches. 2021 IEEE Security and Privacy Workshops (SPW), pp. 432-443, May 2021. doi:10.1109/SPW53761.2021.00062
    • Neither Good nor Bad: A Large-Scale Empirical Analysis of HTTP Security Response Headers. Trust, Privacy and Security in Digital Business, pp. 83-95, 1 September 2021. doi:10.1007/978-3-030-86586-3_6
    • JSCSP: a Novel Policy-Based XSS Defense Mechanism for Browsers. IEEE Transactions on Dependable and Secure Computing, 2020. doi:10.1109/TDSC.2020.3009472
    • Hardening Firefox against Injection Attacks. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 653-663, September 2020. doi:10.1109/EuroSPW51379.2020.00094
    • Verification of the IBOS Browser Security Properties in Reachability Logic. Rewriting Logic and Its Applications, pp. 176-196, 11 December 2020. doi:10.1007/978-3-030-63595-4_10
    • A Long Way to the Top. Proceedings of the Internet Measurement Conference 2018, pp. 478-493, 31 October 2018. doi:10.1145/3278532.3278574
