Title: Strengthening Content Security Policy via Monitoring and URL Parameters Filtering
Authors: Doliére Francis Somé, Tamara Rezk
DOI: 10.1145/3411497.3420222 (https://doi.org/10.1145/3411497.3420222)
Venue: Proceedings of the 19th Workshop on Privacy in the Electronic Society
Published: 2020-11-09
Open access: no
Citations: 1
Abstract
Content Security Policy (CSP) is a security mechanism for mitigating content injection attacks. It makes it possible to specify the origins of content allowed to load in a webpage. Upon enforcement, CSP-compliant browsers block content not matching the CSP. Previous works have demonstrated limitations of CSP that can lead to security violations. We observe that CSP bypasses (due to JSONP and open redirects) can be linked to the fact that, in the CSP specification, URL parameters are considered safe by default. In particular, the ability to bypass partially whitelisted origins using HTTP redirections has been rendered possible starting from CSP2 for privacy purposes (so as not to reveal redirection URLs), while this can lead to security holes. In this work, we discuss 4 extensions to strengthen CSP via a monitoring mechanism: the ability to selectively exclude whitelisted content, to express more fine-grained checks on URL arguments, to explicitly prevent redirections to partially whitelisted origins, and an efficient reporting mechanism to collect the content that is allowed by a CSP enforced on a webpage. We show that using CSP along with these extensions improves the security of web applications and overcomes known weaknesses of the current CSP specification. We demonstrate the feasibility of our proposals by an implementation using service workers.