Last year we proved that the whitelist-based approach of Content Security Policy (CSP) is flawed and proposed an alternative based on ‘strict-dynamic’ in combination with nonces or hashes. This approach makes CSP radically easier to deploy and, at the same time, unleashes its full potential as an XSS mitigation mechanism.
In our academic paper (CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, ACM CCS, 2016), we demonstrated, using automatic checks, that 94.72% of all real-world policies can be trivially bypassed by an attacker with an XSS bug. Furthermore, we found that 75.81% of all policies are bypassable due to whitelists.
Thanks to the new ‘strict-dynamic’ approach, we were finally able to deploy an effective policy to many important Google products, such as GMail, Photos, and others. In this presentation we would like to share our experience, show examples, best practices and common pitfalls.
Finally, we share how we are addressing the recent bypasses of nonce-based policies, such as nonce exfiltration/reuse techniques and dangling markup attacks.
Michele Spagnuolo
Lukas Weichselbaum