Abstract:
Content Security Policy (CSP) is an HTTP(S) response header that developers can use to harden the security of their web applications. It specifies a set of rules that govern the inclusion of resources in a web application [15]. This helps to reduce, or even eliminate, the impact of attacks like Cross-Site Scripting (XSS) by restricting which scripts may be loaded or executed [14]. Other attacks like Clickjacking and Man-in-the-Middle (MitM) attacks can be mitigated, too [14, 22].
However, as Roth et al. have shown, controlling script execution is often perceived as too complex, which leads developers to ignore CSP completely [14]. This results in low adoption of CSP in general [14]. Roth et al. also show that the old, deprecated X-Frame-Options (XFO) header, despite being a security risk, is still more popular than CSP’s newer equivalent [14].
Roth et al. ended their study at the end of 2018 [14]. We construct a dataset similar to that of Roth et al., starting in July 2020 and ending in September 2022, and analyze how the adoption of CSP and of its individual use cases has changed over the past two years. Furthermore, we define levels of security for a CSP against XSS and analyze the effectiveness of deployed CSPs based on them. Our results show that while the general adoption of CSP and the adoption of all use cases are increasing, most CSPs are ineffective against XSS. Roth et al. also show that features like 'strict-dynamic', which were added to ease the adoption of a secure CSP, are often ignored [14]. We observe a similar situation, and it is this neglect that leaves most CSPs ineffective against XSS.
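To make the idea of "levels of security against XSS" concrete, the following added example (our own code, not the paper's and not its classification scheme) parses a CSP header and rates how it constrains script execution. The level names and the sample headers are constructed for illustration; the fallback from `script-src` to `default-src` and the way a nonce or hash neutralizes `'unsafe-inline'` follow the CSP specification.

```python
import re

# Quoted keywords are case-insensitive; nonce and hash values keep their case.
_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/_=-]+'$")
# Source expressions that let an attacker load a script from an origin they control.
_ANY_ORIGIN = {"*", "http:", "https:", "data:"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.
    If a directive is repeated, the spec keeps the first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: dict):
    """script-src governs script execution and falls back to default-src;
    with neither present, scripts are not restricted at all (returns None)."""
    return policy.get("script-src", policy.get("default-src"))


def classify_script_policy(header: str) -> str:
    """Rate how a CSP constrains script execution. The labels are our own
    (constructed, not the paper's): none < unsafe < host-allowlist <
    nonce-or-hash < strict-dynamic, plus no-scripts for a policy that
    blocks every script."""
    srcs = script_sources(parse_csp(header))
    if srcs is None:
        return "none"
    if not srcs or srcs == ["'none'"]:
        return "no-scripts"
    keywords = {s.lower() for s in srcs if s.startswith("'")}
    has_nonce_or_hash = any(_NONCE_OR_HASH.match(s) for s in srcs)
    if "'strict-dynamic'" in keywords:
        # Browsers then ignore host sources, 'self' and 'unsafe-inline';
        # only nonced/hashed scripts (and what they load) may run.
        return "strict-dynamic"
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        return "unsafe"  # any injected inline <script> executes
    if any(s.lower() in _ANY_ORIGIN for s in srcs):
        return "unsafe"  # external scripts may be loaded from anywhere
    if has_nonce_or_hash:
        # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
        return "nonce-or-hash"
    return "host-allowlist"  # only as safe as the scripts the listed hosts serve
```

Run over a crawl, a classifier like this turns raw headers into the per-level counts that an adoption study compares across years.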