Google Content Security Policy Validator Will Help Developers Get CSP Right

A study from Google found that Content Security Policy is deployed so poorly on the vast majority of sites that use it that it offers no real protection there. The problem is not the functionality CSP makes available, but the particular policies developers and site owners choose: most are configured so loosely that the sites might as well not have bothered with CSP at all.

To help developers write sounder policies, Google has introduced a new tool, the CSP Evaluator, which flags badly configured policies and helps developers understand the effect a configuration change will have. It's a simple tool, and hopefully it will help developers get CSP right.

Content Security Policy is, among other things, intended to protect websites against cross-site scripting (XSS) attacks.

To take a pertinent example: a serious cross-site scripting vulnerability was recently discovered in the extremely popular W3 Total Cache WordPress plugin. The plugin adds a support form to the WordPress admin area, and the form's fields can be pre-filled from URL parameters. Data supplied that way is written into the page without being escaped, so an attacker can put markup or script into a parameter, have it rendered on the page, and therefore have it executed in the browser (a reflected XSS). If an attacker can get a user with admin privileges to click a crafted link, it's game over for that site.
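The pattern described above, as an added example written for this article rather than code taken from W3 Total Cache: a support form whose fields are pre-filled from the request URL, rendered once without escaping and once with it. The field names, the admin URL, and the attack payload are constructed for illustration; a quote-counting check shows whether the reflected value managed to break out of its attribute.

```javascript
// Added example (not code from W3 Total Cache or the original article): a
// support form that reflects URL parameters into input attributes, shown in
// a vulnerable and a fixed version. Field names, URL and payload are constructed.

// Escape the five characters that matter inside HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull the fields the form pre-fills from the request URL (hypothetical names).
function fieldsFromUrl(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return { email: params.get('email') || '', subject: params.get('subject') || '' };
}

// Vulnerable: the parameter lands inside the value attribute unescaped.
function renderSupportFormVulnerable(fields) {
  return `<form method="post">
<input type="email" name="email" value="${fields.email}">
<input type="text" name="subject" value="${fields.subject}">
</form>`;
}

// Fixed: every untrusted value is escaped before it is inserted.
function renderSupportFormFixed(fields) {
  return `<form method="post">
<input type="email" name="email" value="${escapeHtml(fields.email)}">
<input type="text" name="subject" value="${escapeHtml(fields.subject)}">
</form>`;
}

// Crude breakout check: the template has a fixed number of attribute quotes,
// so any extra raw double quote means the input escaped its attribute.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

function breaksOutOfAttribute(render, fields) {
  const empty = { email: '', subject: '' };
  return countQuotes(render(fields)) !== countQuotes(render(empty));
}

// Constructed attack link: the payload closes the value attribute and adds an
// event handler, which is inline JavaScript that runs when the field gets focus.
const attackLink =
  'https://example.test/wp-admin/admin.php?page=support&email=' +
  encodeURIComponent('" autofocus onfocus="alert(document.cookie)');

// Render both versions for the constructed link.
const demoFields = fieldsFromUrl(attackLink);
console.log(renderSupportFormVulnerable(demoFields));
console.log(renderSupportFormFixed(demoFields));
```

In the vulnerable output the `onfocus` handler becomes a real attribute; in the fixed output it is inert text inside the `value` attribute. Escaping is the actual fix for the plugin; the next section covers what CSP adds on top for the cases where a developer misses one.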

Until the developer fixes the vulnerability and the more than a million sites running the plugin update, a large part of the web is exposed to an attack that anyone with a modicum of JavaScript ability can carry out.

This is exactly the sort of attack CSP is intended to prevent. A policy that restricts script-src (or default-src) blocks inline JavaScript, including inline event handlers, unless the policy explicitly re-enables it with 'unsafe-inline'. So even if an attacker can get unescaped JavaScript onto a page, CSP will stop it from running. Unfortunately, hundreds of thousands of the sites running CSP add 'unsafe-inline' and switch that protection off. Even though they use CSP, they're vulnerable.

It's speculated that many developers deliberately loosen CSP because they don't want to refactor their web pages to remove inline JavaScript. Hopefully, Google's CSP Evaluator will at least make conscientious developers aware of the risk of allowing inline JavaScript.

Of course, that assumes they know the CSP Evaluator exists and don't ignore what it tells them. Millions of websites and users are put at risk by cross-site scripting attacks. Given the fallibility of developers (and people generally), it's unlikely that XSS will be eradicated, which is why CSP is an essential security tool for the modern web. Developers have a responsibility to understand how to use it and the consequences of using it incorrectly.
