A study from Google showed that Content Security Policy is being implemented so poorly as to make it worthless on the vast majority of sites where it is used. The problem is not with the functionality CSP makes available, but with the particular policies chosen by developers and site owners. Most are configuring CSP so badly that they might as well not have bothered with it at all.
To help developers implement smarter CSP policies, Google has introduced a new tool – the CSP Evaluator – which detects badly configured policies and helps developers understand the effect that configuration changes may have. It’s a simple tool, and hopefully it’ll help developers get CSP right.
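Policies of the kind the evaluator flags, shown here as an added example that is not the CSP Evaluator's own code: a small Python linter that parses a Content-Security-Policy header value and reports the weaknesses that leave a page open to script injection. The two sample headers are constructed for the demonstration; the checks follow the standard CSP fallback rules (script-src and object-src fall back to default-src, base-uri does not), and a nonce or hash together with 'strict-dynamic' is treated as the pattern that makes 'unsafe-inline' and host allowlists irrelevant in supporting browsers.

```python
"""Minimal CSP policy linter (illustrative example, not Google's CSP Evaluator).

Parses a Content-Security-Policy header into directives and flags the
configuration mistakes that make a policy ineffective against XSS.
"""
from typing import Dict, List, Optional

# Constructed sample headers for the demonstration.
WEAK_POLICY = "default-src 'self' *; script-src 'self' 'unsafe-inline' https:"
STRONG_POLICY = (
    "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'"
)

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Source expressions that let any script from a whole scheme or host set load.
BROAD_SOURCES = ("*", "https:", "http:", "data:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive; if a directive is repeated,
    browsers keep the first occurrence and ignore the rest, so we do too.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def evaluate_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means no known weakness."""
    policy = parse_csp(header)
    findings: List[str] = []

    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script: Optional[List[str]] = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in script)
        # 'unsafe-inline' is ignored by browsers once a nonce or hash is present,
        # so it only matters when it is the sole way inline scripts are allowed.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append(
                "script-src allows 'unsafe-inline' without a nonce or hash: "
                "injected inline scripts will execute"
            )
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval': string-to-code sinks are open")
        # With 'strict-dynamic', host and scheme allowlists are ignored, so
        # only report them when they are actually in effect.
        if "'strict-dynamic'" not in script:
            for source in script:
                if source in BROAD_SOURCES:
                    findings.append(
                        f"script-src allows {source}: any script from that scheme/host can load"
                    )

    # object-src falls back to default-src; anything other than 'none' lets
    # plugin content (which can run script) be embedded.
    obj = policy.get("object-src", policy.get("default-src"))
    if obj != ["'none'"]:
        findings.append("object-src is not restricted to 'none'")

    # base-uri does not fall back to default-src; without it an injected
    # <base> tag can redirect relative script URLs to an attacker's host.
    if "base-uri" not in policy:
        findings.append("base-uri is missing: relative script URLs can be rebased")

    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"[{label}] {header}")
        for finding in evaluate_csp(header) or ["no findings"]:
            print("  -", finding)
```

The "strong" header deliberately keeps `https:` and `'unsafe-inline'` alongside the nonce and `'strict-dynamic'`: browsers that understand nonces ignore `'unsafe-inline'`, and those that understand `'strict-dynamic'` ignore the host allowlist, so the extra entries only serve older browsers without weakening the policy in current ones.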
Content Security Policy is, among other things, intended to protect websites against cross-site scripting attacks.
To take a pertinent example: a serious cross-site scripting vulnerability was recently discovered in the extremely popular W3 Total Cache WordPress plugin. The plugin adds a support form to the WordPress admin area, and the form's fields can be pre-filled via URL parameters. Data supplied through a URL parameter is displayed without being escaped, so an attacker can insert script into a parameter, have it rendered into the page, and therefore have it executed in the browser. If an attacker can persuade a user with admin privileges to click on a crafted link, it's game over for that site.
Of course, that assumes developers know that the CSP Evaluator exists and don't ignore what it tells them. Millions of websites and users are put at risk by cross-site scripting attacks. Given the fallibility of developers (and of people generally), it's unlikely that XSS attacks will be eradicated. CSP is an essential security tool for the modern web. Developers have a responsibility to understand how to use it, and the potential consequences of using it incorrectly.