Injecting CSP for Fun and Security

Christoph Kerschbaumer; Sid Stamm; Stefan Brunthaler

Research.Publish.Connect.

*Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Country:
Subject:

Advanced Search Affiliations Search

If you're looking for an exact phrase use quotation marks on text fields.

Proceedings

Proceedings Search *Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

Papers

Papers Search *Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

Authors

Authors Search *Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

Advanced Search

Paper

Injecting CSP for Fun and Security

Topics: Security Awareness and Education; Security Frameworks, Architectures and Protocols; Security Professionalism and Practice; Threat Awareness; Web Applications and Services

In Proceedings of the 2nd International Conference on Information Systems Security and Privacy ICISSP - Volume 1, 15-25, 2016 , Rome, Italy

Authors: Christoph Kerschbaumer ¹ ; Sid Stamm ² and Stefan Brunthaler ³

Affiliations: ¹ Mozilla Corporation, United States ; ² Rose-Hulman Institute of Technology, United States ; ³ SBA Research, Austria

Keyword(s): Web Browser Security, Content-Security-Policy (CSP), Cross Site Scripting (XSS).

Abstract: Content Security Policy (CSP) defends against Cross Site Scripting (XSS) by restricting execution of JavaScript to a set of trusted sources listed in the CSP header. A high percentage (90%) of sites among the Alexa top 1,000 that deploy CSP use the keyword unsafe-inline, which permits all inline scripts to run—including attacker–injected scripts—making CSP ineffective against XSS attacks. We present a system that constructs a CSP policy for web sites by whitelisting only expected content scripts on a site. When deployed, this auto-generated CSP policy can effectively protect a site’s visitors from XSS attacks by blocking injected (non-whitelisted) scripts from being executed. While by no means perfect, our system can provide significantly improved resistance to XSS for sites not yet using CSP.

CC BY-NC-ND 4.0

Guest: Register as new SciTePress user now for free.

SciTePress user: please login.

My Papers

You are not signed in, therefore limits apply to your IP address 18.119.141.115

In the current month:

Recent papers: 100 available of 100 total

2⁺ years older papers: 200 available of 200 total

Paper citation in several formats:

Kerschbaumer, C.; Stamm, S. and Brunthaler, S. (2016). Injecting CSP for Fun and Security. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP; ISBN 978-989-758-167-0; ISSN 2184-4356, SciTePress, pages 15-25. DOI: 10.5220/0005650100150025

@conference{icissp16,
author={Christoph Kerschbaumer. and Sid Stamm. and Stefan Brunthaler.},
title={Injecting CSP for Fun and Security},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP},
year={2016},
pages={15-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005650100150025},
isbn={978-989-758-167-0},
issn={2184-4356},
}

TY - CONF

JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - ICISSP
TI - Injecting CSP for Fun and Security
SN - 978-989-758-167-0
IS - 2184-4356
AU - Kerschbaumer, C.
AU - Stamm, S.
AU - Brunthaler, S.
PY - 2016
SP - 15
EP - 25
DO - 10.5220/0005650100150025
PB - SciTePress