On the Content Security Policy Violations due to the Same-Origin Policy
Dolière Francis Somé, Nataliia Bielova, Tamara Rezk

TL;DR
This paper investigates how Content Security Policy (CSP) can be violated due to interactions with the Same Origin Policy (SOP), revealing significant vulnerabilities in current browser implementations and proposing measures to prevent such violations.
Contribution
It provides the first large-scale analysis of CSP violations caused by SOP interactions, highlighting implementation discrepancies and suggesting mitigation strategies.
Findings
31.1% of CSP-enabled pages are potentially vulnerable to violations
23.5% of pages can experience CSP violations in nested browsing contexts
Identified divergence in browser enforcement of CSP in srcdoc sandboxed iframes
Abstract
Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browser implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals…
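One defender-side check that follows from the abstract, as an added example that is not the paper's own code or tooling: compare a page's CSP with the CSP served to each same-origin iframe it embeds, and flag frames whose policy is absent or permits more than the parent's, since under the SOP such a frame shares the parent's DOM and so undermines the parent's CSP. The URLs and header values below are constructed samples, and the directive comparison is a token-level simplification.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Parse a CSP header string into {directive: set of source expressions}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy

def same_origin(url_a, url_b):
    """SOP origin tuple: scheme, host and port must all match."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def audit_nested_csp(page_url, page_csp, frames, directives=("script-src", "object-src")):
    """Return (frame_url, directive) pairs where a same-origin frame is weaker
    than its parent. frames is a list of (url, csp_header_or_None)."""
    parent = parse_csp(page_csp)
    findings = []
    for frame_url, frame_csp in frames:
        # Cross-origin frames cannot reach the parent DOM under the SOP, so
        # only same-origin frames are the nested case the paper describes.
        if not same_origin(page_url, frame_url):
            continue
        frame = parse_csp(frame_csp) if frame_csp else {}
        for d in directives:
            allowed_parent = effective_sources(parent, d)
            if allowed_parent is None:
                continue  # parent does not restrict this directive either
            allowed_frame = effective_sources(frame, d)
            # Simplified token comparison: a frame that lacks the directive or
            # allows a source the parent does not is considered weaker.
            if allowed_frame is None or not allowed_frame <= allowed_parent:
                findings.append((frame_url, d))
    return findings

# Constructed sample: a CSP-protected page embedding three iframes.
PAGE_URL = "https://example.com/"
PAGE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
FRAMES = [
    ("https://example.com/widget", None),   # same origin, served without any CSP
    ("https://example.com/login", "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"),
    ("https://other.example.org/ad", None),  # cross-origin: isolated by the SOP
]

if __name__ == "__main__":
    for url, directive in audit_nested_csp(PAGE_URL, PAGE_CSP, FRAMES):
        print(f"weaker {directive} in same-origin frame {url}")
```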
