Publication

Toward secure content security policy deployment

Ren, Mengxia
Date Issued
2024
Embargo Expires
2025-11-26
Abstract
Content Security Policy (CSP) is a standardized and widely adopted technique for protecting webpages against attacks such as Cross-Site Scripting (XSS). Supported by all major web browsers, CSP lets web application developers define comprehensively which resources (e.g., scripts) and behaviors (e.g., form submissions) are permitted on each webpage. A CSP is composed of a set of directives, and each directive typically consists of a directive name followed by a set of directive values. To protect a webpage effectively, a CSP must be designed carefully around the resources and behaviors actually present on that webpage. In practice, however, CSPs are hard to deploy properly, and deployed CSPs often contain security issues or errors. Helping developers deploy CSPs properly on their websites is therefore important for improving web security. This dissertation concentrates on promoting the proper deployment of CSPs by investigating the protection capability of deployed CSPs, analyzing CSP deployment issues, and exploring the feasibility of adopting secure CSP solutions on websites. We first investigated the security levels of deployed CSPs from the perspectives of directive coverage and secure use, using an unsupervised clustering approach that automatically categorizes highly diverse and complex CSPs. Next, we conducted a measurement study of CSP deployment issues related to third-party scripts (i.e., JavaScript code or script files) across different websites. We analyzed the usage of third-party scripts on websites based on the CSP violations collected when resources used by those websites were accessed under a CSP we inserted. Furthermore, we evaluated the feasibility of adopting Google's secure CSP approach on websites, based on the CSP violations triggered under the four CSPs of that approach which we inserted.
A large-scale web measurement usually relies on a crawler. We also studied two browser-based crawler implementation approaches for the Google Chrome browser and built WebMea, a baseline Google Chrome extension that can measure multiple types of web data.
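The abstract above describes two analyses without showing their mechanics: auditing a deployed CSP's script-related directives for "secure use", and mining collected CSP violation reports for third-party script hosts. The following JavaScript is an added illustration written for this page, not code from the dissertation or from WebMea. The audit rules, the sample policies and the sample violation reports are my own constructions; the strict-CSP template at the bottom follows the nonce plus 'strict-dynamic' shape from Google's published strict CSP guidance, with a placeholder nonce.

```javascript
'use strict';
// Added example (not code from the dissertation or from WebMea): parse a
// Content-Security-Policy header into directives, audit the script-related
// directives for the insecure patterns a "secure use" review looks for, and
// extract third-party script hosts from collected CSP violation reports.
// The policies and reports below are constructed for illustration.

// Parse "name v1 v2; name v3" into Map<name, [values]>. Browsers honour the
// first occurrence of a directive name and ignore later duplicates.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs scripts: script-src, else the default-src fallback.
function scriptSources(policy) {
  return policy.get('script-src') ?? policy.get('default-src') ?? null;
}

// Secure-use audit. Returns a list of findings; an empty list means the
// script, object and base-uri directives look sound.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const src = scriptSources(policy);
  if (src === null) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    const lower = src.map((v) => v.toLowerCase());
    // A nonce or hash makes 'unsafe-inline' a no-op in CSP Level 2+ browsers.
    const hasNonceOrHash = lower.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (lower.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval'");
    }
    // Bare or scheme-only wildcards let any matching URL run as script.
    // With 'strict-dynamic' present, host and scheme sources are ignored anyway.
    if (!lower.includes("'strict-dynamic'")) {
      const broad = lower.filter((v) => v === '*' || /^(https?|data):$/.test(v));
      if (broad.length > 0) findings.push(`script-src allows broad source(s): ${broad.join(' ')}`);
    }
  }
  if (!policy.has('object-src') && !policy.has('default-src')) {
    findings.push('object-src is unrestricted: plugin content can be loaded');
  }
  if (!policy.has('base-uri')) {
    findings.push('base-uri is unrestricted: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Strict-CSP shape from Google's published guidance (nonce + 'strict-dynamic',
// object-src and base-uri locked down). The nonce here is a placeholder; a real
// deployment generates a fresh random value for every response.
const STRICT_CSP_TEMPLATE =
  "script-src 'nonce-REPLACE_PER_RESPONSE' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

// From report-uri / report-to style violation reports, collect the distinct
// hosts of blocked scripts that are not the site itself or one of its subdomains.
function thirdPartyScriptHosts(reports, siteHost) {
  const hosts = new Set();
  for (const report of reports) {
    const body = report['csp-report'] ?? report; // report-uri wraps the body, report-to does not
    const directive = String(body['effective-directive'] ?? body['violated-directive'] ?? '').split(' ')[0];
    if (directive !== 'script-src' && directive !== 'script-src-elem') continue;
    let host;
    try {
      host = new URL(body['blocked-uri']).hostname;
    } catch {
      continue; // 'inline', 'eval' and 'data' are not URLs
    }
    if (host === siteHost || host.endsWith('.' + siteHost)) continue;
    hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample reports, in the shape a browser POSTs to a report-uri endpoint.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': "script-src 'self'", 'blocked-uri': 'https://cdn.analytics-vendor.test/tag.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src', 'blocked-uri': 'https://static.shop.example/app.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src', 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://ads.vendor.test/ads.js' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'img-src', 'blocked-uri': 'https://img.vendor.test/p.png' } },
  { 'csp-report': { 'document-uri': 'https://shop.example/', 'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.analytics-vendor.test/other.js' } },
];

// Constructed weak policy: an allowlist with 'unsafe-inline' and a bare wildcard.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.analytics-vendor.test *";

console.log(auditCsp(WEAK_CSP));
console.log(auditCsp(STRICT_CSP_TEMPLATE));
console.log(thirdPartyScriptHosts(SAMPLE_REPORTS, 'shop.example'));
```

The audit deliberately treats 'unsafe-inline' as harmless when a nonce or hash is also present, because CSP Level 2 browsers ignore it in that case, and it skips the wildcard check under 'strict-dynamic' for the same reason; a naive token match would flag the strict-CSP template's own compatibility fallbacks as insecure. The report miner keys on the first token of violated-directive because older browsers put the whole directive text there, and it discards blocked-uri values such as "inline" that are not URLs.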
Rights
Copyright of the original work is retained by the author.