The Content Security Policy (CSP) is a powerful mechanism to prevent Cross Site Scripting (XSS) attacks which accounts for 84% of all security vulnerabilities in web sites. So you would think that such a magic bullet would be widely deployed and promoted.
Think again: CSP is implemented on less than 0.5% of web sites. Further, of those implementing sites, less than 3% are using CSP in the recommended manner that effectively mitigates Cross Site Scripting attacks. In fact, out of 21,823 sites surveyed, less than 0.02% of sites are effectively using CSP.
These are the results of a CSP survey to determine the level of CSP adoption in public web sites.
The CSP promise is to prevent Cross Site Scripting vulnerabilities by defining a set of approved sources from which a client browser can load content. This enables the browser to block the integration of unauthorized content. One of the browser’s primary defense mechanisms is the same origin policy, which stipulates that a web page may only download content (scripts, fonts, stylesheets, …) from the same origin as the enclosing web page. This creates a sand-box which isolates the web content and differentiates between valid authorized content and everything else. However, Cross Site Scripting bypasses this same origin policy by injecting malicious code into the original content. Unfortunately, it is all to easy for hackers to do.
The Content Security Policy remedies this vulnerability by defining a white list of of approved URLs from which to download content. This is implemented via a HTTP Content-Security-Policy header that the application emits in the web response with the original web page. The browser examines this while list and blocks accesses to all sites not on the white list.
To test the deployment of Content Security Policy by web sites, we sampled 21,823 different domains to measure the use of CSP. We measured the number of sites using CSP and how they were using it.
Of 21,823 sites surveyed, only 107 web sites, and only 53 domains were using a Content Security Policy header. This is less than 0.5% of surveyed web sites.
The effectiveness of CSP for a site is determined by the scope of the CSP header white list. The CSP standard permits the use of a bypass to permit inline and dynamic content. This is done via the unsafe-eval and unsafe-inline directives. If these are present in the CSP header, scripts from the designated sites may use inline styles and the eval() function. Use of these directives is strongly discouraged as it defeats one of the primary aims of CSP hardening.
Of the 21,823 sites surveyed, 107 web sites used CSP. Of these, 85 used the unsafe directives. Only 21 hosts had effective and recommended CSP directives.
This is not to say that CSP with unsafe directives is useless, but its efficacy is greatly reduced.
Web sites should actively move to use CSP to address the Cross Site Scripting threat. It is well supported in all modern browsers and works effectively when implemented correctly. Sites should avoid using unsafe CSP directives to get the full benefit of CSP.
Note that there are issues in relying on 3rd party code from social media sites like Faceboot, Google and Twitter. For more information, please read Content Security Policy - The Reality.