FlexCSP - Putting Content Security Policy to work for Practical Web Applications
Cross-site scripting (XSS) vulnerabilities are among the most prevailing problems on the web. Among the practically deployed countermeasures is the "last line of defense" Content Security Policy (CSP) to mitigate the effects of XSS attacks by browser-enforced restrictions on cross-domain communications. Although pioneered in deployment by major players such as Google, Facebook, and Tweeter, the adoption of CSP has been frustratingly slow, with several roadblocks related to CSP's rigidness. To fulfill the promise of CSP, we propose FlexCSP, an approach to make CSP more flexible and thus more practical for deployment in practical web applications. We will achieve this by exploring the trade-off between performance and security, investigating possibilities of fine-grained CSP, and CSP for sandboxing.
Andrei Sabelfeld (kontakt)
Professor vid Chalmers, Data- och informationsteknik, Informationssäkerhet
Google Ireland Ltd
Finansierar Chalmers deltagande under 2016
Relaterade styrkeområden och infrastruktur
Informations- och kommunikationsteknik