CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, by Google Research
Jared Sperli stashed this in security
Geez, from studying 100 billion pages from 1 billion domain names:
14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints; as a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68% of policies that attempt to limit script execution are ineffective, and that 99.34% of hosts with CSP use policies that offer no benefit against XSS.
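As an added example (not code from the paper or from this stash), here is a small Python checker that applies the distinction the abstract draws: whether a policy's script-src rests on a host whitelist, which the paper found bypassable through unsafe endpoints on the whitelisted hosts, or on nonces/hashes with 'strict-dynamic'. The sample policies in the test are constructed, and the nonce/hash pattern is a simplified assumption rather than the full CSP grammar.

```python
import re

# Nonce and hash source expressions (simplified form of the CSP level 2 grammar).
NONCE_OR_HASH = re.compile(r"^'(?:nonce-[\w+/=-]+|sha(?:256|384|512)-[\w+/=]+)'$", re.I)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source tokens]}.
    Per spec a repeated directive is ignored, so the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def assess_script_policy(header: str) -> list:
    """Return findings that make the policy ineffective against XSS.
    An empty list means script execution is governed by nonces/hashes
    (plus 'strict-dynamic') rather than by a host whitelist."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["neither script-src nor default-src is set: scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    findings = []
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it only weakens a policy that has neither.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' lets injected strings reach eval()/Function()")
    if "'strict-dynamic'" not in lowered:
        # Without 'strict-dynamic' the host list decides what loads, and the
        # paper's finding is that whitelisted hosts usually expose JSONP or
        # AngularJS endpoints that turn the whitelist into a bypass.
        hosts = [s for s in lowered if not s.startswith("'")]
        if any(h in ("*", "http:", "https:", "data:") for h in hosts):
            findings.append("wildcard, scheme-only or data: source allows attacker-supplied scripts")
        elif hosts:
            findings.append("host whitelist %s: an unsafe endpoint on any listed host bypasses the policy"
                            % " ".join(hosts))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src unrestricted: plugin content can execute script")
    return findings
```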
That looks like fun but on the other hand it seems kinda heavy to carry around.
It's actually a solution to both security and obesity.
Multitasking! :)
10:42 PM Sep 01 2016