On the Content Security Policy Violations due to the Same-Origin Policy

Dolière Francis Some, Nataliia Bielova, Tamara Rezk
2017 Proceedings of the 26th International Conference on World Wide Web - WWW '17  
Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled
more » ... ages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers CSP implementation. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.
doi:10.1145/3038912.3052634 dblp:conf/www/SomeBR17 fatcat:ofne4sltgrhcjgbwcqpeplmhla