Automating Content Security Policy Generation

Open Access
Verdol, Jil
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
April 25, 2011
Committee Members:
  • Patrick Drew McDaniel, Thesis Advisor
Keywords:
  • web applications
  • web security
  • security policy
  • generation
Abstract:
Web applications lack control over the environment in which they execute. This lack of control leaves applications open to attacks such as Cross-Site Scripting, data leaks and content injection. Content Security Policy (CSP) was proposed and implemented as a way for applications to specify restrictions on how clients use content. However, elaborating and maintaining a security policy can be a slow and error-prone process, especially for large websites. In this paper we propose a system to automate the policy generation process, and study its performance with an analysis of websites. The generated CSPs restrict the client-server information flows of an application, using validated historical data. We reach a 0.81% miss rate, with an average of 7 directives for a given website. We also consider the case where a third party maintains a security policy for a website that does not yet provide its own.