CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites

Content security policy (CSP) which has been standardized by W3C and adopted by all major commercial browsers-is one of the most promising approaches for defending against cross-site scripting (XSS) attacks. Although client-side adoption of CSP is successful, server-side adoption is far behind the client side: according to a large-scale survey, less than 0.002% of Alexa Top 1M websites enabled CSP. To facilitate the adoption of CSP, we propose CSPAutoGen to enable CSP in real-time, without server modifications, and being compatible with real-world websites. Specifically, CSPAutoGen trains so-called templates for each domain, generates CSPs based on the templates, rewrites incoming webpages on the fly to apply those generated CSPs, and then serves those rewritten webpages to client browsers. CSPAutoGen is designed to automatically enforce the most secure and strict version of CSP without enabling "unsafe-inline" and "unsafe-eval", i.e., CSPAutoGen can handle all the inline and dynamic scripts. We have implemented a prototype of CSPAutoGen, and our evaluation shows that CSPAutoGen can correctly render all the Alexa Top 50 websites. Moreover, we conduct extensive case studies on five popular websites, indicating that CSPAutoGen can preserve the behind-the-login functionalities, such as sending emails and posting comments. Our security analysis shows that CSPAutoGen is able to defend against all the tested real-world XSS attacks.