Coverage and Secure Use Analysis of Content Security Policies via Clustering.

Mengxia Ren, Chuan Yue

EuroS&P (2023)

Abstract
Content Security Policy (CSP) is a standardized leading technique for protecting webpages against attacks such as Cross Site Scripting (XSS). However, it is often hard to properly deploy CSPs on webpages, and the deployed CSPs often contain security issues or errors. In this paper, we take the unsupervised clustering approach to analyze the security levels of the deployed CSPs from the directive coverage and secure use perspectives. To effectively protect a webpage, a deployed CSP should cover all types of resources needed on the webpage by using different directive names (or some default directive names if available), and should avoid using unsafe directive values which will allow harmful resources to be loaded into a webpage. We implemented a Google Chrome extension, designed policy features, designed a Contrastive Spectral Clustering (CSC) algorithm, and visited the Alexa top 100K websites to analyze the CSPs deployed on them. From the 13,317 homepages that deployed CSPs under the enforcement mode, we categorized their policies into 16 clusters with different characteristics. We found that 15 clusters are at the low level on the coverage and five clusters are at the low level on the secure use of directives; meanwhile, no cluster is at the high level on the coverage of directives, and nine clusters are at the high level on the secure use of directives. These results indicate that most deployed CSPs do not sufficiently protect webpages, and more importantly, clustering helps identify the corresponding common or different reasons from the directive coverage and secure use perspectives. In addition, by analyzing 110,718 subpages of the 13,317 CSP-deployed homepages, we found that most of them deployed the same CSP as in their homepages. Overall, our approach and results can be helpful for promoting the proper deployment of CSPs.
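As an added illustration (not code from the paper or its Chrome extension), the following Python scores a single CSP header on the two axes the abstract describes: directive coverage (each fetch directive set explicitly or covered by default-src) and secure use (no unsafe directive values). The directive subset and the set of values treated as unsafe are this example's own assumptions, not the paper's feature definitions.

```python
import re
from typing import Dict, List, Tuple

# Fetch directives that fall back to default-src when absent (CSP spec).
# Assumption: this subset stands in for "all resource types" in the abstract.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}
# Assumed "unsafe" values: each lets the page load or run resources the
# policy cannot vouch for.
UNSAFE_VALUES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}
# A nonce or hash source in the same directive disables 'unsafe-inline'.
SOURCE_GUARD = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'name v1 v2; name v3' into {name: [values]}.

    Directive names are case-insensitive; when a name repeats, the spec
    keeps the first occurrence and ignores the later ones.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def coverage(policy: Dict[str, List[str]]) -> float:
    """Share of fetch directives set explicitly or covered by default-src."""
    if "default-src" in policy:
        return 1.0
    return sum(1 for d in FETCH_DIRECTIVES if d in policy) / len(FETCH_DIRECTIVES)


def unsafe_uses(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(directive, value) pairs that weaken the policy, sorted for stable output."""
    findings = []
    for name, values in policy.items():
        guarded = any(SOURCE_GUARD.match(v) for v in values)
        for v in values:
            if v.lower() == "'unsafe-inline'" and guarded:
                continue  # ignored by CSP Level 2+ browsers, so not a weakness
            if v.lower() in UNSAFE_VALUES:
                findings.append((name, v))
    return sorted(findings)


def assess(header: str) -> Dict[str, object]:
    """Summarize one header on the two axes the paper clusters policies by."""
    policy = parse_csp(header)
    return {"coverage": coverage(policy), "unsafe": unsafe_uses(policy)}
```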
Keywords
Alexa top 100K websites, content security policies, contrastive spectral clustering algorithm, cross site scripting, CSP-deployed homepages, default directive names, deployed CSP, designed policy features, different directive names, directive coverage, enforcement mode, Google Chrome extension, secure use analysis, security issues, security levels, unsafe directive values, unsupervised clustering approach