Nov 9, 2016

On the Content Security Policy Violations due to the Same-Origin Policy

arXiv:1611.02875v2, 27 citations

The paper addresses security vulnerabilities relevant to web developers and users, but the advance is incremental, since it focuses on a specific conflict between two existing browser policies.

The paper tackles the problem of Content Security Policy (CSP) violations caused by the Same-Origin Policy (SOP) in web browsers, finding that at least 31.1% of CSP-enabled pages are potentially vulnerable and 23.5% of cases allow violations in same-origin nested contexts.

Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Origin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that at least 31.1% of current CSP-enabled pages are potentially vulnerable to CSP violations. Further considering real-world situations where those pages are involved in same-origin nested browsing contexts, we found that in at least 23.5% of the cases, CSP violations are possible. During our study, we also identified a divergence among browser implementations in the enforcement of CSP in srcdoc sandboxed iframes, which actually reveals a problem in Gecko-based browsers' CSP implementation. To ameliorate the problematic conflicts between these security mechanisms, we discuss measures to avoid CSP violations.
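The abstract describes the core conflict: the SOP lets a same-origin iframe and its parent script each other's documents, so a framed page with a weaker (or absent) CSP can act on a parent page that carries a stricter one. The checker below is an added example, not code from the paper or its authors. It parses CSP header values, derives the effective script policy of the top-level document and of each same-origin frame, and reports frames whose policy is weaker than the parent's. It also skips frames whose `sandbox` attribute lacks `allow-same-origin`, because such frames get an opaque origin and are no longer same-origin under the SOP. The header values, frame paths and the `Frame` record are constructed for the example; the checker ignores `'strict-dynamic'` and host-source comparisons, looking only at whether scripts are unrestricted or inline script is permitted.

```python
"""Flag same-origin iframes whose CSP is weaker than the parent page's CSP.

Added example, not part of the paper: all header values and frame paths
below are constructed. The check focuses on script execution, since that is
what an attacker needs in the weaker frame to reach the stricter parent
document through the Same-Origin Policy.
"""
from __future__ import annotations

from dataclasses import dataclass

SCRIPT_DIRECTIVE = "script-src"
FALLBACK_DIRECTIVE = "default-src"
NONCE_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}.

    Directives are ';'-separated; each is a name followed by whitespace-
    separated source expressions. Names are case-insensitive, and the first
    occurrence of a directive wins, as browsers ignore later duplicates.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Sources governing script execution, or None if scripts are unrestricted.

    script-src takes precedence; default-src is the fallback. A policy with
    neither directive imposes no restriction on scripts at all.
    """
    if SCRIPT_DIRECTIVE in policy:
        return policy[SCRIPT_DIRECTIVE]
    if FALLBACK_DIRECTIVE in policy:
        return policy[FALLBACK_DIRECTIVE]
    return None


def allows_inline_script(sources: list[str] | None) -> bool:
    """True if inline scripts may run under the given sources.

    A nonce or hash source disables 'unsafe-inline' in CSP level 2 and later,
    so 'unsafe-inline' only counts when no nonce or hash is present.
    """
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_HASH_PREFIXES) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


@dataclass
class Frame:
    """A same-origin iframe found in the parent document (constructed record)."""
    src: str
    csp: str | None              # CSP header of the framed document, if any
    sandbox: str | None = None   # value of the iframe's sandbox attribute, if any


def frame_keeps_parent_origin(frame: Frame) -> bool:
    """A sandboxed frame without allow-same-origin receives an opaque origin,
    so the SOP no longer lets it script the parent document."""
    if frame.sandbox is None:
        return True
    return "allow-same-origin" in frame.sandbox.split()


def find_weaker_frames(parent_csp: str, frames: list[Frame]) -> list[str]:
    """Return one finding per frame that could be used to bypass the parent's CSP."""
    parent_sources = effective_script_sources(parse_csp(parent_csp))
    parent_inline = allows_inline_script(parent_sources)
    findings: list[str] = []
    for frame in frames:
        if not frame_keeps_parent_origin(frame):
            continue  # opaque origin: the SOP isolates this frame from the parent
        child_sources = effective_script_sources(parse_csp(frame.csp or ""))
        if child_sources is None and parent_sources is not None:
            findings.append(f"{frame.src}: no script policy while parent restricts scripts")
        elif allows_inline_script(child_sources) and not parent_inline:
            findings.append(f"{frame.src}: allows inline script while parent does not")
    return findings


# Constructed sample: a nonce-based parent policy and four same-origin frames.
PARENT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'"
FRAMES = [
    Frame(src="/widgets/chat.html", csp="script-src 'self'"),
    Frame(src="/legacy/help.html", csp=None),
    Frame(src="/ads/banner.html", csp="default-src 'self' 'unsafe-inline'"),
    Frame(src="/embed/preview.html", csp=None, sandbox="allow-scripts"),
]

if __name__ == "__main__":
    for finding in find_weaker_frames(PARENT_CSP, FRAMES):
        print(finding)
```

Run against the constructed sample, the checker reports `/legacy/help.html` (no CSP at all) and `/ads/banner.html` (inline script permitted); `/widgets/chat.html` is at least as strict as the parent, and `/embed/preview.html` is skipped because its sandbox omits `allow-same-origin`. In a real audit, the frame list would come from crawling the page's `<iframe>` elements and fetching each same-origin document's headers, which is the kind of measurement the paper performs at scale.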

