Towards Client-side HTML Security Policies

In Proc. of the Workshop on Hot Topics in Security (HotSec), 2011


With the proliferation of content-rich web applications, content injection has become a growing problem, and cross-site scripting (XSS) is its most prominent form. Many systems have been designed to mitigate content injection and cross-site scripting; notable examples are BEEP, BLUEPRINT, and Content Security Policy (CSP), which can be grouped together as HTML security policies. We evaluate these systems, including the first empirical evaluation of Content Security Policy on real applications. We propose that HTML security policies should be the defense of choice for web applications going forward. We argue, however, that current systems are insufficient for the needs of web applications, and that research is needed to determine the set of properties an HTML security policy system should have. We propose several directions for future research in this area.