Google Releases Tools to Improve CSP Protection for Web Apps

Google is releasing a pair of new tools to help developers create and implement safer content security policies to protect against cross-site scripting vulnerabilities in their web applications. And the company also is adding CSP adoption efforts to its bug bounty program.

Content security policy is a method that enables developers to specify which scripts can run on a page, which can defeat XSS attacks. Attackers use XSS in inject malicious scripts into web apps and target users with exploits. CSP is meant to help prevent these attacks by restricting some scripts from running, but it can be circumvented in a number of ways and also can be implemented poorly, allowing attacks to succeed. Google performed a large study of CSP implementations and found that 95 percent of the policies were not effective at preventing XSS attacks.

So the company has developed a tool called CSP Evaluator that can help developers see how a given policy would affect a web application. Google also has been working on ways to protect apps when normal CSP policies are bypassed and has implemented a system known as nonce-based CSP in some of its larger apps.

“To help developers craft policies which meaningfully protect their applications, today we’re releasing the CSP Evaluator, a tool to visualize the effect of setting a policy and detect subtle misconfigurations. CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers,” Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, and David Ross of Google’s security engineering team said in a post.

“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed. Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce — an unpredictable, single-use token which has to match a value set in the policy.”

Along with the Evaluator tool, Google also released a tool called CSP Mitigator, an extension for Chrome that can help a developer check an app to see if it works with nonce-based CSP.

“The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP. This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention,” the Google engineers said.

Google also is adding CSP adoption efforts to its bug bounty program, and will reward those who make popular web frameworks compatible with nonce-based CSP.