Content Security Policies are standardized, effective, and pretty simple in nature - so why aren't sites using them?
Content Security Policies are part of internet standards, supported by every web browser, and especially effective at defending against some common web-based security threats. But CSPs also complicate marketing tools and require attention from someone with cross-departmental expertise in web operations and security. As a result, most sites you visit don't have a properly configured Content Security Policy.
DEVCON's upcoming browser extension can detect a site's CSP and alert you if the policy is missing or misconfigured. You can sign up for our pre-release list here.
Let's Talk About CSPs
Don't worry if you've never heard of Content Security Policies. They're part of the invisible framework of web standards that your browser uses to communicate with web servers that host sites - but the technology surrounding them is pretty simple.
Web pages don't always call just one server - in fact, websites that load code from only one place are scarce. So you can think of a webpage as a party - there's a host, and they've invited code from other servers to join the fun. But just like actual party-goers, that external code can start to cause problems if it invites guests, those guests invite guests, and so on.
So a CSP is like a bouncer for a website's party. Site owners create a list of places (web servers) that acceptable guests (scripts, code libraries, etc.) can originate. If something arrives from somewhere that's not on the list, the CSP does not allow it to run in the browser.
The functionality is relatively simple - but it's not the technology that keeps sites from putting these policies in place.
99 Problems (But the Site Ain't One)
Organizations big and small and across industries struggle with a surprisingly thorny problem - their websites exist in a gray area for security. It's not because security teams are ignorant of the problem or lazy about solving it - website security tends to spread across departments and require a lot of decision-making. Security teams focus on safeguarding the code they own and protecting the organization's internal users. When the web operations or online marketing teams suggest using a third-party tool, the security crew relies on outside auditing and business agreements. As a result, many webpages use code that isn't controlled or even fully vetted by an internal security expert.
Consider an online shop - only the most prominent retailers have invested in writing their own code for shopping carts and checkouts. The "store" link on your favorite sports team's website, for example, probably uses scripts from some other server. Security teams could put this server address in a CSP, but what if it changes? Or if the need arises to add something from another source? This kind of coordination can be a challenge in large organizations with robust operations - it's all but impossible to maintain in smaller groups. CSP management is just one small part of a complicated mess when it comes to site security, and as a result, it usually gets ignored.
So with shopping carts, chatbots, visual libraries, and other "static" tools, CSPs would work well if there were operations in place to support them. But advertising and marketing tools present new challenges.
It's All About the Digital Benjamins
Most websites run on some form of advertising. Whether they advertise directly to their audience or use online marketing to drive people to their products or services, the digital marketing ecosystem is critical to the web, with very few exceptions.
The nature of online advertising tools makes it difficult to enforce effective Content Security Policies. Another part of the invisible framework that runs behind webpages is a giant, sometimes chaotic marketplace for ad views and page space - transactions complete in milliseconds for 24 hours each day. When a digital ad broker wins a bid for a bit of ad space, they don't send a picture for the site to load - they send an address for their set of scripts, images, and tools that load in its place. That address would have to be pre-cleared in a CSP for the advertising to work properly. Sites could be very selective and only allow ads from certain places, but fewer buyers mean less ad revenue. Advertising networks and exchanges allow for a huge pool of buyers to access the inventory sites have to offer - but it comes with the uncertainty of knowing exactly whose scripts will end up on your page, and exactly where they started.
Many webpages with advertising content can't be easily governed with a CSP - and without significant changes to online revenue models, most sites can't afford to put the security protocols in place.
You Have to Regulate
Despite all this, the Content Security Policy framework is still valuable - it's vital to have standards in place that address security. Unfortunately, until protecting users becomes as business-critical as selling them things, server-side security measures are limited in their effectiveness.
DEVCON focuses on client-side security - scripts and tools that load with pages and in your browser - to monitor all the scripts and libraries and advertisements that load from all over the web. Our upcoming browser extension will look for a site's CSP and alert you if it's missing or misconfigured. It also blocks malicious advertising, replaces out-of-date code with the freshest version, and helps maintain your online privacy.
It's free and will be available in Chrome in just a few weeks - sign up here to be the first to have it in your browser!