Security Implications of Using Third-Party Resources in the World Wide Web

Modern web pages have nothing in common with the static connotation coming from the word "page" - it is a dynamic unique experience created by active content and executed within browser, just-in-time assembled from various resources hosted on many different domains. Active content increases attack surface naturally exposing users to many novel threats. A popular security advice has been to deploy active content blocker plugins like NoScript, unfortunately they are not capable to effectively stop the attacks. Content Security Policy (CSP) can be effective against these attacks, but we demonstrate how poor decisions made by website administrators or external resource hosters can render CSP ineffective. As a practical contribution, we have scanned Alexa Top Million web pages for insecure CSP configuration and conducted a follow up scan one year later to observe the changes. Initially only 2% of those web pages were observed to use CSP but in the follow-up the percentage more than doubled. We have found a substantial number of web pages with too loose CSP rules, about 5% of websites that have CSP still enable determined attacker to host malicious content on commercial external resources while fulfilling the CSP rule when exploiting Cross-Site Scripting vulnerability. We also provide a model for the problem domain, formalization of user and domain models, and preferred user security policy.