Google has released new tools and related documentation to help developers reduce the risk of XSS attacks using the Content Security Policy (CSP) standard. XSS vulnerabilities continue to affect many web applications, including those developed by large companies.

In the past two years, Google paid experts 1.2 million dollars for the detection of these vulnerabilities. One of the most effective ways to reduce the risk of XSS is CSP, a mechanism that lets developers restrict which scripts a page is allowed to execute. If the policy is configured properly, attackers will not be able to load malicious scripts, even if they manage to inject HTML into the web page. However, CSP cannot completely eliminate the risk of XSS, even when everything is set up properly. A recent survey by Google experts covering more than 1 billion domains has shown that CSP policies can be circumvented in most cases.

Google wants to help developers, which is why it has released CSP Evaluator, a tool that helps determine how properly a CSP policy is configured. CSP Evaluator is also available as a Chrome extension. Although this tool can be very useful, Google notes that, for now, it is difficult to create a whitelist of safe scripts for complex applications. Google itself has used this approach in some of its own applications, such as Cloud Console, History, Photos, Maps Timeline, Careers Search, and Cultural Institute.

The company has also released another Chrome extension, CSP Mitigator. Documentation describing the most effective strategies for CSP implementation is also available. In addition, Google has engaged security experts for further research in the field of protection against XSS attacks.
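As an added illustration (not part of the original article and not code from Google's CSP Evaluator), the following Python checks a `Content-Security-Policy` header for the kinds of weaknesses such a tool looks for: `'unsafe-inline'` without a nonce or hash, overly broad script sources, and missing `object-src`/`base-uri`. The two sample policies are constructed for the example.

```python
from typing import Dict, List

# Constructed sample headers; not taken from the article or from Google's tools.
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' https: *.example-cdn.com")
STRICT_POLICY = ("object-src 'none'; base-uri 'none'; "
                 "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'")

KEYED = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = ("*", "https:", "http:", "data:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def evaluate_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["no script-src or default-src: script loading is unrestricted"]
    keyed = any(s.startswith(KEYED) for s in script)
    # A nonce or hash makes CSP3 browsers ignore 'unsafe-inline' (kept only as a
    # fallback for old browsers); without one, injected inline scripts execute.
    if "'unsafe-inline'" in script and not keyed:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    # Whole schemes and wildcard hosts are ignored under 'strict-dynamic'; otherwise
    # they let an attacker pull scripts from a huge set of origins.
    if not (keyed and "'strict-dynamic'" in script):
        for s in script:
            if s in BROAD or s.startswith("*."):
                findings.append(f"script-src source {s} is too broad")
    # Plugins (object-src) and <base> injection (base-uri) are common CSP bypasses.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: plugin content is unrestricted")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings
```

Calling `evaluate_csp(WEAK_POLICY)` yields four findings, while the nonce-based `STRICT_POLICY` (the shape Google's strict-CSP guidance recommends) yields none.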