Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this article, we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support, website adoption, correct configuration, and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of a few notable issues. However, there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.

中文翻译：

---

基于语义的内容安全策略部署分析

内容安全策略 (CSP) 是最近引入的 W3C 标准，用于防止和减轻内容注入漏洞对网站的影响。在本文中，我们介绍了标准的最新稳定版本 CSP Level 2 的形式语义。然后，我们对当前 CSP 部署的有效性进行了系统的、大规模的分析，使用形式语义来证实我们的方法和评估检测到的问题的影响。我们关注影响 CSP 有效性的四个关键方面：浏览器支持、网站采用、正确配置和持续维护。我们的分析表明，浏览器对 CSP 的支持在很大程度上令人满意，除了一些值得注意的问题。但是，相对于其他三个方面，存在一些缺点。CSP 的部署似乎还相当有限，更重要的是，现有策略显示出许多弱点和错误配置错误。此外，内容安全策略不会定期更新以禁止不安全的做法并消除意外的安全违规行为。我们认为，这些问题中的许多可以通过更好地利用 CSP 的监控设施来解决，而其他问题则值得进一步研究，更多地植根于 CSP 设计。