{"id":"https://openalex.org/W2510134782","doi":"https://doi.org/10.1145/2976749.2978363","title":"CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy","display_name":"CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy","publication_year":2016,"publication_date":"2016-10-24","ids":{"openalex":"https://openalex.org/W2510134782","doi":"https://doi.org/10.1145/2976749.2978363","mag":"2510134782"},"language":"en","primary_location":{"id":"doi:10.1145/2976749.2978363","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978363","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978363","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978363","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5037626066","display_name":"Lukas Weichselbaum","orcid":null},"institutions":[{"id":"https://openalex.org/I4210100430","display_name":"Google (Switzerland)","ror":"https://ror.org/014f9c269","country_code":"CH","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210100430","https://openalex.org/I4210128969"]}],"countries":["CH"],"is_corresponding":true,"raw_author_name":"Lukas Weichselbaum","raw_affiliation_strings":["Google, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Google, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I4210100430"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5025256132","display_name":"Michele Spagnuolo","orcid":null},"institutions":[{"id":"https://openalex.org/I4210100430","display_name":"Google (Switzerland)","ror":"https://ror.org/014f9c269","country_code":"CH","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210100430","https://openalex.org/I4210128969"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Michele Spagnuolo","raw_affiliation_strings":["Google, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Google, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I4210100430"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5080377300","display_name":"Sebastian Lekies","orcid":null},"institutions":[{"id":"https://openalex.org/I4210100430","display_name":"Google (Switzerland)","ror":"https://ror.org/014f9c269","country_code":"CH","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210100430","https://openalex.org/I4210128969"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Sebastian Lekies","raw_affiliation_strings":["Google, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Google, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I4210100430"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5044723728","display_name":"Artur Janc","orcid":null},"institutions":[{"id":"https://openalex.org/I4210100430","display_name":"Google (Switzerland)","ror":"https://ror.org/014f9c269","country_code":"CH","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210100430","https://openalex.org/I4210128969"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Artur Janc","raw_affiliation_strings":["Google, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Google, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I4210100430"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5037626066"],"corresponding_institution_ids":["https://openalex.org/I4210100430"],"apc_list":null,"apc_paid":null,"fwci":23.5679,"has_fulltext":true,"cited_by_count":91,"citation_normalized_percentile":{"value":0.99397436,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1376","last_page":"1387"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.982200026512146,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9668999910354614,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.95576012134552},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7828606367111206},{"id":"https://openalex.org/keywords/cryptographic-nonce","display_name":"Cryptographic nonce","score":0.7601737380027771},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.7309085726737976},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6332319974899292},{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.5199214816093445},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.4935859441757202},{"id":"https://openalex.org/keywords/reuse","display_name":"Reuse","score":0.4738267660140991},{"id":"https://openalex.org/keywords/dynamic-web-page","display_name":"Dynamic web page","score":0.467495322227478},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.46206578612327576},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.460396945476532},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4525328576564789},{"id":"https://openalex.org/keywords/internet-security","display_name":"Internet security","score":0.41655489802360535},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4117177724838257},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.22233453392982483},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.19181716442108154},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.1539210081100464},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.14000165462493896},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.1385997235774994}],"concepts":[{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.95576012134552},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7828606367111206},{"id":"https://openalex.org/C9996903","wikidata":"https://www.wikidata.org/wiki/Q1749235","display_name":"Cryptographic nonce","level":3,"score":0.7601737380027771},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.7309085726737976},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6332319974899292},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.5199214816093445},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.4935859441757202},{"id":"https://openalex.org/C206588197","wikidata":"https://www.wikidata.org/wiki/Q846574","display_name":"Reuse","level":2,"score":0.4738267660140991},{"id":"https://openalex.org/C100158260","wikidata":"https://www.wikidata.org/wiki/Q1650567","display_name":"Dynamic web page","level":3,"score":0.467495322227478},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.46206578612327576},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.460396945476532},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4525328576564789},{"id":"https://openalex.org/C22111027","wikidata":"https://www.wikidata.org/wiki/Q1070427","display_name":"Internet security","level":4,"score":0.41655489802360535},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4117177724838257},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.22233453392982483},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.19181716442108154},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.1539210081100464},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.14000165462493896},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.1385997235774994},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2976749.2978363","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978363","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978363","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/2976749.2978363","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978363","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978363","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.800000011920929,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2510134782.pdf","grobid_xml":"https://content.openalex.org/works/W2510134782.grobid-xml"},"referenced_works_count":24,"referenced_works":["https://openalex.org/W200873936","https://openalex.org/W1222699389","https://openalex.org/W1473921560","https://openalex.org/W1492437080","https://openalex.org/W1543478129","https://openalex.org/W1974977720","https://openalex.org/W1990421186","https://openalex.org/W1991074244","https://openalex.org/W2002447170","https://openalex.org/W2049214202","https://openalex.org/W2057718232","https://openalex.org/W2078238197","https://openalex.org/W2085925880","https://openalex.org/W2103262407","https://openalex.org/W2134646643","https://openalex.org/W2156978746","https://openalex.org/W2168563136","https://openalex.org/W2170920217","https://openalex.org/W2177614278","https://openalex.org/W2256200255","https://openalex.org/W2294676880","https://openalex.org/W2344312925","https://openalex.org/W2405282478","https://openalex.org/W6736631235"],"related_works":["https://openalex.org/W2510134782","https://openalex.org/W2059725703","https://openalex.org/W4234870697","https://openalex.org/W2187721372","https://openalex.org/W2800487524","https://openalex.org/W3022702682","https://openalex.org/W1990297896","https://openalex.org/W2735662051","https://openalex.org/W2095563685","https://openalex.org/W2804725586"],"abstract_inverted_index":{"Content":[0],"Security":[1],"Policy":[2],"is":[3],"a":[4,27,60,132,138,173,251,255],"web":[5,20,262],"platform":[6],"mechanism":[7],"designed":[8],"to":[9,92,137,149,185,198,227,261],"mitigate":[10],"cross-site":[11],"scripting":[12],"(XSS),":[13],"the":[14,31,74,88,96,100,129,145,160,222,228,232],"top":[15],"security":[16,130,152],"vulnerability":[17],"in":[18,41,46,48,147,254],"modern":[19],"applications.":[21],"In":[22,188],"this":[23],"paper,":[24],"we":[25,190,220],"take":[26],"closer":[28],"look":[29],"at":[30],"practical":[32],"benefits":[33],"of":[34,50,64,99,108,121,131,141,159,176,194,207,234],"adopting":[35],"CSP":[36,77,85,101,122,210],"and":[37,103,124,204,258],"identify":[38,117],"significant":[39],"flaws":[40],"real-world":[42],"deployments":[43,78],"that":[44,156,182,192,196,205,213,230],"result":[45,75],"bypasses":[47,123],"94.72%":[49],"all":[51],"distinct":[52,177],"policies.":[53,267],"We":[54,94,116,134,154,245],"base":[55],"our":[56,247],"Internet-wide":[57],"analysis":[58,107,140],"on":[59,79,113,144,237,242],"search":[61],"engine":[62],"corpus":[63],"approximately":[65],"100":[66],"billion":[67,72],"pages":[68],"from":[69],"over":[70],"1":[71],"hostnames;":[73],"covers":[76],"1,680,867":[80],"hosts":[81,208],"with":[82,209],"26,011":[83],"unique":[84],"policies":[86,142,178,195,212,235],"--":[87],"most":[89,163],"comprehensive":[90],"study":[91],"date.":[93],"introduce":[95],"security-relevant":[97],"aspects":[98],"specification":[102,229],"provide":[104,259],"an":[105,225],"in-depth":[106],"its":[109],"threat":[110],"model,":[111],"focusing":[112],"XSS":[114],"protections.":[115],"three":[118],"common":[119],"classes":[120],"explain":[125],"how":[126],"they":[127],"subvert":[128],"policy.":[133],"then":[135],"turn":[136],"quantitative":[139],"deployed":[143],"Internet":[146],"order":[148],"understand":[150],"their":[151,266],"benefits.":[153],"observe":[155],"14":[157],"out":[158],"15":[161],"domains":[162],"commonly":[164],"whitelisted":[165],"for":[166,264],"loading":[167],"scripts":[168],"contain":[169],"unsafe":[170],"endpoints;":[171],"as":[172],"consequence,":[174],"75.81%":[175],"use":[179,211],"script":[180,200],"whitelists":[181],"allow":[183],"attackers":[184],"bypass":[186],"CSP.":[187],"total,":[189],"find":[191],"94.68%":[193],"attempt":[197],"limit":[199],"execution":[201],"are":[202],"ineffective,":[203],"99.34%":[206],"offer":[214],"no":[215],"benefit":[216],"against":[217],"XSS.":[218],"Finally,":[219],"propose":[221],"\"strict-dynamic\"":[223],"keyword,":[224],"addition":[226],"facilitates":[231],"creation":[233],"based":[236],"cryptographic":[238],"nonces,":[239],"without":[240],"relying":[241],"domain":[243],"whitelists.":[244],"discuss":[246],"experience":[248],"deploying":[249],"such":[250],"nonce-based":[252],"policy":[253],"complex":[256],"application":[257],"guidance":[260],"authors":[263],"improving":[265]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":10},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":9},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":12},{"year":2020,"cited_by_count":13},{"year":2019,"cited_by_count":10},{"year":2018,"cited_by_count":15},{"year":2017,"cited_by_count":9}],"updated_date":"2026-03-25T14:56:36.534964","created_date":"2025-10-10T00:00:00"}