YoVDO

CSP is Dead, Long Live CSP! - On the Insecurity of Whitelists and the Future of the Content Security Policy

Offered By: Association for Computing Machinery (ACM) via YouTube

Tags

ACM CCS (Computer and Communications Security) Courses
Web Security Courses
Normalization Courses
Content Security Policy Courses

Course Description

Overview

Explore the evolution and challenges of Content Security Policy (CSP) in this 21-minute conference talk presented at CCS 2016. Delve into the research conducted by Google security experts Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc as they examine the effectiveness of whitelists and the future of CSP. Learn about the current state of CSP implementation, bypass probabilities, and the implications of whitelisted domains. Gain insights into postprocessing techniques, normalization, and various CSP use cases. Discover the importance of tool support in enhancing CSP effectiveness and understand the broader implications for web security. This talk, delivered at the 23rd ACM Conference on Computer and Communications Security in Vienna, Austria, offers valuable perspectives for web developers, security professionals, and anyone interested in the evolving landscape of web application security.

Syllabus

Introduction
Who are we
What are we doing
Research questions
Postprocessing
Why
Normalization
CSP Use Cases
CSP Policies
Summary
State of CSP
Bypass Probability
Whitelisted Domains
Tool Support


Taught by

ACM CCS
