Roadblocks for Content Security Policy (CSP) Implementation - Developer Challenges and Solutions
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore the challenges and solutions surrounding Content Security Policy (CSP) implementation in this informative conference talk. Delve into the complexities of CSP as a crucial web security mechanism, examining its effectiveness in mitigating Cross-Site Scripting (XSS) attacks. Discover why many real-world CSP deployments are easily bypassable and understand the roadblocks developers face when implementing secure policies. Learn about the various factors hindering CSP adoption, including framework and browser support, plugins, error reports, and information sources. Gain insights from a developer survey and research findings on CSP deployment challenges. Explore actionable strategies for developing secure CSPs, addressing issues like inline code, third-party integrations, and legacy code. Understand how to start implementing CSP and methods for hardening existing policies. Engage with practical problem-solving approaches and best practices to enhance web application security through effective CSP implementation.
Syllabus
Intro
Quick Intro
Cross-Site Scripting (XSS)
Content Security Policy (CSP)
CSP Adoption over time
Script Content Control over time
Developer Survey
Research Questions
Methodology
Drawing Task
Motivations
Roadblock: Complexity
Roadblock: Information Sources
Roadblock: Legacy Code
Roadblocks: Different Teams
Inline Code / 3rd-Parties
3rd-Parties - maintenance effort
Roadblock: Browsers
Problem Solving: Inline Code
Problem Solving Strategies
Problem Solving: Inline Events
Problem Solving: Third Parties
How to start with CSP?
How to harden my CSP?
Conclusion
Taught by
OWASP Foundation
Related Courses
Internet History, Technology, and Security - University of Michigan via Coursera
Client-Server Communication - Google via Udacity
HTTP & Web Servers - Udacity
Network Security - Georgia Institute of Technology via Udacity
Web Security Fundamentals - KU Leuven University via edX