Computing Reviews
Semantics-based analysis of content security policy deployment
Calzavara S., Rabitti A., Bugliesi M. ACM Transactions on the Web 12(2): 1-36, 2018. Type: Article
Date Reviewed: Jul 11 2018

Security is one of the biggest concerns in digital societies. Without reasonable levels of security, people will never really embrace the use of technology for tasks that they consider sensitive or risky. Only with a reasonable guarantee of security will users have confidence in a technology.

The web offers many services. Web applications provide friendly interfaces for end users, which makes them a very attractive means of interaction, for example between enterprises and their clients. However, website security is undermined by content injection. Content Security Policy (CSP) is a World Wide Web Consortium (W3C) standard that provides guidelines for preventing and mitigating the effects of this type of attack.

Calzavara et al. analyze the use and effectiveness of CSP as a security mechanism protecting websites against these attacks. The analysis covers four key aspects: (1) browser support, (2) website adoption, (3) correct configuration, and (4) constant maintenance. Their approach introduces a formal semantics to represent the contents of CSP, and then uses this semantics to formalize and reason about each of these four aspects. For each, the methodology followed in the experimental study is presented, together with experimental results on more than 16,000 websites.

The paper includes a brief introduction to CSP, enough to understand its main issues and thus the presented study. A formal analysis of the standard follows, including syntax and semantics, and formal reasoning on CSP policies. With this formalization of the standard in place, the authors present their methodology for testing each of the four aspects under study in a formal manner, and comment on the results obtained. The main weaknesses for each aspect are then listed and characterized. From these, the authors identify the main issues that need work in order to improve CSP support. They first suggest working on better exploiting the reporting facilities of CSP. Second, they claim that more research is needed on issues related to CSP design.

This paper presents solid research. The use of formal semantics makes it appropriate for researchers, that is, readers with a solid background in formal languages and logic. This is not a wide audience, but this type of work is absolutely necessary to consolidate the advances in such an important area as security.

Reviewer: Mercedes Martínez González. Review #: CR146139 (1811-0608)
Categories: Security (K.4.4 ...); Semantics (D.3.1 ...); World Wide Web (WWW) (H.3.4 ...)