Content Security Policy - Lessons learned at Yahoo

Yahoo serves daily essentials such as mail, search, finance, sports, news and magazines to a large audience. While most of this content is created at Yahoo, some is sourced from third parties for marketing, measurement and advertising purposes. As a result, protecting Yahoo users from content injection and malware injection attacks is vital, and a big challenge given a very large and diverse audience. Furthermore, since advertising is Yahoo's main source of revenue, ad injection poses a big security and business risk.

Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, a site can instruct browsers to load content only from the domains whitelisted in the policy. Hence, we deployed CSP in report-only mode on Yahoo Mail to analyze how far CSP can alleviate content injection, and in enforced mode on Yahoo Search to evaluate how far CSP can eliminate ad injection. Based on our analysis, we found that CSP's capability is limited because browser extensions and add-ons are able to override the policy, and furthermore we found inconsistencies between browsers in evaluating CSP policies.

This talk will highlight, based on our analysis, to what degree CSP is helpful today in solving content and ad injection on websites, and will introduce CSP testing tools: http://cspstester.io and PhantomJS automation scripts. In addition, we share our recommendations for improving CSP to make it more useful in alleviating content and ad injection, and discuss some improvements on the CSP reporting side to make data analysis easier and more meaningful. Browser implementation inconsistencies, including on mobile, are also highlighted as part of this session.
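As an added example (not Yahoo's code, not cspstester.io, and not the PhantomJS scripts mentioned above), the following Python sketches the two activities the abstract describes: evaluating a resource load against a CSP header's source lists, including the default-src fallback, and aggregating violation reports collected in report-only mode before a policy is enforced. The policy, origins and report bodies are constructed for the example; nonces, hashes and 'unsafe-inline' are deliberately not modeled.

```python
"""Minimal CSP source-list evaluator and violation-report aggregator (added example)."""
import json
from collections import Counter
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent (a subset of the spec's list).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "frame-src", "object-src"}

# Constructed policy: first-party scripts, one CDN, and a wildcard ad host.
POLICY = ("default-src 'self'; "
          "script-src 'self' https://cdn.example.test *.ads.example.test; "
          "img-src https: data:; "
          "object-src 'none'")
PAGE_ORIGIN = "https://mail.example.test"  # constructed page origin


def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """Match a host-source such as example.com or *.example.com (no path matching)."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.a.test matches b.a.test but not a.test itself
    return host == pattern


def _source_matches(source, url, page_origin):
    """Does a single source expression permit loading this URL?"""
    u = urlparse(url)
    if source.startswith("'"):
        if source.lower() == "'self'":
            p = urlparse(page_origin)
            return (u.scheme, u.netloc) == (p.scheme, p.netloc)
        return False  # 'none', 'unsafe-inline', nonces and hashes: not modeled here
    src = source.lower()
    if src.endswith(":"):  # scheme-source, e.g. https: or data:
        return u.scheme == src[:-1]
    if "://" in src:  # host-source with explicit scheme
        scheme, rest = src.split("://", 1)
        if u.scheme != scheme:
            return False
    else:  # host-source without scheme: same scheme as the page, or an https upgrade
        rest = src
        if u.scheme not in (urlparse(page_origin).scheme, "https"):
            return False
    host, _, port = rest.partition(":")
    host = host.split("/", 1)[0]  # paths are ignored in this simplified matcher
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    if port and port != "*" and str(u.port or default_port) != port:
        return False
    return _host_matches(host, u.hostname or "")


def is_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Evaluate one load against the policy, honoring the default-src fallback."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: the browser does not restrict this load
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    return any(_source_matches(s, url, page_origin) for s in sources)


# Constructed report bodies in the Content-Security-Policy-Report-Only POST format.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": PAGE_ORIGIN + "/inbox",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://ads.thirdparty.test/tag.js"}}),
    json.dumps({"csp-report": {"document-uri": PAGE_ORIGIN + "/inbox",
                               "violated-directive": "script-src 'self'",  # older-browser form
                               "blocked-uri": "https://ads.thirdparty.test/pixel.js"}}),
    json.dumps({"csp-report": {"document-uri": PAGE_ORIGIN + "/inbox",
                               "violated-directive": "script-src",
                               "blocked-uri": "inline"}}),
]


def summarize_reports(raw_reports):
    """Count (directive, blocked origin) pairs: the first cut at report-only data."""
    counts = Counter()
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        blocked = r.get("blocked-uri", "")
        origin = urlparse(blocked).netloc or blocked  # keep 'inline', 'eval', 'data' as-is
        counts[(r["violated-directive"].split()[0], origin)] += 1
    return counts


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    print(is_allowed(policy, "script-src", "https://a.ads.example.test/x.js"))
    for key, n in summarize_reports(SAMPLE_REPORTS).most_common():
        print(n, key)
```

The aggregation step is where report-only deployment pays off: sorting blocked origins by frequency separates legitimate third-party tags that the whitelist must admit from injected content that enforcement should keep out.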
