Apple praised for changes that ‘allow developers to build safe web applications’
Blocked resource violation reporting for inline script, inline style, and eval execution has been updated to match web standards too.
And there's new support for ‘strict-dynamic’, making it easier to deploy a strict CSP based on CSP nonces or hashes.
“This is critical for developers who want to mitigate XSS, one of the most prominent web vulnerabilities, using a CSP based on nonces or hashes instead of an allowlist-based CSP, which our research has shown can be trivially bypassed in more than 90% of cases when it comes to XSS mitigation,” Google information security engineer Lukas Weichselbaum tells The Daily Swig.
“Google is protecting over 80% of its sensitive web traffic with a strict nonce-based CSP, and has mitigated a large number of XSS vulnerabilities this way. Now we can also protect our users on Safari and iOS where all browsers are using WebKit as a rendering engine.”
Meanwhile, there’s also support for ‘unsafe-hashes’, allowing inline event handlers to be hashed in the same way as CSP hashes allow hashing of inline scripts.
And support for ‘report-sample’ enables sending short samples of code that violates the CSP – in particular for inline scripts and inline event handlers.
“This is essential to tie back a report to its root cause and to differentiate unactionable reports triggered by browser extensions, malware, et cetera,” says Weichselbaum.
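To make the preceding paragraphs concrete, here is an added example (not code from the article, from Apple, or from Google) that assembles the kind of strict, nonce-based policy described above and models how a browser decides whether an inline script or event handler is permitted by it. The report endpoint path, the sample script bodies and the helper names are all assumptions made for the example; the policy shape (nonce plus `'strict-dynamic'`, with `https:` and `'unsafe-inline'` as fallbacks that nonce-aware browsers ignore) follows the commonly published strict-CSP pattern.

```python
import base64
import hashlib
import secrets


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token (e.g. 'sha256-...') for the exact text of an
    inline <script> body, an inline <style> body or, with 'unsafe-hashes', an inline
    event-handler attribute value. Whitespace inside the text is significant."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def new_nonce(nbytes: int = 16) -> str:
    """Fresh per-response nonce: at least 128 bits from a CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def strict_csp(nonce: str, handler_hashes=(), report_to: str = "/csp-report") -> str:
    """Assemble a strict CSP header value (report_to is a placeholder path).

    'strict-dynamic' lets scripts loaded by a nonced script run without an origin
    allowlist; browsers that understand it ignore the 'https:' and 'unsafe-inline'
    fallbacks, which only keep older browsers working. 'unsafe-hashes' is added only
    when event-handler hashes are supplied, and 'report-sample' asks the browser to
    include a snippet of the violating code in its violation report."""
    script_src = [f"'nonce-{nonce}'", "'strict-dynamic'", "https:", "'unsafe-inline'"]
    if handler_hashes:
        script_src += ["'unsafe-hashes'", *(f"'{h}'" for h in handler_hashes)]
    script_src.append("'report-sample'")
    directives = [
        "object-src 'none'",
        "base-uri 'none'",
        "script-src " + " ".join(script_src),
        f"report-uri {report_to}",
    ]
    return "; ".join(directives)


def _script_sources(policy: str) -> list[str]:
    """Return the source expressions of the script-src directive in a policy string."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(policy: str, body: str, nonce_attr=None, event_handler=False) -> bool:
    """Minimal model of the browser's decision for one inline script.

    A <script> is allowed when its nonce attribute matches a nonce in the policy or
    its body hashes to a listed hash-source. An inline event handler has no nonce and
    is only matched by hash when 'unsafe-hashes' is present. 'unsafe-inline' is
    ignored as soon as the policy carries any nonce or hash."""
    sources = _script_sources(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s.strip("'") for s in sources if s.startswith("'sha")}
    if not event_handler and nonce_attr is not None and nonce_attr in nonces:
        return True
    if event_handler and "'unsafe-hashes'" not in sources:
        return False
    if any(csp_hash(body, h.split("-")[0]) == h for h in hashes):
        return True
    return "'unsafe-inline'" in sources and not nonces and not hashes


if __name__ == "__main__":
    # Constructed sample page: one nonced script and one legacy onclick handler.
    nonce = new_nonce()
    onclick_body = "toggleMenu()"
    policy = strict_csp(nonce, handler_hashes=[csp_hash(onclick_body)])
    print("Content-Security-Policy:", policy)
    print("nonced script allowed:", inline_script_allowed(policy, "init()", nonce_attr=nonce))
    print("injected script allowed:", inline_script_allowed(policy, "steal()", nonce_attr=None))
    print("hashed onclick allowed:", inline_script_allowed(policy, onclick_body, event_handler=True))
```

The model captures the point Weichselbaum makes: an injected inline script carries neither a valid nonce nor a listed hash, so the allowlist fallbacks do nothing for it, while legitimate inline handlers can still be migrated one hash at a time under `'unsafe-hashes'`.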
And finally, support has been removed for the XSS Auditor, which, say the developers, has been superseded by modern cross-origin defenses like CSP and COEP.
‘Security by design’
John Goodacre, director of Digital Security by Design, a UK government-backed initiative, and professor of computer architectures at the University of Manchester, says it remains to be seen, though, whether developers will make the extra effort to use the new features.
“A growing trend, however, is to somewhat relieve developers of such effort by creating technologies which deliver increased security by design,” he tells The Daily Swig.
“This could include, for example, development tools and frameworks that automatically implement CSP, or, as being investigated within the UKRI Digital Security by Design programme, where WebKit itself is implemented using secure by design approaches.”
Apple was late to the game with support for CSP, including it only last October – long after other major browsers such as Chrome, Firefox, and Edge.
“It is great to see that Apple is prioritising web platform security features that allow developers to build safe web applications,” says Weichselbaum.
“I’d be thrilled to see an ongoing investment in this area and, for example, would hope that WebKit will also support Trusted Types in the near future. Trusted Types is already available in Chrome and has allowed us to significantly reduce the amount of DOM-based XSS – one of the most common variants of XSS – in sensitive Google applications.”