Apple offers users greater defense against XSS and other vulnerabilities
Safari, the default browser for Apple devices, will soon employ a much-needed security feature to better protect against script-injection attacks.
According to a thread on the bug-tracking platform for WebKit, the browser engine that powers Safari, Apple’s developers have added support for strict Content Security Policy (CSP) to WebKit Nightly, the preview release of the engine.
Discussions concerning the addition of the strict CSP have been ongoing since 2018, the thread shows.
The technical detail
The original CSP specification was inflexible and limited, which forced developers to make compromises on the security of their web applications. Strict CSP, marked by the strict-dynamic directive, addresses these shortcomings.
“Without strict-dynamic, the CSP has to include a list of hosts where the page is allowed to load scripts from,” Dominic Couture, senior application security engineer at GitLab, told The Daily Swig.
“This is a tedious task and there are risks of CSP bypasses if the attacker is able to host scripts on one of the allow-listed hosts.”
Strict CSP uses an unpredictable random value called a ‘nonce’ that the web application safely generates on the server-side to validate the scripts used on the page.
The strict specification makes CSP more manageable for developers and XSS exploits more difficult for attackers.
“Strict CSP strikes the balance between security and flexibility for developers. Therefore, it should make CSP easier to deploy while maintaining security,” browser security engineer Jun Kokatsu told The Daily Swig.
Other major browsers such as Chrome, Firefox, and Edge have been supporting this feature for a long time. Safari’s lack of support for strict-dynamic has been a point of frustration for developers who wanted to secure their websites across all platforms.
“This is very significant for iOS users, where all browsers are forced to use Safari’s rendering engine (i.e. WebKit),” Kokatsu said.
“In many websites where they chose to deploy Strict CSP, all iOS users were getting fallback CSP mitigation which was basically to allow any scripts (due to Safari not supporting strict-dynamic).”
Couture added: “This new support for strict-dynamic will make CSP maintenance easier for engineers thanks to feature-parity across all the major browsers.
“With that said, the biggest impact is for Safari users, who will be more secure on the internet as they will benefit from the same security features as the users of other browsers.”