Overview
This page provides supplemental materials for our study on fallback behaviors in Content Security Policy (CSP). The following resources are available:
- A dataset of real-world CSP deployments and tools for analyzing and reconstructing fallback behavior. Access repository.
- Proof-of-concept attacks that demonstrate how fallback behavior can lead to privilege escalation. For demonstration purposes only, we have deployed our attacks under the same hosting origin, and each third-party is deployed in a separate subdomain.
Attack Demonstrations
1. SOP Bypass
A third-party iframe injects first-party iframes, bypassing the Same-Origin Policy. No dedicated directive controls inline iframes, and an overly permissive default-src fallback allows this behavior.
2. Cookie Exfiltration
When img-src is not specified, image requests fall back to default-src. If default-src is permissive, it allows third-party image loads that bypass connect-src restrictions and enable third-party tracking through cookies.
3. Multiple Fallbacks
When multiple directives—such as script-src, frame-src, and media-src—are missing, they all fall back to default-src.
As a result, a broad default-src permits any domain to inject any type of resource, affecting the website's access control and integrity.
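The fallback resolution behind the three demonstrations above, as an added example that is not part of the study's dataset or tooling: a small Python resolver that applies the CSP Level 3 fallback chains to a policy and reports which directive ends up governing each fetch type. The policy strings, origins and hostnames are constructed for illustration, and source matching is simplified (no nonces, hashes or scheme-only sources).

```python
from typing import Optional

# CSP Level 3 fallback chains; the first listed directive present in the policy governs the fetch.
FALLBACK = {
    "script-src-elem": ("script-src-elem", "script-src", "default-src"),
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
    "frame-src": ("frame-src", "child-src", "default-src"),
    "img-src": ("img-src", "default-src"),
    "connect-src": ("connect-src", "default-src"),
    "media-src": ("media-src", "default-src"),
}

def parse_csp(header: str) -> dict:
    """Serialized policy -> {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def effective_directive(policy: dict, directive: str) -> Optional[str]:
    """Walk the fallback chain; None means nothing applies and the fetch is unrestricted."""
    return next((d for d in FALLBACK[directive] if d in policy), None)

def source_allows(expr: str, origin: str, page_origin: str) -> bool:
    """Simplified host-source matching: 'none', 'self', *, host, *.host (no scheme-only sources)."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin == page_origin
    if expr == "*":
        return True
    host = origin.split("://", 1)[1]
    expr_host = expr.split("://", 1)[-1]
    if expr_host.startswith("*."):
        return host.endswith(expr_host[1:])
    return host == expr_host

def is_allowed(policy: dict, directive: str, origin: str, page_origin: str):
    """Return (allowed, governing directive) for a fetch of the given type from origin."""
    governing = effective_directive(policy, directive)
    if governing is None:
        return True, None
    return any(source_allows(e, origin, page_origin) for e in policy[governing]), governing

if __name__ == "__main__":
    # Constructed policy: connect-src is strict, but img-src and frame-src fall back to default-src *.
    loose = parse_csp("default-src *; connect-src 'self'; script-src 'self' https://cdn.example.com")
    for fetch in ("connect-src", "img-src", "frame-src", "media-src"):
        print(fetch, is_allowed(loose, fetch, "https://tracker.example.net", "https://app.example.com"))
```

Running it shows that the strict connect-src is sidestepped by an image or frame load governed by default-src, which is the condition the demonstrations rely on; setting default-src 'none' and listing each needed directive explicitly closes that gap.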