AutoCSP: Automatically retrofitting CSP to web applications

Mattia Fazzini, Prateek Saxena, Alessandro Orso

Research output: Chapter in Book/Report/Conference proceedingConference contribution

15 Scopus citations


Web applications often handle sensitive user data, which makes them attractive targets for attacks such as crosssite scripting (XSS). Content security policy (CSP) is a contentrestriction mechanism, now supported by all major browsers, that offers thorough protection against XSS. Unfortunately, simply enabling CSP for a web application would affect the application's behavior and likely disrupt its functionality. To address this issue, we propose AUTOCSP, an automated technique for retrofitting CSP to web applications. AUTOCSP (1) leverages dynamic taint analysis to identify which content should be allowed to load on the dynamically-generated HTML pages of a web application and (2) automatically modifies the serverside code to generate such pages with the right permissions. Our evaluation, performed on a set of real-world web applications, shows that AUTOCSP can retrofit CSP effectively and efficiently.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015
PublisherIEEE Computer Society
Number of pages11
ISBN (Electronic)9781479919345
StatePublished - Aug 12 2015
Externally publishedYes
Event37th IEEE/ACM International Conference on Software Engineering, ICSE 2015 - Florence, Italy
Duration: May 16 2015May 24 2015

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257


Other37th IEEE/ACM International Conference on Software Engineering, ICSE 2015

Fingerprint Dive into the research topics of 'AutoCSP: Automatically retrofitting CSP to web applications'. Together they form a unique fingerprint.

Cite this