Back to the Roots: Finding the Origin of CSP Security Bugs

CSP (Content Security Policy) bugs often stem from foundational issues introduced when the feature was first implemented, with some vulnerabilities remaining undetected for up to 8 years

87% of bug reports identified fixing revisions, but only 6% identified the policies affected by the vulnerabilities

Centralization of enforcement logic significantly reduces oversight-related bypasses - Firefox’s centralized approach resulted in fewer bugs compared to Chromium’s initially fragmented implementation

Cross-browser bug sharing remains inadequate - many bugs affecting one browser were later discovered as regressions in other browsers, indicating poor vulnerability information sharing between vendors

Simple regression tests could have prevented many CSP bugs, particularly those related to policy inheritance and enforcement logic

Code changes to core CSP logic or inheritance-related features are most likely to introduce new vulnerabilities

Browser vendors often prematurely disclose bugs before fixes are complete or accidentally revert fixes without proper documentation

Bug handling inconsistencies lead to extended vulnerability exposure - Safari remained vulnerable to publicly disclosed bugs for over a year

Tests should be independent of policy delivery method (meta tag vs header) and comprehensive across different browser implementations

Automated testing and centralized, private bug reporting platforms could significantly improve vulnerability detection and resolution time