Abstract:
Cross-Site Scripting (XSS) is a widespread web vulnerability that allows an attacker to inject code into a web page, fully compromising it. Content Security Policy (CSP) is a security mechanism that limits the effects of XSS attacks. However, it is hard to configure and, for this reason, it is not widely adopted. For the same reason, many real policies deployed in the wild are misconfigured.
In this thesis we present a Chrome extension for semi-automatically generating and enforcing CSP while navigating the web. We analyze the generated policies to check that the extension does not break navigation while it enforces the security of users browsing the Web. The extension is useful both for end users and for developers, since it is able to build a policy that can be permanently included in a new website.
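As an added illustration of what semi-automatic generation involves (example code written for this page, not the thesis's extension): a least-privilege policy is derived from the resource loads observed while browsing a site, and then checked so that enforcing it blocks nothing that was observed while still denying unobserved sources and inline script. The sample load log, the origins and the simplified source-matching rules are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of loads an extension might record while a user browses:
# (origin of the page that triggered the load, CSP directive, resource URL).
OBSERVED_LOADS = [
    ("https://example.test", "script-src", "https://example.test/js/app.js"),
    ("https://example.test", "script-src", "https://cdn.example.test/lib.js"),
    ("https://example.test", "style-src", "https://example.test/css/main.css"),
    ("https://example.test", "img-src", "https://images.example.test/logo.png"),
    ("https://example.test", "img-src", "data:image/png;base64,AAAA"),
    ("https://other.test", "script-src", "https://other.test/o.js"),  # other site, ignored
]

def source_expression(url):
    """Map a loaded URL to the CSP source expression that would allow it."""
    parts = urlsplit(url)
    if parts.scheme == "data":
        return "data:"
    if parts.scheme in ("http", "https"):
        return f"{parts.scheme}://{parts.netloc}"
    raise ValueError(f"unsupported scheme: {url}")

def generate_policy(loads, page_origin):
    """Build a least-privilege policy for page_origin from what was actually loaded.
    default-src 'none' denies anything never observed, and 'unsafe-inline' is
    never emitted, so injected inline script stays blocked."""
    directives = {}
    for origin, directive, url in loads:
        if origin != page_origin:
            continue
        expr = source_expression(url)
        directives.setdefault(directive, set()).add("'self'" if expr == page_origin else expr)
    parts = ["default-src 'none'"]
    for directive in sorted(directives):
        sources = sorted(directives[directive], key=lambda s: (s != "'self'", s))
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)

def allows(policy, directive, url, page_origin):
    """Simplified enforcement check for fetch directives (no nonce/hash/path matching):
    does the policy permit url under directive, honouring the default-src fallback?"""
    rules = {}
    for part in policy.split(";"):
        name, *sources = part.split()
        rules[name] = set(sources)
    sources = rules.get(directive, rules.get("default-src", set()))
    if "'none'" in sources:
        return False
    expr = source_expression(url)
    return expr in sources or (expr == page_origin and "'self'" in sources)
```

Running `generate_policy(OBSERVED_LOADS, "https://example.test")` yields a policy that allows every observed load of that site and nothing else; a real extension would also have to decide, with the user, whether an observed third-party origin is trusted enough to keep.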