Script-templates for the Content Security Policy

Content Security Policies (CSPs) provide powerful means to mitigate most XSS exploits. However, CSP’s protection is incomplete. Insecure server-side JavaScript generation and attacker control over script-sources can lead to XSS conditions which cannot be mitigated by CSP. In this paper we propose PreparedJS, an extension to CSP which takes these weaknesses into account. Through the combination of a safe script templating mechanism with a light-weight script checksumming scheme, PreparedJS is able to fill the identified gaps in CSP’s protection capabilities.