Apple Safari empowers developers to mitigate web flaws with WebKit CSP enhancements



Emma Woollacott

18 March 2022 at 11:53 UTC

Updated: 18 March 2022 at 14:30 UTC

Apple praised for changes that ‘allow developers to build safe web applications’


Apple has added a raft of new features to WebKit, including improved support for Content Security Policy (CSP) Level 3, with the latest release of Safari version 15.4.

This, say the developers, gives finer-grained control over which content a page may load and execute, and helps web developers mitigate cross-site scripting (XSS) and related vulnerabilities.

Blocked resource violation reporting for inline script, inline style, and eval execution has been updated to match web standards too.

And there’s new support for ‘strict-dynamic’, making it easier to deploy a strict CSP based on CSP nonces or hashes.

Mitigating XSS

“This is critical for developers who want to mitigate XSS, one of the most prominent web vulnerabilities, using a CSP based on nonces or hashes instead of an allowlist-based CSP, which our research has shown can be trivially bypassed in more than 90% of cases when it comes to XSS mitigation,” Google information security engineer Lukas Weichselbaum tells The Daily Swig.

“Google is protecting over 80% of its sensitive web traffic with a strict nonce-based CSP, and has mitigated a large number of XSS vulnerabilities this way. Now we can also protect our users on Safari and iOS where all browsers are using WebKit as a rendering engine.”


Meanwhile, there’s also support for ‘unsafe-hashes’, which lets inline event handlers be allowed by hash in the same way that CSP hashes already allow inline scripts.

And support for ‘report-sample’ enables violation reports to include a short sample of the code that violated the CSP – in particular for inline scripts and inline event handlers.

“This is essential to tie back a report to its root cause and to differentiate unactionable reports triggered by browser extensions, malware, et cetera,” says Weichselbaum.

With the new release, developers can also safely include external JavaScript in their pages using new support for hash source expressions, which now match external scripts as well as inline ones.

And finally, support for the XSS Auditor has been removed, which, say the developers, has been superseded by modern defenses such as CSP and Cross-Origin Embedder Policy (COEP).

‘Security by design’

John Goodacre, director of Digital Security by Design, a UK government-backed initiative, and professor of computer architectures at the University of Manchester, says it remains to be seen, though, whether developers will make the extra effort to use the new features.

“A growing trend, however, is to somewhat relieve developers of such effort by creating technologies which deliver increased security by design,” he tells The Daily Swig.


“This could include, for example, development tools and frameworks that automatically implement CSP, or, as being investigated within the UKRI Digital Security by Design programme, where WebKit itself is implemented using secure by design approaches.”

Apple was late to the game with support for CSP, including it only last October – long after other major browsers such as Chrome, Firefox, and Edge.

“It is great to see that Apple is prioritising web platform security features that allow developers to build safe web applications,” says Weichselbaum.

“I’d be thrilled to see an ongoing investment in this area and, for example, would hope that WebKit will also support Trusted Types in the near future. Trusted Types is already available in Chrome and has allowed us to significantly reduce the amount of DOM-based XSS – one of the most common variants of XSS – in sensitive Google applications.”

