Which Sites have Content Security Policy to prevent XSS

pganti · May 20, 2015, 11:10pm

I was interested in looking at the leaderboard for the sites that enable content security policy which offers a certain protection from third party JS used to attack a first party site (like recent GitHub attack)

SELECT domain(url) as domainname, count(*) as num
FROM [httparchive:runs.latest_requests]
WHERE lower(respOtherHeaders) contains "content-security-policy" 
GROUP BY domainname 
ORDER BY num desc

which shows Twitter, Google and GitHub to be leaders (sadly expected to see more bigname properties also enable it…hint hint

cqueern · May 22, 2015, 2:56pm

Awesome work, @pganti! Here’s a similar query I did in the past.

http://bigqueri.es/t/how-many-resources-have-x-frame-options-strict-transport-security-or-content-security-policy-headers-for-web-app-security/155

Looks like there’s been some decent adoption since then.

BTW, much of the work getting CSP in place at twitter and github is the work of Neil (@ndm).

Topic		Replies	Views
How many resources have X Frame Options, Strict Transport Security, or Content Security Policy headers for web app security? Analysis	6	7062	November 16, 2017
Adoption of HTTP Security Headers on the Web Analysis	2	4964	April 2, 2018
3rd party content: Who is guarding the cache? Analysis	0	3555	February 27, 2014
What Percentage of Third Party Content is Cacheable? Analysis	0	1962	March 25, 2019
Chapter 8. Security 2019 Web Almanac	9	9108	May 13, 2021

Which Sites have Content Security Policy to prevent XSS

Related topics