Usage of Content-Security-Policy report-uri

5 years ago

Stuart Larsen #article


Below is an analysis of the Alexa top 10,000 websites and their usage of the Content-Security-Policy report-uri directive.

We started scanning because we were curious about the following questions:

How the data was collected?

For the Alexa top 10,000 domains, we tried https and fell back to http if there was an error. We followed any redirects to the final website, and we checked for policies delivered both as HTTP headers and as meta tags. Where a site sent more than one policy (repeated headers, comma-separated policies in one header, or header plus meta tag), we unrolled them and counted each policy separately. (More info on using multiple policies.) Most websites only use one policy, so when we say "30 websites did abc", we really mean "30 policies did abc".

How many of the top 10000 websites use content-security-policy?

1,221 (12%) of the websites in the top 10,000 use Content-Security-Policy.

Figure 1: Number of Websites using CSP

How many of the websites use a report-uri?

Of the 1,221 websites in the top 10,000 that use CSP, 299 use a report-uri. (This value actually jumped from 298 to 299 during the hour I was putting together this data.)

Figure 2: Number of websites using report-uri

How many roll their own report-uri endpoint vs. use a vendor?

Only 38 of the websites use an external third-party report-uri collector. Most websites either don't use report-uri at all or host the endpoint themselves (it's possible some of them run a self-hosted collector, such as https://github.com/c0nrad/caspr, but it's hard to tell either way).

Figure 3: ReportURI endpoints

How many use multiple report-uri endpoints in a single policy?

None of them. They all use either zero or one report-uri, even though the directive accepts a space-separated list of endpoints and browsers will send a copy of each report to every one of them.

Figure 4: Number of report-uris per policy

How many attempt to use a report-uri within a meta tag?

None of them. 99 websites deliver Content-Security-Policy with meta tags, mostly for mixed-content handling. That is just as well: report-uri is one of the directives (along with frame-ancestors and sandbox) that browsers ignore when the policy is delivered via a meta tag, so a report-uri there would never produce a report.

Figure 5: Policies distributed by meta tag
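As an added example (not code from this post or from csper), here is a small Python classifier that does the bookkeeping the methodology above describes and answers the post's questions over constructed sample responses: it unrolls multiple policies from repeated and comma-separated headers and from meta tags, parses each policy into directives, counts report-uri endpoints per policy, flags collectors whose host is outside the site's own domain as third-party, and flags report-uri values in meta-delivered policies, which browsers drop. Fetching is left out; the sample responses, the hostnames, and the choice to count Content-Security-Policy-Report-Only headers as policies are assumptions of this example.

```python
"""Classify Content-Security-Policy report-uri usage from fetched responses."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The post only mentions "content-security-policy"; also counting the
# Report-Only header as a policy is an assumption of this example.
CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


class _MetaCSPParser(HTMLParser):
    """Collect the content of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy" and a.get("content"):
            self.policies.append(a["content"])


def unroll_policies(headers, html):
    """Return [(source, policy)] for every policy the response carries.

    A response may repeat the header, one header value may hold a comma-separated
    list of policies (commas cannot occur inside a policy), and the HTML may add
    <meta> policies. Each policy is enforced independently, so each is counted.
    """
    found = []
    for name, value in headers:
        if name.lower() in CSP_HEADERS:
            found += [("header", p.strip()) for p in value.split(",") if p.strip()]
    meta = _MetaCSPParser()
    meta.feed(html)
    found += [("meta", p) for p in meta.policies]
    return found


def parse_policy(policy):
    """Parse one policy into {directive: [values]}; on duplicates the first wins, as in browsers."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def is_third_party(uri, site_host):
    """True when the collector host is neither the site nor a subdomain of it.

    A relative report-uri resolves against the page itself, so it is first-party.
    """
    host = urlsplit(uri).hostname
    return host is not None and host != site_host and not host.endswith("." + site_host)


def analyze_site(site_host, headers, html):
    """One dict per policy the site carries, with its report-uri facts."""
    rows = []
    for source, policy in unroll_policies(headers, html):
        uris = parse_policy(policy).get("report-uri", [])
        rows.append({
            "source": source,
            # report-uri is not supported in <meta> delivery: browsers drop it.
            "report_uris": uris if source == "header" else [],
            "ignored_meta_report_uri": uris if source == "meta" else [],
            "third_party": [u for u in uris if source == "header" and is_third_party(u, site_host)],
        })
    return rows


def summarize(sites):
    """Aggregate the post's questions over {host: (headers, html)}."""
    per_site = {host: analyze_site(host, h, body) for host, (h, body) in sites.items()}
    policies = [p for rows in per_site.values() for p in rows]
    return {
        "sites_with_csp": sum(1 for rows in per_site.values() if rows),
        "policies": len(policies),
        "policies_with_report_uri": sum(1 for p in policies if p["report_uris"]),
        "policies_with_third_party_collector": sum(1 for p in policies if p["third_party"]),
        "policies_with_multiple_report_uris": sum(1 for p in policies if len(p["report_uris"]) > 1),
        "meta_policies": sum(1 for p in policies if p["source"] == "meta"),
        "meta_policies_with_report_uri": sum(1 for p in policies if p["ignored_meta_report_uri"]),
    }


# Constructed sample responses; hostnames and collectors are made up for the example.
SAMPLE_SITES = {
    # self-hosted collector reached through a relative URI
    "example.com": ([("Content-Security-Policy", "default-src 'self'; report-uri /csp-report")],
                    "<html><head></head></html>"),
    # two policies in one header, the second reporting to a third-party collector,
    # plus a <meta> policy for mixed content
    "shop.example": ([("Content-Security-Policy", "default-src 'self', script-src 'self'; "
                       "report-uri https://shop.report-uri.com/r/d/csp/enforce")],
                     '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'),
    # meta-only policy that tries to use report-uri; browsers drop that directive
    "news.example": ([], '<meta http-equiv="Content-Security-Policy" content="default-src https:; report-uri /csp">'),
    # no policy at all
    "static.example": ([("Content-Type", "text/html")], "<html></html>"),
}

if __name__ == "__main__":
    print(summarize(SAMPLE_SITES))
```

The per-policy rows are what the post's "30 websites really means 30 policies" caveat calls for; a site-level count is just `bool(rows)`. Plugging real responses in only requires replacing SAMPLE_SITES with the headers and body of each site's final redirect target.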

Conclusion

That's it! If you have any more questions to ask of the data, please let me know! Happy to crunch it out. stuart@csper.io.
