Google Releases CSP Web Developer Tools To Combat XSS Cyber Attacks

Google has launched a tool to help web developers stamp out cross-site scripting (XSS) attacks, after paying out more than $1.2 million over the past two years to researchers who reported such bugs.

XSS is one of the most common classes of web application vulnerability. It occurs when attacker-controlled input is reflected or stored in a page without proper escaping, so that the attacker's script executes in the victim's browser as part of the vulnerable site's own origin. Because the injected code runs inside that origin, the same-origin policy, which normally isolates one site from another, offers no protection: the script can read session data and act on the user's behalf.

Content Security Policy (CSP) is designed as a second line of defence. The server sends a Content-Security-Policy HTTP header declaring which script sources the browser is allowed to execute, so that if an attacker does manage to inject HTML into a page, the browser refuses to run the injected script.

But in practice, the flexibility CSP gives developers to express a multitude of policies means it is easy to set a policy that appears to work but offers no real security benefit.

“We analysed over one billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS,” said Google’s Information Security team.

“One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections.”
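The kind of check that turns a policy string into a list of weaknesses, as an added illustration of what a CSP evaluator does (this is example code written for this page, not Google's CSP Evaluator or its rules). The host names in the bypass list are constructed placeholders standing in for the allowlisted domains a real evaluator knows to expose script-loading gadgets; they are not the domains Google's study identified.

```javascript
// Added example (not Google's CSP Evaluator): a minimal Content-Security-Policy
// checker that flags the classes of misconfiguration the article describes.
// Node.js, no dependencies.

// Parse "dir1 src src; dir2 src" into { dir1: [src, src], dir2: [src] }.
// Directive names are case-insensitive; source expressions are kept as written.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Placeholder for the list of allowlisted hosts that a real evaluator knows
// to expose JSONP endpoints or similar gadgets. These names are constructed
// for the example and are not the hosts Google found.
const HOSTS_WITH_KNOWN_BYPASSES = new Set([
  'jsonp.cdn.example',
  'widgets.example',
]);

// Strip scheme, port and path: https://cdn.example:443/x -> cdn.example
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[/:]/)[0].toLowerCase();
}

// Return a list of findings describing why the policy would not stop XSS.
function evaluatePolicy(header) {
  const policy = parsePolicy(header);
  const findings = [];

  // script-src falls back to default-src when absent; if neither is present
  // the policy places no restriction on scripts at all.
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return findings;
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  // 'unsafe-inline' lets any injected <script> run. Browsers ignore it once a
  // nonce or hash is present (it is then only a fallback for old browsers).
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script-src: injected inline scripts execute");
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script-src: eval() of attacker data executes");
  }
  for (const s of scriptSrc) {
    if (s === '*' || /^(https?|data):$/i.test(s)) {
      findings.push(`${s} in script-src: scripts from any matching origin are allowed`);
    } else if (!s.startsWith("'") && HOSTS_WITH_KNOWN_BYPASSES.has(hostOf(s))) {
      findings.push(`${s} in script-src: host exposes a known CSP bypass`);
    }
  }
  // object-src also falls back to default-src; plugin content can run script.
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push("no object-src: plugin content is unrestricted, set object-src 'none'");
  }
  // base-uri has no fallback; an injected <base> can redirect relative script URLs.
  if (!policy['base-uri']) {
    findings.push("no base-uri: injected <base> can hijack relative script URLs");
  }
  return findings;
}

module.exports = { parsePolicy, evaluatePolicy };
```

Running `evaluatePolicy("script-src 'self' 'unsafe-inline' https://jsonp.cdn.example")` on an allowlist policy of the kind the article describes yields four findings, while a nonce-based policy with `object-src 'none'` and `base-uri 'none'` yields none.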

In XSS

The prevalence of XSS prompted Google to release CSP Evaluator, the tool its own developers use to visualise the effect of a policy and detect misconfigurations in it.

“CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers,” the Information Security team explained.

However, Google indicated it will take more than just the CSP Evaluator to make web apps immune to XSS attacks.

“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed,” the team explained.

“Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce — an unpredictable, single-use token which has to match a value set in the policy.”

To make nonce-based CSP easier to adopt, Google has also released CSP Mitigator, a Chrome browser extension that helps developers review the impact of enabling a nonce-based policy on their application, highlighting any compatibility problems it would cause.

These tools should help developers combat XSS, a class of attack that puts the users of even popular sites at risk.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
