{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T15:44:02Z","timestamp":1759333442629,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":49,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031944543"},{"type":"electronic","value":"9783031944550"}],"license":[{"start":{"date-parts":[[2025,9,5]],"date-time":"2025-09-05T00:00:00Z","timestamp":1757030400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,9,5]],"date-time":"2025-09-05T00:00:00Z","timestamp":1757030400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-031-94455-0_15","type":"book-chapter","created":{"date-parts":[[2025,9,4]],"date-time":"2025-09-04T09:23:29Z","timestamp":1756977809000},"page":"320-346","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["EasyCSPeasy: A Server-Side and\u00a0Language-Agnostic XSS Mitigation by\u00a0Devising and\u00a0Ensuring Compliance with\u00a0CSP"],"prefix":"10.1007","author":[{"given":"Beliz","family":"Kaleli","sequence":"first","affiliation":[]},{"given":"Manuel","family":"Egele","sequence":"additional","affiliation":[]},{"given":"Gianluca","family":"Stringhini","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,9,5]]},"reference":[{"key":"15_CR1","unstructured":"A Research-Oriented Top Sites Ranking Hardened Against Manipulation. https:\/\/tranco-list.eu\/"},{"key":"15_CR2","unstructured":"Abstract Syntax Trees. 
https:\/\/docs.python.org\/3\/library\/ast.html"},{"key":"15_CR3","unstructured":"Burp Scanner. https:\/\/portswigger.net\/burp\/vulnerability-scanner"},{"key":"15_CR4","unstructured":"C4software\/python-sitemap: Mini website crawler to make sitemap from a website. https:\/\/github.com\/c4software\/python-sitemap"},{"key":"15_CR5","unstructured":"Content-Security-Policy. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy"},{"key":"15_CR6","unstructured":"Content security policy level 3. https:\/\/www.w3.org\/TR\/CSP3\/"},{"key":"15_CR7","unstructured":"Cross site scripting (XSS). https:\/\/owasp.org\/www-community\/attacks\/xss\/"},{"key":"15_CR8","unstructured":"CSP:script-src - HTTP|MDN. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy\/script-src"},{"key":"15_CR9","unstructured":"CVE-2014-7183. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-7183"},{"key":"15_CR10","unstructured":"CVE-2020-15139. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-15139"},{"key":"15_CR11","unstructured":"CVE-2021-36823. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-36823"},{"key":"15_CR12","unstructured":"Esprima. https:\/\/esprima.org\/"},{"key":"15_CR13","unstructured":"Esprima: Parser. https:\/\/docs.esprima.org\/en\/latest\/syntax-tree-format.html"},{"key":"15_CR14","unstructured":"PhpBB - Free and Open Source Forum Software. https:\/\/www.phpbb.com\/"},{"key":"15_CR15","unstructured":"PhpMyAdmin. https:\/\/www.phpmyadmin.net\/"},{"key":"15_CR16","unstructured":"Search CVE list. https:\/\/cve.mitre.org\/cve\/search_cve_list.html"},{"key":"15_CR17","unstructured":"Selenium. https:\/\/selenium.dev"},{"key":"15_CR18","unstructured":"Squirrelmail - Webmail for nuts! https:\/\/squirrelmail.org\/"},{"key":"15_CR19","unstructured":"The Open Source Enterprise Wiki and Web Application Platform. 
https:\/\/twiki.org\/"},{"key":"15_CR20","unstructured":"Using a nonce with CSP. https:\/\/content-security-policy.com\/nonce\/"},{"key":"15_CR21","unstructured":"Websites using LiteCart. https:\/\/trends.builtwith.com\/websitelist\/LiteCart"},{"key":"15_CR22","unstructured":"What is a Sitemap? https:\/\/developers.google.com\/search\/docs\/crawling-indexing\/sitemaps\/overview"},{"key":"15_CR23","unstructured":"Wordpress.com: Built a Site, Sell Your Stuff, Start a Blog & More. https:\/\/wordpress.com\/"},{"key":"15_CR24","unstructured":"World Wide Web Consortium (W3C). https:\/\/www.w3.org\/"},{"key":"15_CR25","unstructured":"XAMPP Installers and Downloaders for Apache Friends. https:\/\/www.apachefriends.org\/index.html"},{"key":"15_CR26","unstructured":"Azad, B.A., Laperdrix, P., Nikiforakis, N.: Less is more: Quantifying the security benefits of debloating web applications. In: Proceedings of USENIX Security Symposium. Santa Clara, CA, USA, August 2019"},{"key":"15_CR27","doi-asserted-by":"crossref","unstructured":"Balzarotti, D., et al.: Saner: Composing static and dynamic analysis to validate sanitization in web applications. In: Proceedings of IEEE Symposium on Security and Privacy (S &P). Oakland, CA, USA, May 2008","DOI":"10.1109\/SP.2008.22"},{"key":"15_CR28","unstructured":"Bisht, P., Venkatakrishnan, V.N.: XSS-guard: precise dynamic prevention of cross-site scripting attacks. In: Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Paris, France, July 2008"},{"key":"15_CR29","doi-asserted-by":"crossref","unstructured":"Calzavara, S., Rabitti, A., Bugliesi, M.: Content security problems? In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). 
Vienna, Austria, October 2016","DOI":"10.1145\/2976749.2978338"},{"key":"15_CR30","unstructured":"Calzavara, S., Rabitti, A., Bugliesi, M.: CCSP: controlled relaxation of content security policies by runtime policy composition. In: Proceedings of USENIX Security Symposium. Vancouver, BC, Canada, August 2017"},{"key":"15_CR31","doi-asserted-by":"crossref","unstructured":"Cui, Y., Cui, J., Hu, J.: A survey on XSS attack detection and prevention in web applications. In: Proceedings of the International Conference on Machine Learning and Computing (ICMLC). Shenzhen, China, February 2020","DOI":"10.1145\/3383972.3384027"},{"key":"15_CR32","unstructured":"Doup\u00e9, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the state: a state-aware black-box web vulnerability scanner. In: Proceedings of USENIX Security Symposium. Bellevue, WA, USA, August 2012"},{"key":"15_CR33","doi-asserted-by":"crossref","unstructured":"Doup\u00e9, A., Cui, W., Jakubowski, M.H., Peinado, M., Kruegel, C., Vigna, G.: Dedacota: toward preventing server-side xss via automatic code and data separation. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). Berlin, Germany, November 2013","DOI":"10.1145\/2508859.2516708"},{"key":"15_CR34","doi-asserted-by":"crossref","unstructured":"Fazzini, M., Saxena, P., Orso, A.: Autocsp: automatically retrofitting CSP to web applications. In: Proceedings of IEEE\/ACM International Conference on Software Engineering (ICSE). Florence, Italy, May 2015","DOI":"10.1109\/ICSE.2015.53"},{"key":"15_CR35","doi-asserted-by":"crossref","unstructured":"Huang, Y.W., Huang, S.K., Lin, T.P., Tsai, C.H.: Web application security assessment by fault injection and behavior monitoring. In: Proceedings of the International Conference on World Wide Web (WWW). 
Budapest, Hungary, May 2003","DOI":"10.1145\/775173.775174"},{"key":"15_CR36","doi-asserted-by":"crossref","unstructured":"Lekies, S., Kotowicz, K., Gro\u00df, S., Vela\u00a0Nava, E.A., Johns, M.: Code-reuse attacks for the web: Breaking cross-site scripting mitigations via script gadgets. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS). Dallas, TX, USA, October 2017","DOI":"10.1145\/3133956.3134091"},{"key":"15_CR37","unstructured":"Lekies, S., Stock, B., Wentzel, M., Johns, M.: The unexpected dangers of dynamic JavaScript. In: Proceedings of USENIX Security Symposium. Washington, D.C., USA, August 2015"},{"key":"15_CR38","doi-asserted-by":"crossref","unstructured":"Louw, M.T., Venkatakrishnan, V.: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of IEEE Symposium on Security and Privacy (S &P). Oakland, CA, USA, May 2009","DOI":"10.1109\/SP.2009.33"},{"key":"15_CR39","doi-asserted-by":"crossref","unstructured":"Meyerovich, L.A., Livshits, B.: Conscript: specifying and enforcing fine-grained security policies for JavaScript in the browser. In: Proceedings of IEEE Symposium on Security and Privacy (S &P), Oakland, CA, USA, May 2010","DOI":"10.1109\/SP.2010.36"},{"key":"15_CR40","unstructured":"Nielsen, J.: Usability Engineering. Kaufmann (2009)"},{"key":"15_CR41","doi-asserted-by":"crossref","unstructured":"Pan, X., Cao, Y., Liu, S., Zhou, Y., Chen, Y., Zhou, T.: Cspautogen: black-box enforcement of content security policy upon real-world websites. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), Vienna, Austria, October 2016","DOI":"10.1145\/2976749.2978384"},{"key":"15_CR42","doi-asserted-by":"crossref","unstructured":"Roth, S., Barron, T., Calzavara, S., Nikiforakis, N., Stock, B.: Complex security policy? a longitudinal analysis of deployed content security policies. 
In: Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2020","DOI":"10.14722\/ndss.2020.23046"},{"key":"15_CR43","doi-asserted-by":"crossref","unstructured":"Saiedian, H., Broyle, D.: Security vulnerabilities in the same-origin policy: implications and alternatives. IEEE Computer (2011)","DOI":"10.1109\/MC.2011.226"},{"key":"15_CR44","doi-asserted-by":"crossref","unstructured":"Samuel, M., Saxena, P., Song, D.: Context-sensitive auto-sanitization in web templating languages using type qualifiers. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), Chicago, IL, USA, October 2011","DOI":"10.1145\/2046707.2046775"},{"key":"15_CR45","doi-asserted-by":"crossref","unstructured":"Saxena, P., Molnar, D., Livshits, B.: Scriptgard. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), Chicago, IL, USA, October 2011","DOI":"10.1145\/2046707.2046776"},{"key":"15_CR46","doi-asserted-by":"crossref","unstructured":"Steffens, M., Musch, M., Johns, M., Stock, B.: Who's hosting the block party? Studying third-party blockage of CSP and SRI. In: Proceedings of Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2021","DOI":"10.14722\/ndss.2021.24028"},{"key":"15_CR47","doi-asserted-by":"crossref","unstructured":"Weichselbaum, L., Spagnuolo, M., Lekies, S., Janc, A.: CSP is dead, long live CSP! On the insecurity of whitelists and the future of content security policy. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security (CCS), Vienna, Austria, October 2016","DOI":"10.1145\/2976749.2978363"},{"key":"15_CR48","doi-asserted-by":"crossref","unstructured":"Weissbacher, M., Lauinger, T., Robertson, W.: Why is CSP failing? Trends and challenges in CSP adoption. In: Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 
Gothenburg, Sweden, September 2014","DOI":"10.1007\/978-3-319-11379-1_11"},{"key":"15_CR49","first-page":"862","volume":"19","author":"G Xu","year":"2020","unstructured":"Xu, G., et al.: JSCSP: a novel policy-based XSS defense mechanism for browsers. IEEE Trans. Dependable Secur. Comput. 19, 862\u2013878 (2020)","journal-title":"IEEE Trans. Dependable Secur. Comput."}],"container-title":["Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","Security and Privacy in Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-94455-0_15","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,30]],"date-time":"2025-09-30T22:14:23Z","timestamp":1759270463000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-94455-0_15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,5]]},"ISBN":["9783031944543","9783031944550"],"references-count":49,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-94455-0_15","relation":{},"ISSN":["1867-8211","1867-822X"],"issn-type":[{"type":"print","value":"1867-8211"},{"type":"electronic","value":"1867-822X"}],"subject":[],"published":{"date-parts":[[2025,9,5]]},"assertion":[{"value":"5 September 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SecureComm","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Security and Privacy in Communication Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Dubai","order":3,"name":"conference_city","label":"Conference 
City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Arab Emirates","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 October 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 October 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"securecomm2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/securecomm.eai-conferences.org\/2024\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}