{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,18]],"date-time":"2026-03-18T10:45:55Z","timestamp":1773830755991,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":39,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,10,24]],"date-time":"2016-10-24T00:00:00Z","timestamp":1477267200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,10,24]]},"DOI":"10.1145\/2976749.2978363","type":"proceedings-article","created":{"date-parts":[[2016,10,25]],"date-time":"2016-10-25T12:46:35Z","timestamp":1477399595000},"page":"1376-1387","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":66,"title":["CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy"],"prefix":"10.1145","author":[{"given":"Lukas","family":"Weichselbaum","sequence":"first","affiliation":[{"name":"Google, Z\u00fcrich, Switzerland"}]},{"given":"Michele","family":"Spagnuolo","sequence":"additional","affiliation":[{"name":"Google, Z\u00fcrich, Switzerland"}]},{"given":"Sebastian","family":"Lekies","sequence":"additional","affiliation":[{"name":"Google, Z\u00fcrich, Switzerland"}]},{"given":"Artur","family":"Janc","sequence":"additional","affiliation":[{"name":"Google, Z\u00fcrich, Switzerland"}]}],"member":"320","published-online":{"date-parts":[[2016,10,24]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"USENIX conference on Web application development","author":"Athanasopoulos E.","year":"2010","unstructured":"E. Athanasopoulos , V. Pappas , A. Krithinakis , S. Ligouras , E. P. Markatos , and T. Karagiannis . xjs: practical xss prevention for web application development . In USENIX conference on Web application development , 2010 . E. Athanasopoulos, V. Pappas, A. Krithinakis, S. Ligouras, E. P. Markatos, and T. Karagiannis. xjs: practical xss prevention for web application development. In USENIX conference on Web application development, 2010."},{"key":"e_1_3_2_1_2_1","volume-title":"Bug 54379 - add basic parser for content security policy","author":"Barth A.","year":"2011","unstructured":"A. Barth . Bug 54379 - add basic parser for content security policy , 2011 . A. Barth. Bug 54379 - add basic parser for content security policy, 2011."},{"key":"e_1_3_2_1_3_1","volume-title":"Content security policy level 2. W3C Working Draft","author":"Barth A.","year":"2014","unstructured":"A. Barth , D. Veditz , and M. West . Content security policy level 2. W3C Working Draft , 2014 . A. Barth, D. Veditz, and M. West. Content security policy level 2. W3C Working Draft, 2014."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772701"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653713"},{"key":"e_1_3_2_1_6_1","unstructured":"CERT. Advisory ca-2000-02 malicious html tags embedded in client web requests Feb. 2000.  CERT. Advisory ca-2000-02 malicious html tags embedded in client web requests Feb. 2000."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516708"},{"key":"e_1_3_2_1_8_1","unstructured":"M. Foundation. Csp policy directives 2016.  M. Foundation. Csp policy directives 2016."},{"key":"e_1_3_2_1_9_1","volume-title":"NDSS","author":"Gundy M. V.","year":"2009","unstructured":"M. V. Gundy and H. Chen . Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks . In NDSS , 2009 . M. V. Gundy and H. Chen. Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In NDSS, 2009."},{"key":"e_1_3_2_1_10_1","volume-title":"Clickjacking","author":"Hansen R.","year":"2008","unstructured":"R. Hansen and J. Grossman . Clickjacking , 2008 . R. Hansen and J. Grossman. Clickjacking, 2008."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_14"},{"key":"e_1_3_2_1_12_1","volume-title":"Same origin method execution (some): Exploiting a callback for same origin policy bypass","author":"Hayak B.","year":"2014","unstructured":"B. Hayak . Same origin method execution (some): Exploiting a callback for same origin policy bypass , 2014 . B. Hayak. Same origin method execution (some): Exploiting a callback for same origin policy bypass, 2014."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382276"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516723"},{"key":"e_1_3_2_1_15_1","volume-title":"Using content-security-policy for evil","author":"Homakov E.","year":"2014","unstructured":"E. Homakov . Using content-security-policy for evil , 2014 . E. Homakov. Using content-security-policy for evil, 2014."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242654"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2014.03.007"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.29"},{"key":"e_1_3_2_1_19_1","unstructured":"C. Kerschbaumer S. Stamm and S. Brunthaler. Injecting csp for fun and security.  C. Kerschbaumer S. Stamm and S. Brunthaler. Injecting csp for fun and security."},{"key":"e_1_3_2_1_20_1","volume-title":"Dom based cross site scripting or xss of the third kind","author":"Klein A.","year":"2005","unstructured":"A. Klein . Dom based cross site scripting or xss of the third kind . Web Application Security Consortium Articles 4, 2005 . A. Klein. Dom based cross site scripting or xss of the third kind. Web Application Security Consortium Articles 4, 2005."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.33"},{"key":"e_1_3_2_1_23_1","unstructured":"G. Maone. Noscript.  G. Maone. Noscript."},{"key":"e_1_3_2_1_24_1","unstructured":"MITRE. Common vulnerabilities and exposures - the standard for information security vulnerability names.  MITRE. Common vulnerabilities and exposures - the standard for information security vulnerability names."},{"key":"e_1_3_2_1_25_1","volume-title":"NDSS","author":"Nadji Y.","year":"2009","unstructured":"Y. Nadji , P. Saxena , and D. Song . Document structure integrity: A robust basis for cross-site scripting defense . In NDSS , 2009 . Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust basis for cross-site scripting defense. In NDSS, 2009."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455783"},{"key":"e_1_3_2_1_27_1","author":"Patil K.","year":"2016","unstructured":"K. Patil and B. Frederik . A measurement study of the content security policy on real-world applications. International Journal of Network Security , 2016 . K. Patil and B. Frederik. A measurement study of the content security policy on real-world applications. International Journal of Network Security, 2016.","journal-title":"International Journal of Network Security"},{"key":"e_1_3_2_1_28_1","volume-title":"IE 8 xss filter architecture\/implementation. Blog: http:\/\/goo.gl\/eOiPsI","author":"Ross D.","year":"2008","unstructured":"D. Ross . IE 8 xss filter architecture\/implementation. Blog: http:\/\/goo.gl\/eOiPsI , 2008 . D. Ross. IE 8 xss filter architecture\/implementation. Blog: http:\/\/goo.gl\/eOiPsI, 2008."},{"key":"e_1_3_2_1_29_1","volume-title":"NDSS","author":"Saxena P.","year":"2010","unstructured":"P. Saxena , S. Hanna , P. Poosankam , and D. Song . Flax: Systematic discovery of client-side validation vulnerabilities in rich web applications . In NDSS , 2010 . P. Saxena, S. Hanna, P. Poosankam, and D. Song. Flax: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS, 2010."},{"key":"e_1_3_2_1_30_1","volume-title":"May","author":"Security W.","year":"2013","unstructured":"W. Security . Website security statistics report , May 2013 . W. Security. Website security statistics report, May 2013."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_3_2_1_32_1","volume-title":"Creating a safer web with content security policy","author":"Sterne B.","year":"2011","unstructured":"B. Sterne . Creating a safer web with content security policy , 2011 . B. Sterne. Creating a safer web with content security policy, 2011."},{"key":"e_1_3_2_1_33_1","volume-title":"USENIX Security","author":"Stock B.","year":"2014","unstructured":"B. Stock , S. Lekies , T. Mueller , P. Spiegel , and M. Johns . Precise client-side protection against dom-based cross-site scripting . In USENIX Security , 2014 . B. Stock, S. Lekies, T. Mueller, P. Spiegel, and M. Johns. Precise client-side protection against dom-based cross-site scripting. In USENIX Security, 2014."},{"key":"e_1_3_2_1_34_1","volume-title":"NDSS","author":"Vogt P.","year":"2007","unstructured":"P. Vogt , F. Nentwich , N. Jovanovic , E. Kirda , C. Kruegel , and G. Vigna . Cross site scripting prevention with dynamic data tainting and static analysis . In NDSS , 2007 . P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In NDSS, 2007."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368112"},{"key":"e_1_3_2_1_36_1","unstructured":"M. Weissbacher T. Lauinger and W. Robertson. Why is csp failing? trends and challenges in csp adoption. In RAID'14.  M. Weissbacher T. Lauinger and W. Robertson. Why is csp failing? trends and challenges in csp adoption. In RAID'14."},{"key":"e_1_3_2_1_37_1","volume-title":"February, 2013.","author":"Wichers D.","year":"2013","unstructured":"D. Wichers . Owasp top-10 2013 . OWASP Foundation , February, 2013. D. Wichers. Owasp top-10 2013. OWASP Foundation, February, 2013."},{"key":"e_1_3_2_1_38_1","volume-title":"Online at http:\/\/lcamtuf.coredump.cx\/postxss","author":"Zalewski M.","year":"2011","unstructured":"M. Zalewski . Postcards from the post-xss world. Online at http:\/\/lcamtuf.coredump.cx\/postxss , 2011 . M. Zalewski. Postcards from the post-xss world. Online at http:\/\/lcamtuf.coredump.cx\/postxss, 2011."},{"key":"e_1_3_2_1_39_1","volume-title":"The subtle \/ deadly problem with csp. Online at http:\/\/goo.gl\/sK4w7q","author":"Zalewski M.","year":"2011","unstructured":"M. Zalewski . The subtle \/ deadly problem with csp. Online at http:\/\/goo.gl\/sK4w7q , 2011 . M. Zalewski. The subtle \/ deadly problem with csp. Online at http:\/\/goo.gl\/sK4w7q, 2011."}],"event":{"name":"CCS'16: 2016 ACM SIGSAC Conference on Computer and Communications Security","location":"Vienna Austria","acronym":"CCS'16","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2976749.2978363","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2976749.2978363","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:40:14Z","timestamp":1750218014000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2976749.2978363"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,10,24]]},"references-count":39,"alternative-id":["10.1145\/2976749.2978363","10.1145\/2976749"],"URL":"https:\/\/doi.org\/10.1145\/2976749.2978363","relation":{},"subject":[],"published":{"date-parts":[[2016,10,24]]},"assertion":[{"value":"2016-10-24","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}