{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,19]],"date-time":"2026-06-19T13:31:05Z","timestamp":1781875865358,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":59,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484780","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"3085-3103","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":22,"title":["12 Angry Developers - A Qualitative Study on Developers' Struggles with CSP"],"prefix":"10.1145","author":[{"given":"Sebastian","family":"Roth","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security &amp; Saarland University, Saarbr\u00fccken, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Lea","family":"Gr\u00f6ber","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security &amp; Saarland University, Saarbr\u00fccken, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Michael","family":"Backes","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Katharina","family":"Krombholz","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ben","family":"Stock","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"issue":"4","key":"e_1_3_2_1_1_1","article-title":"Qualitative and quantitative research: Paradigmatic differences","volume":"2012","author":"Arghode Vishal","year":"2012","unstructured":"Vishal Arghode. Qualitative and quantitative research: Paradigmatic differences. Global Education Journal, 2012 (4), 2012.","journal-title":"Global Education Journal"},{"key":"e_1_3_2_1_2_1","volume-title":"RFC 6454: The Web Origin Concept. Online at https:\/\/www.ietf.org\/rfc\/rfc6454.txt","author":"Barth A.","year":"2011","unstructured":"A. Barth. RFC 6454: The Web Origin Concept. Online at https:\/\/www.ietf.org\/rfc\/rfc6454.txt, 2011."},{"key":"e_1_3_2_1_3_1","volume-title":"Introduction: Behind the scenes","author":"Blandford A","year":"2016","unstructured":"A Blandford, D Furniss, and S Makri. Introduction: Behind the scenes. 2016."},{"key":"e_1_3_2_1_4_1","unstructured":"]chromium-mixed-contentChromium Blog. Protecting users from insecure downloads in google chrome. https:\/\/blog.chromium.org\/2020\/02\/protecting-users-from-insecure.html a ."},{"key":"e_1_3_2_1_5_1","unstructured":"]firefox-https-onlyMozilla Security Blog. Firefox 83 introduces https-only mode. https:\/\/blog.mozilla.org\/security\/2020\/11\/17\/firefox-83-introduces-https-only-mode\/ b ."},{"key":"e_1_3_2_1_6_1","volume-title":"Using thematic analysis in psychology. Qualitative research in psychology, 3 (2): 77--101","author":"Braun Virginia","year":"2006","unstructured":"Virginia Braun and Victoria Clarke. Using thematic analysis in psychology. Qualitative research in psychology, 3 (2): 77--101, 2006."},{"key":"e_1_3_2_1_7_1","volume-title":"CCS","author":"Calzavara Stefano","year":"2016","unstructured":"Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi. Content security problems?: Evaluating the effectiveness of content security policy in the wild. In CCS, 2016."},{"key":"e_1_3_2_1_8_1","first-page":"683","volume-title":"29th $$USENIX$$ Security Symposium ($$USENIX$$ Security 20)","author":"Calzavara Stefano","year":"2020","unstructured":"Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes, and Ben Stock. A tale of two headers: a formal analysis of inconsistent click-jacking protection on the web. In 29th $$USENIX$$ Security Symposium ($$USENIX$$ Security 20), pages 683--697, 2020."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23091"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1177\/0049124113500475"},{"key":"e_1_3_2_1_11_1","unstructured":"]csp-com-hashescontent-security policy.com. Csp: Hashing. https:\/\/content-security-policy.com\/hash\/ a ."},{"key":"e_1_3_2_1_12_1","unstructured":"]csp-com-noncescontent-security policy.com. Csp: Nonces. https:\/\/content-security-policy.com\/nonce\/ b ."},{"key":"e_1_3_2_1_13_1","unstructured":"MITRE Common Weakness Enumeration (CWE). Cve search for security vulnerabilities (cross site scripting (xss)). https:\/\/www.cvedetails.com\/vulnerability-list.php?vendor_id=0&product_id=0&version_id=0&page=15&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=1&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=19379&sha=e3bb5586965f5a13bfaa78233a10ebc3f9606d12."},{"key":"e_1_3_2_1_14_1","unstructured":"diagrams.net. Diagrams. https:\/\/www.diagrams.net\/."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516708"},{"key":"e_1_3_2_1_16_1","unstructured":"TeamViewer Germany GmbH. Teamviewer. https:\/\/www.teamviewer.com\/."},{"key":"e_1_3_2_1_17_1","unstructured":"Google. Withgoogle: Content security policy. https:\/\/csp.withgoogle.com\/docs\/strict-csp.html."},{"key":"e_1_3_2_1_18_1","first-page":"170","volume-title":"HAISA","author":"Gorski Peter Leo","year":"2018","unstructured":"er]gorski2018warnPeter Leo Gorski, Luigi Lo Iacono, Stephan Wiefling, and Sebastian M\u00f6ller. Warn if secure or how to deal with security by default in software development?. In HAISA, pages 170--190, 2018."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_14"},{"key":"e_1_3_2_1_20_1","volume-title":"Same Origin Method Execution (SOME). Online at http:\/\/www.benhayak.com\/2015\/06\/same-origin-method-execution-some.html","author":"Hayak Ben","year":"2015","unstructured":"Ben Hayak. Same Origin Method Execution (SOME). Online at http:\/\/www.benhayak.com\/2015\/06\/same-origin-method-execution-some.html, 2015."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382276"},{"key":"e_1_3_2_1_22_1","volume-title":"ACM SIGSAC conference on Computer & communications security. ACM","author":"Heiderich Mario","year":"2013","unstructured":"Mario Heiderich, J\u00f6rg Schwenk, Tilman Frosch, Jonas Magazinius, and Edward Z Yang. mxss attacks: Attacking well-secured web-applications by using innerhtml mutations. In ACM SIGSAC conference on Computer & communications security. ACM, 2013."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2078827.2078845"},{"key":"e_1_3_2_1_24_1","unstructured":"Internet Security Research Group (ISRG). Let's encrypt. https:\/\/letsencrypt.org\/."},{"key":"e_1_3_2_1_25_1","unstructured":"Markus Jakobsson Zulfikar Ramzan and Sid Stamm. Javascript breaks free. http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.85.3195&rep=rep1&type=pdf ."},{"key":"e_1_3_2_1_26_1","volume-title":"Educational research: Quantitative, qualitative, and mixed approaches","author":"Johnson Burke","year":"2008","unstructured":"Burke Johnson and Larry Christensen. Educational research: Quantitative, qualitative, and mixed approaches. Sage, 2008."},{"key":"e_1_3_2_1_27_1","first-page":"39","volume-title":"Eleventh Symposium On Usable Privacy and Security ($$SOUPS$$ 2015","author":"Kang Ruogu","year":"2015","unstructured":"Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. ?my data just goes everywhere:\" user mental models of the internet and implications for privacy and security. In Eleventh Symposium On Usable Privacy and Security ($$SOUPS$$ 2015), pages 39--52, 2015."},{"key":"e_1_3_2_1_28_1","unstructured":"Amit Klein. Dom based cross site scripting or xss of the third kind. http:\/\/www.webappsec.org\/projects\/articles\/071105.shtml 2005."},{"key":"e_1_3_2_1_29_1","volume-title":"Content analysis: An introduction to its methodology","author":"Krippendorff Klaus","year":"2004","unstructured":"Klaus Krippendorff. Content analysis: An introduction to its methodology. Sage, London, 2004."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Katharina Krombholz Karoline Busse Katharina Pfeffer Matthew Smith and Emanuel von Zezschwitz. \"If HTTPS Were Secure I Wouldn't Need 2FA\"-End User and Administrator Mental Models of HTTPS. IEEE Security & Privacy 2019.","DOI":"10.1109\/SP.2019.00060"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134355"},{"key":"e_1_3_2_1_32_1","volume-title":"Morgan Kaufmann","author":"Lazar Jonathan","year":"2017","unstructured":"Jonathan Lazar, Jinjuan Heidi Feng, and Harry Hochheiser. Research methods in human-computer interaction. Morgan Kaufmann, 2017."},{"key":"e_1_3_2_1_33_1","volume-title":"CCS","author":"Lekies Sebastian","year":"2013","unstructured":"Sebastian Lekies, Ben Stock, and Martin Johns. 25 million flows later: Large-scale detection of dom-based xss. In CCS, 2013."},{"key":"e_1_3_2_1_34_1","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM","author":"Nava Vela","year":"2017","unstructured":"Vela Nava, and Johns]lekies2017codeSebastian Lekies, Krzysztof Kotowicz, Samuel Gro\u00df, Eduardo A Vela Nava, and Martin Johns. Code-reuse attacks for the web: Breaking cross-site scripting mitigations via script gadgets. In ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2017."},{"key":"e_1_3_2_1_35_1","unstructured":"Calendly LLC. Calendly. https:\/\/calendly.com\/."},{"key":"e_1_3_2_1_36_1","first-page":"297","volume-title":"Fourteenth Symposium on Usable Privacy and Security ($$SOUPS$$ 2018","author":"Naiakshina Alena","year":"2018","unstructured":"Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, and Matthew Smith. Deception task design in developer password studies: Exploring a student sample. In Fourteenth Symposium on Usable Privacy and Security ($$SOUPS$$ 2018), pages 297--313, 2018."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376791"},{"key":"e_1_3_2_1_38_1","unstructured":"Mozilla Development Network. Csp: frame-ancestors. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy\/frame-ancestors."},{"key":"e_1_3_2_1_39_1","volume-title":"Owasp top 10 web application security risks","author":"Application Security Open Web","year":"2017","unstructured":"Open Web Application Security Project (OWASP). Owasp top 10 web application security risks 2017. https:\/\/owasp.org\/www-project-top-ten\/2017\/A7_2017-Cross-Site_Scripting_(XSS)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978384"},{"key":"e_1_3_2_1_41_1","unstructured":"Phil Ringnalda. Getting around IE's MIME type mangling. http:\/\/weblog.philringnalda.com\/2004\/04\/06\/getting-around-ies-mime-type-mangling."},{"key":"e_1_3_2_1_42_1","volume-title":"Happy 10th birthday cross-site scripting. Online at https:\/\/blogs.msdn.microsoft.com\/dross\/2009\/12\/15\/happy-10th-birthday-cross-site-scripting\/","author":"Ross David","year":"2009","unstructured":"David Ross. Happy 10th birthday cross-site scripting. Online at https:\/\/blogs.msdn.microsoft.com\/dross\/2009\/12\/15\/happy-10th-birthday-cross-site-scripting\/, 2009."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Roth Backes and Stock]roth2020assessingSebastian Roth Michael Backes and Ben Stock. Assessing the impact of script gadgets on csp at scale. 2020 a .","DOI":"10.1145\/3320269.3372201"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.23046"},{"key":"e_1_3_2_1_45_1","volume-title":"NDSS","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. Flax: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS, 2010."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052634"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_3_2_1_48_1","volume-title":"Don't trust the locals: Investigating the prevalence of persistent client-side cross-site scripting in the wild","author":"Steffens Marius","year":"2019","unstructured":"Marius Steffens, Christian Rossow, Martin Johns, and Ben Stock. Don't trust the locals: Investigating the prevalence of persistent client-side cross-site scripting in the wild. 2019."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24028"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813625"},{"key":"e_1_3_2_1_51_1","volume-title":"Grounded theory in practice","author":"Strauss Anselm","year":"1997","unstructured":"Anselm Strauss and Juliet M Corbin. Grounded theory in practice. Sage, London, 1997."},{"key":"e_1_3_2_1_52_1","volume-title":"The dangers of persistent web browser storage","author":"Sutton Michael","year":"2009","unstructured":"Michael Sutton. The dangers of persistent web browser storage, 2009."},{"key":"e_1_3_2_1_53_1","volume-title":"EU Commission Recommendation (2003\/361\/EC). Online at https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32003H0361","author":"Union European","year":"2003","unstructured":"European Union. EU Commission Recommendation (2003\/361\/EC). Online at https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32003H0361, 2003."},{"key":"e_1_3_2_1_54_1","volume-title":"Online at https:\/\/www.w3.org\/TR\/CSP1\/","author":"C. CSP","year":"2015","unstructured":"W3C. CSP 1.0. Online at https:\/\/www.w3.org\/TR\/CSP1\/, 2015."},{"key":"e_1_3_2_1_55_1","volume-title":"Online at https:\/\/www.w3.org\/TR\/CSP2\/","author":"C. CSP","year":"2016","unstructured":"]csp2W3C. CSP Level 2. Online at https:\/\/www.w3.org\/TR\/CSP2\/, 2016 a ."},{"key":"e_1_3_2_1_56_1","volume-title":"Online at https:\/\/www.w3.org\/TR\/CSP3\/","author":"C. CSP","year":"2016","unstructured":"]csp3W3C. CSP Level 3. Online at https:\/\/www.w3.org\/TR\/CSP3\/, 2016 b ."},{"key":"e_1_3_2_1_57_1","unstructured":"GitHub W3C webappsec csp. Issue 7: Csp: connect-src 'self' and websockets. https:\/\/github.com\/w3c\/webappsec-csp\/issues\/7."},{"key":"e_1_3_2_1_58_1","volume-title":"CCS","author":"Weichselbaum Lukas","year":"2016","unstructured":"Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc. CSP is dead, long live CSP! On the insecurity of whitelists and the future of content security policy. In CCS, 2016."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_11"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484780","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484780","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:52:28Z","timestamp":1763499148000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484780"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":59,"alternative-id":["10.1145\/3460120.3484780","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484780","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}