On the Content Security Policy Violations due to the Same-Origin Policy

Modern browsers implement different security policies such as the Content Security Policy (CSP), a mechanism designed to mitigate popular web vulnerabilities, and the Same Ori- gin Policy (SOP), a mechanism that governs interactions between resources of web pages. In this work, we describe how CSP may be violated due to the SOP when a page contains an embedded iframe from the same origin. We analyse 1 million pages from 10,000 top Alexa sites and report that in 94% of cases, CSP may be vio- lated in presence of the document.domain API and in 23.5% of cases CSP may be violated without any assumptions. During our study, we also identified a divergence among browsers implementations in the enforcement of CSP in sr- cdoc sandboxed iframes, which actually reveals an inconsis- tency between the CSP and the HTML5 specification sand- box attribute for iframes. To ameliorate the problematic conflicts of the security mechanisms, we discuss measures to avoid CSP violations.