We recently started using CSP (Content Security Policy) on some of our websites. The primary goal was to make the websites more secure, but along the way we also learned a lot about browser extensions making requests to adservers and other kinds of adware and malware.
CSP in a Nutshell
CSP works like this:
- The website’s admin configures a whitelist of third party websites and resources that are legitimately used when visiting the website. This includes external CDNs, analytics services and such.
- Requests to any other host will be blocked by the browser. This mitigates attacks like XSS (Cross Site Scripting) or data injection.
When we deployed CSP on our sites we meticulously crafted the whitelists to include all legitimate resources. But we still get quite a lot of CSP violation reports – reports about requests to non-whitelisted hosts that have been blocked by the browser.
These reports could be caused by attempted XSS or data injection attacks. After all, blocking these kind of attacks is exactly the purpose of CSP. However, we investigated our application logfiles and data and confirmed that no attacks had been attempted.
This leaves us with the second cause for CSP violation reports: Browser extensions.
Browser Extensions causing CSP Violations
Here’s a breakdown of the top blocked domains according to the CSP violation reports we get.
All of these requests are caused by browser extensions, adware, or malware.
Analysis of Blocked Domains
Some blocked requests are innocuous, for example:
fonts.googleapis.comhosts Google Webfonts, these requests seem to originate from browser extensions like Font Changer with Google Web Fonts™.
maxcdn.bootstrap.cdnis the CDN for the Boostrap UI framework. This is likely to be caused by browser extensions relying on Bootstrap for their UI.
Other blocked hosts are part of ad delivery networks. These requests seem to be caused by adware or browser extensions behaving like adware:
secure.surfbuyermac.comrelates to the “SurfBuyer” adware, also known as “MyShopBot”, “My WebEnhancer”, “My ShopMate” and various other names. Once installed it “enables placement of third party graphical content on any site […] thereby significantly diminishing the web browsing experience.”
cdncash.comare adservers used by several browser extensions like “Screengrab” or “S3.Google Translator”. These extensions also inject unrelated ads into the webpages you’re visiting.
There’s a third group of blocked hosts that seem related to (or at least used by) malware like viruses, trojans, ransomware, scamware and such. For example, searching VirusTotal for s.pmddby.com or eluxer.net shows up a lot of malware files embedding these domains, including viruses like Win32/Sality and Win32/Dynamer!ac.
Of course these domains are not exclusively used by malware, so (blocked) connections to these hosts does not necessarily imply that your computer is infected.
Nicolas Hoffmann is putting together a comprehensive list of WTFs in CSP notifications on GitHub: github.com/nico3333fr/CSP-useful/tree/master/csp-wtf
Conclusio: Watch Your Browser Extensions!
Browser extensions are powerful and convenient tools. But they also might annoy you by displaying (even more) ads and popups, and some have even been found to track and sell your complete browsing history. Be picky about the extensions you install in the first place, and remove any extensions you don’t really need.
We take security seriously in everything we do. Need advice?