Web Mitigation Metrics

§ Content Security Policy

We believe that a carefully-crafted Content Security Policy can help protect web applications from injection attacks that would otherwise lead to script execution. Strict CSP is a reasonable approach, one which we'd like to encourage.

The data below is gathered from Chrome's usage statistics, and represents the percentage of Chrome page loads that use CSP at all, that define a Strict CSP, and that define a Stricter CSP that avoids 'strict-dynamic'.

Web Platform Tests: /content-security-policy

Chrome Edge Firefox Safari
91.87% 91.95% 81.54% 78.99%

§ Trusted Types

Trusted Types give developers the ability to avoid the risks of dumping raw strings into DOM methods and setters that can cause script execution.

The data below is gathered from Chrome's usage statistics, and represents the percentage of Chrome page loads that use Trusted Types in either enforcing or reporting mode, and of those, which enforce Trusted Types.

Web Platform Tests: /trusted-types

Chrome Edge Firefox Safari
93.60% 93.60% 9.80% 9.87%

§ Isolation

Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy help developers mitigate the risk of Spectre and similar attacks.

The data below is gathered from Chrome's usage statistics, and represents the percentage of Chrome page loads that use COOP and COEP, and those that have opted into cross-origin isolation by using both.

Web Platform Tests:

CORP: /fetch/cross-origin-resource-policy

Chrome Edge Firefox Safari
99.07% 99.07% 99.07% 99.07%

COEP: /html/cross-origin-embedder-policy

Chrome Edge Firefox Safari
91.07% 91.77% 78.35% 78.28%

COOP:/html/cross-origin-opener-policy

Chrome Edge Firefox Safari
88.60% 87.81% 74.88% 79.48%

§ Subresource Integrity

Developers can ensure that they load only the script and style resources they intend to load, mitigating the risk that an untrusted server could replace it maliciously, by adding integrity attributes to elements as defined in Subresource Integrity. This, especially in combination with CSP is a powerful tool, which we'd like to encourage folks to use.

The data below is gathered from Chrome's usage statistics, and represents the percentage of Chrome page loads that use SRI successfully, and those that have resources which fail an SRI check.

Web Platform Tests: /subresource_integrity

Chrome Edge Firefox Safari
100.00% 100.00% 100.00% 100.00%

§ Sandboxing

Documents can be placed into a sandbox, giving them an opaque origin, and limiting their ability to take certain actions, like navigating the top-level document, execute script, submit forms, and so on. This can be done either via the sandbox IFrame attribute or via the sandbox CSP directive.

The data below is gathered from Chrome's usage statistics, representing the percentage of Chrome page loads that sandbox a document via either IFrame attributes, or CSP directives.

Web Platform Tests: ?"sandbox"

Chrome Edge Firefox Safari
75.49% 76.29% 74.50% 57.10%

§ Fetch Metadata

The information provided in the HTTP request headers defined by Fetch Metadata can give servers the ability to defend themselves from side-channel attacks by making better decisions about which requests to respond to, and which to reject a priori. We believe that a Resource Isolation Policy is a robust approach to some common cross-site vulnerabilities, and we encourage its implementation.

Web Platform Tests: /fetch/metadata

Chrome Edge Firefox Safari
94.19% 94.33% 95.28% 77.80%

§ HTML Sanitizer API

The HTML Sanitizer API allow developers to take untrusted strings of HTML, and sanitize them for safe insertion into a document’s DOM to minimize the risk of unintended script execution.

Web Platform Tests: /sanitizer-api

Chrome Edge Firefox Safari
6.18% 6.18% 12.73% 12.73%