Web Mitigation Metrics
§
Content Security Policy
We believe that a carefully-crafted
Content Security Policy
can help protect web applications from injection attacks that would otherwise lead to script
execution. Strict CSP is a
reasonable approach, one which we'd like to encourage.
The data below is gathered from
Chrome's usage statistics,
and represents the percentage of Chrome page loads that use CSP at all, that define a
Strict CSP, and that define
a Stricter CSP that avoids 'strict-dynamic'
.
Chrome |
Edge |
Firefox |
Safari |
91.87% |
91.95% |
81.54% |
78.99% |
§
Trusted Types
Trusted Types give developers
the ability to avoid the risks of dumping raw strings into DOM methods and setters that can
cause script execution.
The data below is gathered from
Chrome's usage statistics,
and represents the percentage of Chrome page loads that use Trusted Types in either enforcing
or reporting mode, and of those, which enforce Trusted Types.
Chrome |
Edge |
Firefox |
Safari |
93.60% |
93.60% |
9.80% |
9.87% |
§
Isolation
Cross-Origin-Opener-Policy
and Cross-Origin-Embedder-Policy
help
developers mitigate the risk of Spectre and similar
attacks.
The data below is gathered from
Chrome's usage statistics,
and represents the percentage of Chrome page loads that use COOP and COEP, and those that
have opted into cross-origin isolation by using both.
Chrome |
Edge |
Firefox |
Safari |
99.07% |
99.07% |
99.07% |
99.07% |
Chrome |
Edge |
Firefox |
Safari |
91.07% |
91.77% |
78.35% |
78.28% |
Chrome |
Edge |
Firefox |
Safari |
88.60% |
87.81% |
74.88% |
79.48% |
§
Subresource Integrity
Developers can ensure that they load only the script and style resources they intend to load,
mitigating the risk that an untrusted server could replace it maliciously, by adding
integrity
attributes to elements as defined in
Subresource Integrity. This, especially
in combination with CSP is
a powerful tool, which we'd like to encourage folks to use.
The data below is gathered from
Chrome's usage statistics,
and represents the percentage of Chrome page loads that use SRI successfully, and those that
have resources which fail an SRI check.
Chrome |
Edge |
Firefox |
Safari |
100.00% |
100.00% |
100.00% |
100.00% |
§
Sandboxing
Documents can be placed into a sandbox, giving them an opaque origin, and limiting their
ability to take certain actions, like navigating the top-level document, execute script,
submit forms, and so on. This can be done either via the
sandbox
IFrame attribute
or via the sandbox
CSP directive.
The data below is gathered from
Chrome's usage statistics,
representing the percentage of Chrome page loads that sandbox a document via either IFrame
attributes, or CSP directives.
Chrome |
Edge |
Firefox |
Safari |
75.49% |
76.29% |
74.50% |
57.10% |
The information provided in the HTTP request headers defined by
Fetch Metadata
can give servers the ability to defend themselves from side-channel attacks by making
better decisions about which requests to respond to, and which to reject a priori.
We believe that a
Resource Isolation Policy
is a robust approach to some common cross-site vulnerabilities, and we encourage its implementation.
Chrome |
Edge |
Firefox |
Safari |
94.19% |
94.33% |
95.28% |
77.80% |
§
HTML Sanitizer API
The HTML Sanitizer API allow developers to take untrusted strings of HTML, and sanitize them for safe insertion into a document’s DOM to minimize the risk of unintended script execution.
Chrome |
Edge |
Firefox |
Safari |
6.18% |
6.18% |
12.73% |
12.73% |