CSP

Content Security Policy (CSP) is a browser feature designed to mitigate certain types of attacks, like Cross-Site Scripting (XSS). It enables websites to specify which sources of content are allowed to be loaded and executed. However, some astute developers discovered that differences in CSP implementation across browsers and versions can be used as a fingerprinting technique.

CSP fingerprinting exploits differences in how browsers handle CSP violations. By deliberately causing violations and monitoring the resulting reports, one can discern specific browser characteristics, thereby pinpointing a specific browser version or even individual users.

How to Implement CSP Fingerprinting in JavaScript

Here’s a basic outline of how you can implement CSP fingerprinting:

  1. Set up a CSP: Serve a strict CSP for the page and include the report-uri or report-to directive, pointing at a server endpoint that collects violation reports. Deliver the policy as an HTTP response header rather than in a <meta> tag, because browsers ignore report-uri when the policy is delivered via <meta>:

    Content-Security-Policy: default-src 'none'; report-uri /csp-report-endpoint
  2. Introduce Violations: Use JavaScript to dynamically load content or execute scripts that violate the defined CSP. This might include:

    • Loading an image from an unauthorized domain.
    • Inline script execution.
    • Using unauthorized APIs.
  3. Collect Reports: When the browser detects the violations, it will send a CSP report to the specified report-uri. This report will contain various details like the violated directive and the source of violation.

  4. Analyze Reports: Examine the reports for discrepancies in format, content, or other nuances, which can give clues about the browser’s make and version.
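Steps 3 and 4 both depend on the report endpoint being able to read what the browser actually sends, and that is where the first discrepancy shows up: a browser using report-uri posts a JSON object wrapped in a csp-report key with hyphenated field names (Content-Type application/csp-report), while a browser using report-to posts an array of Reporting API entries with camelCase field names (Content-Type application/reports+json). The following Node.js module is an added example, not code from the original page; it normalizes both delivery formats into one shape and then triages the result by directive and by format. The endpoint path, the sample reports, and the user-agent string are constructed for illustration.

```javascript
// Added example (not from the original page): normalize CSP violation reports
// delivered via `report-uri` (application/csp-report) or via `report-to` /
// the Reporting API (application/reports+json) into one shape, then triage.
// All sample reports below are constructed, not real captures.

// Legacy format: { "csp-report": { "document-uri": ..., "blocked-uri": ... } }
function normalizeLegacyReport(payload) {
  const r = payload && payload["csp-report"];
  if (!r || typeof r !== "object") {
    throw new Error("missing csp-report wrapper");
  }
  return {
    format: "report-uri",
    documentUrl: r["document-uri"] || "",
    blockedUrl: r["blocked-uri"] || "",
    effectiveDirective: r["effective-directive"] || r["violated-directive"] || "",
    disposition: r["disposition"] || "enforce",
    userAgent: null, // not in the legacy body; read it from the HTTP request instead
  };
}

// Reporting API format: [{ type: "csp-violation", url, user_agent, body: {...} }]
function normalizeReportingApiReport(entry) {
  if (!entry || entry.type !== "csp-violation" || typeof entry.body !== "object") {
    throw new Error("not a csp-violation report");
  }
  const b = entry.body;
  return {
    format: "report-to",
    documentUrl: b.documentURL || entry.url || "",
    blockedUrl: b.blockedURL || "",
    effectiveDirective: b.effectiveDirective || "",
    disposition: b.disposition || "enforce",
    userAgent: entry.user_agent || null,
  };
}

// Dispatch on the request's Content-Type; `body` is the already-parsed JSON.
function normalizeCspReports(contentType, body) {
  const type = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (type === "application/csp-report") {
    return [normalizeLegacyReport(body)];
  }
  if (type === "application/reports+json") {
    const entries = Array.isArray(body) ? body : [body];
    return entries.filter((e) => e && e.type === "csp-violation").map(normalizeReportingApiReport);
  }
  throw new Error(`unsupported report content type: ${type}`);
}

// Triage: count by effective directive and by delivery format, and flag reports
// whose blocked URL is a browser-extension scheme (extension noise, not a page bug).
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-extension:"];

function triage(reports) {
  const byDirective = {};
  const byFormat = {};
  let extensionNoise = 0;
  for (const r of reports) {
    byDirective[r.effectiveDirective] = (byDirective[r.effectiveDirective] || 0) + 1;
    byFormat[r.format] = (byFormat[r.format] || 0) + 1;
    if (EXTENSION_SCHEMES.some((s) => r.blockedUrl.startsWith(s))) extensionNoise += 1;
  }
  return { byDirective, byFormat, extensionNoise };
}

// Constructed sample reports, one per delivery format.
const SAMPLE_LEGACY = {
  "csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "img-src",
    "effective-directive": "img-src",
    "original-policy": "default-src 'none'; report-uri /csp-report-endpoint",
    "blocked-uri": "https://cdn.example.test/pixel.png",
    "disposition": "enforce",
  },
};

const SAMPLE_REPORTING_API = [
  {
    type: "csp-violation", url: "https://example.test/page",
    user_agent: "ExampleBrowser/1.0 (constructed)",
    body: { documentURL: "https://example.test/page", blockedURL: "inline",
            effectiveDirective: "script-src-elem",
            originalPolicy: "default-src 'none'; report-to csp-endpoint", disposition: "enforce" },
  },
  {
    type: "csp-violation", url: "https://example.test/page",
    user_agent: "ExampleBrowser/1.0 (constructed)",
    body: { documentURL: "https://example.test/page",
            blockedURL: "chrome-extension://abcdefghijklmnop/inject.js",
            effectiveDirective: "script-src-elem",
            originalPolicy: "default-src 'none'; report-to csp-endpoint", disposition: "enforce" },
  },
];

function demo() {
  const all = [
    ...normalizeCspReports("application/csp-report", SAMPLE_LEGACY),
    ...normalizeCspReports("application/reports+json; charset=utf-8", SAMPLE_REPORTING_API),
  ];
  return triage(all);
}

console.log(JSON.stringify(demo(), null, 2));
```

Wire normalizeCspReports into the POST handler for the endpoint named in the policy and store the normalized records; the format field records which delivery mechanism the browser used, and the extension-scheme filter keeps browser add-on injections from being mistaken for a policy failure on the page itself.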