A number of years ago I was trying to renew my subscription to a well-known antivirus tool and found that there were 37 different URLs invoked on the checkout page, including two with .cn TLDs. Needless to say, the renewal didn’t happen.
If you use a browser plugin such as Ghostery, you have probably been astounded at how many apparently superfluous connections are made to external organizations when you navigate to even well-known sites. Those connections are there to track your every move and, potentially, to harvest every piece of data you enter.
Cross-site scripting (XSS), cross-site request forgery (CSRF, also written XSRF) and other horrors have evolved over time as weaknesses in browsers, and in the web applications they render, have been exploited.
A recent case, highlighted during an interesting session of the PCI North American Community Meeting, showed malicious adverts, delivered only occasionally to the company's website through permitted off-site content frames, skimming Cardholder Data (CHD). Because the malicious advert was served only some of the time, most visits to the page looked entirely normal.
While it is easy for an individual who knows what they are doing to install and use a tool such as Ghostery to warn of such hidden URL connections, it is a lot harder for an enterprise to ask its staff to monitor such things, and naive to expect that customers will do so.
Even within a corporate environment, few organizations record browser traffic in enough detail to see such things, and DNS query logs are rarely reviewed to confirm that every resolution request makes sense. Those superfluous (or even malicious) URLs on a page matter here because an expected, permitted browser frame is exactly what gets used to facilitate data theft. Such a review also covers only the browsers you operate: a skimmer that fires only in customers' browsers never appears in your own DNS or proxy logs. Tracking intermittent malicious advert delivery is therefore very difficult and requires excellent diagnostic rigor.
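As an added example of the kind of review the paragraph above says rarely happens (my own illustration, not part of the original post): a small script that runs DNS query logs against an allowlist of the domains your pages are expected to reach and reports whatever is left over, with counts and first-seen times, so that a name resolved once by a single client stands out. The log format, the hostnames and the allowlist are all constructed for illustration.

```javascript
"use strict";
// Added example, not from the original post: review DNS query logs against an
// allowlist of expected domains. Log format, names and allowlist are constructed.

// Constructed log lines in the form "<iso-time> <client-ip> <queried-name>".
// The name under attacker.example is resolved exactly once, by one client: the
// signature of an advert that is only occasionally malicious.
const SAMPLE_DNS_LOG = `
2024-03-01T09:00:01Z 10.1.2.10 shop.example.com
2024-03-01T09:00:01Z 10.1.2.10 static.example-cdn.net
2024-03-01T09:00:02Z 10.1.2.10 ads.example-adnetwork.net
2024-03-01T09:00:02Z 10.1.2.10 pay.example-psp.com
2024-03-01T09:05:17Z 10.1.2.22 shop.example.com
2024-03-01T09:05:18Z 10.1.2.22 cdn.example-adnetwork.net
2024-03-01T09:05:18Z 10.1.2.22 x7f3.collect.attacker.example
2024-03-01T09:41:03Z 10.1.2.31 shop.example.com
2024-03-01T09:41:04Z 10.1.2.31 static.example-cdn.net
`;

// Assumed allowlist: our own domain plus the third parties the pages legitimately use.
const EXPECTED_DOMAINS = ["example.com", "example-cdn.net", "example-adnetwork.net", "example-psp.com"];

// Parse the constructed log format into records; names are lower-cased and any
// trailing dot removed so that "shop.example.com." and "Shop.Example.com" compare equal.
function parseDnsLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => {
    const [time, client, qname] = l.split(/\s+/);
    return { time, client, qname: qname.toLowerCase().replace(/\.$/, "") };
  });
}

// A queried name is expected if it is an allowlisted domain or a subdomain of one.
// Matching is anchored at the end, so "example.com.attacker.example" is not expected.
function isExpected(qname, allowlist) {
  return allowlist.some((d) => qname === d || qname.endsWith("." + d));
}

// Summarise every unexpected name: how often it was resolved, when it was first seen
// and by which clients. Sorted rarest first, since rare names deserve the first look.
function reviewDnsLog(text, allowlist) {
  const findings = new Map();
  for (const rec of parseDnsLog(text)) {
    if (isExpected(rec.qname, allowlist)) continue;
    const f = findings.get(rec.qname) ||
      { qname: rec.qname, count: 0, firstSeen: rec.time, clients: new Set() };
    f.count += 1;
    f.clients.add(rec.client);
    findings.set(rec.qname, f);
  }
  return [...findings.values()]
    .map((f) => ({ ...f, clients: [...f.clients].sort() }))
    .sort((a, b) => a.count - b.count);
}

console.log(JSON.stringify(reviewDnsLog(SAMPLE_DNS_LOG, EXPECTED_DOMAINS), null, 2));
```

Run it with node; on real data the interesting output is the long tail of names with a count of one, which is where an occasionally served malicious advert will show up, and the allowlist doubles as the list of sources you will later need to write into a Content Security Policy.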
Enter the Content-Security-Policy (CSP) header. It lets the web developer declare, for each page and whoever it is served to, where that page may load scripts, frames, images and other resources from, and where it may send form posts and XHR/fetch requests. Because the visitor's browser enforces the policy, customers are protected without installing anything, and the optional reporting directive (report-uri, or the newer report-to) sends you a report whenever a load is blocked, which is precisely the evidence an intermittently served malicious advert otherwise leaves nowhere. Two caveats. First, a policy governs only the document it is delivered with: it is not inherited from one page to the next, so you must send the header on every response you want to control (despite the similar acronym it has nothing to do with Cascading Style Sheets). Second, a frame you permit is governed by its own policy, not yours: you can restrict which origins may be framed (frame-src) and sandbox them, but you cannot control what the framed document itself pulls from yet more deeply embedded (thoroughly obscured) sources. That per-page scope is also what makes CSP precise: adverts can be allowed on your top-level pages while the checkout and payment pages are locked down to your own origin and your payment provider. Thus everyone is better protected: consumers, advertisers, and your PCI data.
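To make the two-policy idea concrete, here is an added example (my own, not code from the original post): a minimal CSP evaluator that parses a header value and answers "would the browser allow this load?", run against a permissive policy for an advert-carrying landing page and a locked-down one for the checkout page. The hostnames (shop.example.com, example-adnetwork.net, pay.example-psp.com, attacker.example) and both policies are assumed for illustration; the evaluator models 'none', 'self', '*', scheme-sources and host-sources with the browser's fallback to default-src, and deliberately ignores nonces, hashes and path matching.

```javascript
"use strict";
// Added example, not from the original post: a minimal Content-Security-Policy
// evaluator showing why a checkout page needs its own, stricter policy than an
// advert-carrying landing page. All hostnames and both policies are assumed.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
// As in browsers, a directive that appears twice keeps only its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Directives whose fallback is not simply default-src. frame-ancestors,
// form-action and base-uri never fall back to default-src at all.
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
  "frame-ancestors": [],
  "form-action": [],
  "base-uri": [],
};

function directiveList(policy, directive) {
  if (policy[directive] !== undefined) return policy[directive];
  for (const alt of FALLBACK[directive] || ["default-src"]) {
    if (policy[alt] !== undefined) return policy[alt];
  }
  return undefined;
}

// Does one source expression match `resource` loaded by the page at `pageUrl`?
// Keyword sources such as 'unsafe-inline' or 'nonce-...' govern inline content,
// not URLs, and simply never match a hostname here.
function sourceMatches(expr, resource, pageUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return resource.origin === pageUrl.origin;
  if (e === "*") return true;
  if (e.endsWith(":")) return resource.protocol === e; // scheme-source, e.g. "https:"
  let scheme = null;
  let hostPart = e;
  const i = e.indexOf("://");
  if (i !== -1) { scheme = e.slice(0, i + 1); hostPart = e.slice(i + 3); }
  hostPart = hostPart.split("/")[0].split(":")[0]; // path and port matching omitted
  if (scheme !== null) {
    if (resource.protocol !== scheme) return false;
  } else if (resource.protocol !== pageUrl.protocol && resource.protocol !== "https:") {
    return false; // a scheme-less host-source matches the page's scheme or https
  }
  if (hostPart.startsWith("*.")) return resource.hostname.endsWith(hostPart.slice(1));
  return resource.hostname === hostPart;
}

// Would the browser allow `resourceUrl` to be loaded under `directive`
// (script-src, frame-src, connect-src, ...) by the page at `pageUrlStr`?
function isAllowed(policy, directive, resourceUrl, pageUrlStr) {
  const pageUrl = new URL(pageUrlStr);
  const resource = new URL(resourceUrl, pageUrl); // relative URLs resolve against the page
  const list = directiveList(policy, directive);
  if (list === undefined) return true; // nothing restricts this fetch type
  return list.some((expr) => sourceMatches(expr, resource, pageUrl));
}

// Landing page: our own origin plus the (assumed) advert network's frames and tags.
const LANDING_CSP =
  "default-src 'self'; script-src 'self' https://ads.example-adnetwork.net; " +
  "frame-src https://*.example-adnetwork.net; img-src 'self' https: data:";

// Checkout page: deny everything, then re-enable only ourselves and the (assumed)
// payment service provider's hosted-field iframe. connect-src 'self' is what
// stops a skimmer from posting captured card data anywhere else.
const CHECKOUT_CSP =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; " +
  "connect-src 'self'; frame-src https://pay.example-psp.com; " +
  "form-action 'self' https://pay.example-psp.com; base-uri 'self'; frame-ancestors 'none'";

const LANDING = parseCsp(LANDING_CSP);
const CHECKOUT = parseCsp(CHECKOUT_CSP);
const LANDING_URL = "https://shop.example.com/";
const CHECKOUT_URL = "https://shop.example.com/checkout";

const AD_FRAME = "https://serve.example-adnetwork.net/ad.html";
console.log("ad frame on landing page:", isAllowed(LANDING, "frame-src", AD_FRAME, LANDING_URL));
console.log("ad frame on checkout page:", isAllowed(CHECKOUT, "frame-src", AD_FRAME, CHECKOUT_URL));
console.log("skimmer beacon from checkout page:",
  isAllowed(CHECKOUT, "connect-src", "https://collect.attacker.example/", CHECKOUT_URL));
```

Run it with node. The same advert frame is allowed on the landing page and refused on the checkout page, and the checkout policy's connect-src 'self' refuses the outbound beacon a skimmer would need even if script did get onto the page. When deploying, ship the checkout policy first as Content-Security-Policy-Report-Only with a report-uri so that any legitimate load you forgot shows up in reports rather than as a broken payment page, then switch to the enforcing Content-Security-Policy header.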
As a PCI DSS assessor, I may be asking questions about where your CSP headers exist in your next assessment!