Medium and Content Security Policy
Content Security Policy (CSP) is a way to provide Medium users an added layer of security against Cross Site Scripting (XSS) attacks.
XSS attacks typically happen when malicious user-generated content bypasses a website’s security mechanisms, causing it to deliver executable code to a user. This code then runs in the user’s browser to perform some sort of malicious activity.
To reduce the likelihood of successful XSS happening on Medium, we use a CSP response header to explicitly whitelist domains considered by Medium to be legitimate sources of executable code.
Disadvantages of CSP
One disadvantage of CSP is the need to maintain a whitelist of permitted sources. This typically involves communicating with third-party sites to determine that their inclusion is legitimate. While implementing CSP for Medium, we took care to minimize any interruptions.
There can be other implementation challenges. For example, in order to embed Twitter widgets correctly we learned that we needed to set csp=on in the application.
On top of this, CSP depends on the browser implementing it correctly — which isn’t always the case. Notably, the Safari browser will incorrectly block user-installed plugins from injecting data, which affects services such as Evernote.
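As an added illustration of the header described above (example code, not Medium's own implementation), the snippet below builds a Content-Security-Policy value from an explicit per-directive whitelist, rejects script sources that would undermine XSS protection, and can emit the policy in report-only mode while its impact is being evaluated. Every origin in the whitelist is a constructed placeholder, and the `/csp-report` endpoint is assumed to exist.

```javascript
// Constructed sample whitelist (placeholders, not Medium's real list).
const ALLOWLIST = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com", "https://platform.twitter.com"],
  "img-src": ["'self'", "https:", "data:"],
  "frame-src": ["https://platform.twitter.com"],
  "object-src": ["'none'"],
};

// Script sources that defeat the purpose of the whitelist: inline/eval
// keywords, or scheme-wide wildcards that admit any host on the web.
const WEAK_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:"]);

// Return the script-src entries that would weaken the policy, in order.
function findWeakEntries(policy) {
  return (policy["script-src"] || []).filter((src) => WEAK_SCRIPT_SOURCES.has(src));
}

// Serialise the policy object: directives separated by "; ", each
// followed by its space-separated source list.
function buildCspValue(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Produce { name, value } for the response header. reportOnly selects the
// Report-Only header so violations are logged but nothing is blocked.
function cspHeader(policy, { reportOnly = false, reportUri } = {}) {
  const weak = findWeakEntries(policy);
  if (weak.length) {
    throw new Error(`weak script-src entries: ${weak.join(", ")}`);
  }
  let value = buildCspValue(policy);
  if (reportUri) value += `; report-uri ${reportUri}`;
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { name, value };
}

// Stand-alone usage; in an Express handler this would be res.setHeader(h.name, h.value).
const h = cspHeader(ALLOWLIST, { reportOnly: true, reportUri: "/csp-report" });
console.log(`${h.name}: ${h.value}`);
```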
Use of CSP on the Internet
Anecdotally, use of CSP on the Internet is not widespread. This post reports that it is used by 1% of the Alexa Top 100 (the post also discusses implementation challenges in more detail than you will find here). It is used by Medium and GitHub. Twitter has done considerable research into it and is still running it in report-only mode (see their blog post here). It may seem ironic that many of the posts that speak highly of CSP do not themselves use it, though its value for them is largely diminished by the fact that they are not explicitly designed to present user-generated content. What is more interesting is that many sites that do present user-generated content still do not use CSP even though the specification for it dates back to 2012 (that includes Blogger, Tumblr and WordPress).
Why does Medium use CSP?
We use CSP for its stated purpose: providing an additional layer of security for the users of Medium. At Medium, it’s been implemented for the same reason that motivates our explicit redirection of all unencrypted traffic to HTTPS, and the use of the Strict-Transport-Security response header — protecting our users.
We also hope that this will encourage other services to use CSP, and encourage browser vendors to implement CSP according to the specification, which would benefit Internet users’ security generally. We understand that there’s no concrete reason to believe that will happen, but this is something we are currently willing and able to do.
At Medium we know that maintaining our whitelist will incur recurring maintenance costs. We also understand that it could conceivably run into technical limitations as the list gets longer (and it is pretty long already). However, right now these considerations don’t outweigh our belief that using CSP is the best thing to do for our users.