A digital omnivore is a person who uses multiple modalities (devices) to access the Internet and other media content in their daily life. As people increasingly own mobile devices, cross-platform multimedia consumption has continued to shape the digital landscape, both in terms of the type of media content they consume and how they consume it. As of 2021, at least half of all global digital traffic is generated by mobile devices. == Connected devices and digital consumption == A 2015 study of digital media consumption showed that smartphones were primarily used for communication, and tablets were primarily used for entertainment – additionally, both were frequently used in conjuncture with other devices, like televisions. An earlier 2011 analysis of the way consumers in the U.S. viewed news content on their devices throughout the day demonstrated how people use different mobile devices for different functions. On a typical weekend morning, digital omnivores accessed their news using their tablet, favored their computer during the working day, and returned to tablet use in the evening, peaking between the hours of 9pm and midnight. Mobile phones were used for web-browsing throughout the day when users were away from their personal computer. Increased Wi-Fi availability and mobile broadband adoption have changed the way people are going online. In August 2011, more than a third (37.2%) of U.S. digital traffic coming from mobile phones occurred via a Wi-Fi connection while tablets, which traditionally required a Wi-Fi connection to access the Internet, are increasingly driving traffic using mobile broadband access. As of 2021, LTE, 5G, and other forms of mobile broadband access are available on the majority of mobile devices. Tablets contributed nearly 2% of all web browsing traffic in the United States in 2011. During this period, iPads also began to account for a higher share of Internet traffic than iPhones (46.8% vs. 42.6% of all iOS device traffic. == Implications for marketing, advertisers and publishers == As of 2021, the average amount of time spent daily consuming digital media was eight hours, an increase from 2020 and a further increase from 2019, partially as a result of the COVID-19 pandemic. Social media platforms such as Instagram, Facebook, Twitter, and TikTok, as well as other online platforms like YouTube, incorporate advertisements into the in-app or online experience, with some offering the ability to shop for and sell items through the app or website.
Content Security Policy
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features. == Status == The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004, first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as W3C candidate recommendation and quickly with further versions (Level 2) published in 2014. As of 2023, the draft of Level 3 is being developed with the new features being quickly adopted by the web browsers. The following header names are in use as part of experimental CSP implementations: Content-Security-Policy – standard header name proposed by the W3C document. Google Chrome supports this as of version 25. Firefox supports this as of version 23, released on 6 August 2013. WebKit supports this as of version 528 (nightly build). Chromium-based Microsoft Edge support is similar to Chrome's. X-WebKit-CSP – deprecated, experimental header introduced into Google Chrome, Safari and other WebKit-based web browsers in 2011. X-Content-Security-Policy – deprecated, experimental header introduced in Gecko 2 based browsers (Firefox 4 to Firefox 22, Thunderbird 3.3, SeaMonkey 2.1). A website can declare multiple CSP headers, also mixing enforcement and report-only ones. Each header will be processed separately by the browser. CSP can also be delivered within the HTML code using a meta tag, although in this case its effectiveness will be limited. Internet Explorer 10 and Internet Explorer 11 also support CSP, but only sandbox directive, using the experimental X-Content-Security-Policy header. A number of web application frameworks support CSP, for example AngularJS (natively) and Django (middleware). Instructions for Ruby on Rails have been posted by GitHub. Web framework support is however only required if the CSP contents somehow depend on the web application's state—such as usage of the nonce origin. Otherwise, the CSP is rather static and can be delivered from web application tiers above the application, for example on load balancer or web server. === Bypasses === In December 2015 and December 2016, a few methods of bypassing 'nonce' allowlisting origins were published. In January 2016, another method was published, which leverages server-wide CSP allowlisting to exploit old and vulnerable versions of JavaScript libraries hosted at the same server (frequent case with CDN servers). In May 2017 one more method was published to bypass CSP using web application frameworks code. == Mode of operation == If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative allowlist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks. In practice this means that a number of features are disabled by default: Inline JavaScript code