blog/archive/2018/12/12.rss

   1 <?xml version="1.0" encoding="ISO-8859-1"?>
   2 <rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
   3         <channel>
   4                 <title>Petter Reinholdtsen - Entries from December 2018</title>
   5                 <description>Entries from December 2018</description>
   6                 <link>http://people.skolelinux.org/pere/blog/</link>
   7
   8
   9         <item>
  10                 <title>Why is your site not using Content Security Policy / CSP?</title>
  11                 <link>http://people.skolelinux.org/pere/blog/Why_is_your_site_not_using_Content_Security_Policy___CSP_.html</link>
  12                 <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Why_is_your_site_not_using_Content_Security_Policy___CSP_.html</guid>
  13                 <pubDate>Sun, 9 Dec 2018 15:00:00 +0100</pubDate>
  14                 <description>&lt;p&gt;Yesterday, I had the pleasure of watching on Frikanalen the OWASP
  15 talk by Scott Helme titled
  16 &quot;&lt;a href=&quot;https://frikanalen.no/video/626080/&quot;&gt;What We’ve Learned From
  17 Billions of Security Reports&lt;/a&gt;&quot;.  I had not heard of the
  18 &lt;a href=&quot;https://en.wikipedia.org/wiki/Content_Security_Policy&quot;&gt;Content
  19 Security Policy standard&lt;/a&gt; nor its ability to &quot;call home&quot; when a
  20 browser detect a policy breach (I do not follow web page design
  21 development much these days), and found the talk very illuminating.&lt;/p&gt;
  22
  23 &lt;p&gt;The mechanism allow a web site owner to use HTTP headers to tell
  24 visitors web browser which sources (internal and external) are allowed to
  25 be used on the web site.  Thus it become possible to enforce a &quot;only
  26 local content&quot; policy despite web designers urge to fetch programs
  27 from random sites on the Internet, like the one
  28 &lt;a href=&quot;https://securityaffairs.co/wordpress/68966/hacking/browsealoud-plugin-hack.html&quot;&gt;enabling
  29 the attack&lt;/a&gt; reported by Scott Helme earlier this year.&lt;/p&gt;
  30
  31 &lt;p&gt;Using CSP seem like an obvious thing for a site admin to implement
  32 to take some control over the information leak that occur when
  33 external sources are used to render web pages, it is a mystery more
  34 sites are not using CSP?  It is being
  35 &lt;a href=&quot;https://www.w3.org/TR/CSP/&quot;&gt;standardized under W3C&lt;/a&gt; these
  36 days, and is supposed by most web browsers&lt;/p&gt;
  37
  38 &lt;p&gt;I managed to find &lt;a href=&quot;https://github.com/mozilla/django-csp&quot;&gt;a
  39 Django middleware for implementing CSP&lt;/a&gt; and was happy to discover
  40 it was already in Debian.  I plan to use it to add CSP support to the
  41 Frikanalen web site soon.&lt;/p&gt;
  42
  43 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
  44 activities, please send Bitcoin donations to my address
  45 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
  46 </description>
  47         </item>
  48
  49         </channel>
  50 </rss>