Title: Why is your site not using Content Security Policy / CSP?
Tags: english, web, standard
Date: 2018-12-09 15:00

<p>Yesterday, I had the pleasure of watching, on Frikanalen, the OWASP
talk by Scott Helme titled
"<a href="https://frikanalen.no/video/626080/">What We’ve Learned From
Billions of Security Reports</a>". I had not heard of the
<a href="https://en.wikipedia.org/wiki/Content_Security_Policy">Content
Security Policy standard</a> nor its ability to "call home" when a
browser detects a policy breach (I do not follow web page design
development much these days), and found the talk very illuminating.</p>

<p>The mechanism allows a web site owner to use HTTP headers to tell
the visitor's web browser which sources (internal and external) are
allowed to be used on the web site. Thus it becomes possible to enforce
an "only local content" policy despite web designers' urge to fetch
programs from random sites on the Internet, like the one
<a href="https://securityaffairs.co/wordpress/68966/hacking/browsealoud-plugin-hack.html">enabling
the attack</a> reported by Scott Helme earlier this year.</p>

<p>Using CSP seems like an obvious thing for a site admin to implement
to take some control over the information leak that occurs when
external sources are used to render web pages, so it is a mystery why
more sites are not using CSP. It is being
<a href="https://www.w3.org/TR/CSP/">standardized under W3C</a> these
days, and is supported by most web browsers.</p>

<p>I managed to find <a href="https://github.com/mozilla/django-csp">a
Django middleware for implementing CSP</a> and was happy to discover
it was already in Debian. I plan to use it to add CSP support to the
Frikanalen web site soon.</p>

<p>As usual, if you use Bitcoin and want to show your support of my
activities, please send Bitcoin donations to my address
<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>