--- /dev/null
+Title: Why is your site not using Content Security Policy / CSP?
+Tags: english, web, standard
+Date: 2018-12-09 15:00
+
+<p>Yesterday, I had the pleasure of watching on Frikanalen the OWASP
+talk by Scott Helme titled
+"<a href="https://frikanalen.no/video/626080/">What We’ve Learned From
+Billions of Security Reports</a>". I had not heard of the
+<a href="https://en.wikipedia.org/wiki/Content_Security_Policy">Content
+Security Policy standard</a> nor its ability to "call home" when a
+browser detect a policy breach (I do not follow web page design
+development much these days), and found the talk very illuminating.</p>
+
+<p>The mechanism allow a web site owner to use HTTP headers to tell
+visitors web browser which sources (internal and external) are allowed to
+be used on the web site. Thus it become possible to enforce a "only
+local content" policy despite web designers urge to fetch programs
+from random sites on the Internet, like the one
+<a href="https://securityaffairs.co/wordpress/68966/hacking/browsealoud-plugin-hack.html">enabling
+the attack</a> reported by Scott Helme earlier this year.</p>
+
+<p>Using CSP seem like an obvious thing for a site admin to implement
+to take some control over the information leak that occur when
+external sources are used to render web pages, it is a mystery more
+sites are not using CSP? It is being
+<a href="https://www.w3.org/TR/CSP/">standardized under W3C</a> these
+days, and is supposed by most web browsers</p>
+
+<p>I managed to find <a href="https://github.com/mozilla/django-csp">a
+Django middleware for implementing CSP</a> and was happy to discover
+it was already in Debian. I plan to use it to add CSP support to the
+Frikanalen web site soon.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
projects / homepage.git / commitdiff