From: Petter Reinholdtsen Date: Sun, 9 Dec 2018 13:57:50 +0000 (+0100) Subject: New post om CSP. X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/b297d1ffb8741616d862541971a681ea79504c4d New post om CSP. --- diff --git a/blog/data/2018-12-09-csp-everywhere.txt b/blog/data/2018-12-09-csp-everywhere.txt new file mode 100644 index 0000000000..b94cbbadbb --- /dev/null +++ b/blog/data/2018-12-09-csp-everywhere.txt @@ -0,0 +1,36 @@ +Title: Why is your site not using Content Security Policy / CSP? +Tags: english, web, standard +Date: 2018-12-09 15:00 + +

Yesterday, I had the pleasure of watching on Frikanalen the OWASP +talk by Scott Helme titled +"What We’ve Learned From +Billions of Security Reports". I had not heard of the +Content +Security Policy standard nor its ability to "call home" when a +browser detect a policy breach (I do not follow web page design +development much these days), and found the talk very illuminating.

+ +

The mechanism allow a web site owner to use HTTP headers to tell +visitors web browser which sources (internal and external) are allowed to +be used on the web site. Thus it become possible to enforce a "only +local content" policy despite web designers urge to fetch programs +from random sites on the Internet, like the one +enabling +the attack reported by Scott Helme earlier this year.

+ +

Using CSP seem like an obvious thing for a site admin to implement +to take some control over the information leak that occur when +external sources are used to render web pages, it is a mystery more +sites are not using CSP? It is being +standardized under W3C these +days, and is supposed by most web browsers

+ +

I managed to find a +Django middleware for implementing CSP and was happy to discover +it was already in Debian. I plan to use it to add CSP support to the +Frikanalen web site soon.

+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.
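Review bot: the added post body has several grammar slips worth fixing before it goes live; in the third paragraph "is supposed by most web browsers" should read "is supported by most web browsers" and the sentence is missing its full stop, and "it is a mystery more sites are not using CSP?" is a statement, not a question, so it should end with a period. In the first and second paragraphs, "when a browser detect a policy breach", "The mechanism allow a web site owner" and "Thus it become possible" want "detects", "allows" and "becomes". Since the first paragraph singles out CSP's ability to "call home" on a policy breach, it would help readers to name how that is configured: the report-uri directive, together with the Content-Security-Policy-Report-Only header, which lets a site collect violation reports without blocking anything before switching to an enforcing policy.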