From b297d1ffb8741616d862541971a681ea79504c4d Mon Sep 17 00:00:00 2001 From: Petter Reinholdtsen Date: Sun, 9 Dec 2018 14:57:50 +0100 Subject: [PATCH] New post om CSP. --- blog/data/2018-12-09-csp-everywhere.txt | 36 +++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 blog/data/2018-12-09-csp-everywhere.txt diff --git a/blog/data/2018-12-09-csp-everywhere.txt b/blog/data/2018-12-09-csp-everywhere.txt new file mode 100644 index 0000000000..b94cbbadbb --- /dev/null +++ b/blog/data/2018-12-09-csp-everywhere.txt @@ -0,0 +1,36 @@ +Title: Why is your site not using Content Security Policy / CSP? +Tags: english, web, standard +Date: 2018-12-09 15:00 + +

Yesterday, I had the pleasure of watching on Frikanalen the OWASP +talk by Scott Helme titled +"What We’ve Learned From +Billions of Security Reports". I had not heard of the +Content +Security Policy standard nor its ability to "call home" when a +browser detect a policy breach (I do not follow web page design +development much these days), and found the talk very illuminating.

+ +

The mechanism allow a web site owner to use HTTP headers to tell +visitors web browser which sources (internal and external) are allowed to +be used on the web site. Thus it become possible to enforce a "only +local content" policy despite web designers urge to fetch programs +from random sites on the Internet, like the one +enabling +the attack reported by Scott Helme earlier this year.

+ +

Using CSP seem like an obvious thing for a site admin to implement +to take some control over the information leak that occur when +external sources are used to render web pages, it is a mystery more +sites are not using CSP? It is being +standardized under W3C these +days, and is supposed by most web browsers

+ +

I managed to find a +Django middleware for implementing CSP and was happy to discover +it was already in Debian. I plan to use it to add CSP support to the +Frikanalen web site soon.

+ +

As usual, if you use Bitcoin and want to show your support of my +activities, please send Bitcoin donations to my address +15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.
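Review bot: the new post body has several grammar slips that should be fixed before this is published, all in the added paragraphs of this hunk: "when a browser detect a policy breach" should read "when a browser detects a policy breach"; "The mechanism allow a web site owner" should be "allows"; "Thus it become possible" should be "becomes"; "despite web designers urge" needs the possessive "designers' urge"; "Using CSP seem like" should be "seems"; and "is supposed by most web browsers" should be "is supported by most web browsers" and is missing its closing period. The paragraph starting "Using CSP seem like an obvious thing" also runs two statements into a single question, so splitting it reads better, e.g. "... when external sources are used to render web pages. It is a mystery why more sites are not using CSP." The Title/Tags/Date header at the top of the file is consistent with the other posts' format and needs no change.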

-- 2.47.2