Mike West
is a thought experiment: what if we broke CSP in half, removed some esoteric options, and built policy primitives that specifically targeted XSS on the one hand, and resource confinement on the other?
[Linked GitHub repository card: mikewest/csp-next, "A Modest Content Security Proposal"]
Mike West 15 Jul
Replying to @mikewest
A hypothetical `Scripting-Policy: nonce="number-used-once-goes-here"` could be substantially more focused, and simpler for developers to understand and deploy. A similarly speculative `Confinement-Policy` could deal only with Fetch, likewise providing clarity.
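As an added illustration (not from the thread or from the csp-next repository): the nonce idea above, written out in today's CSP syntax with the hypothetical `Scripting-Policy` value shown alongside it, plus a checker that reports which `<script>` tags a nonce-only policy would refuse. The `render_sample` page, its paths and the reflected comment are constructed for the example; `Scripting-Policy` itself is Mike's thought experiment and is not enforced by any browser.

```python
import re
import secrets
from typing import NamedTuple

class PolicyHeaders(NamedTuple):
    csp: str               # what browsers enforce today
    scripting_policy: str  # value from the tweet; hypothetical, enforced nowhere

def new_nonce() -> str:
    # 128 bits from a CSPRNG, base64url: fresh per HTTP response, never reused.
    return secrets.token_urlsafe(16)

def build_headers(nonce: str) -> PolicyHeaders:
    # Nonce-based script policy in shipping CSP syntax. 'strict-dynamic' lets a
    # nonced script load further scripts; object-src/base-uri close common bypasses.
    csp = (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
           "object-src 'none'; base-uri 'none'")
    return PolicyHeaders(csp, f'nonce="{nonce}"')

_SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce\s*=\s*"([^"]*)"', re.IGNORECASE)

def blocked_scripts(html: str, nonce: str) -> list:
    """Opening <script> tags a nonce-only policy refuses: a script runs only when
    its nonce attribute equals the response nonce. Trust propagation via
    'strict-dynamic' is not modelled."""
    blocked = []
    for tag in _SCRIPT_TAG.findall(html):
        found = _NONCE_ATTR.search(tag)
        if found is None or found.group(1) != nonce:
            blocked.append(tag)
    return blocked

def render_sample(nonce: str) -> str:
    # Constructed page: the template nonces its own script, forgets one, and
    # reflects a comment without escaping (the XSS the policy is meant to stop).
    comment = "nice post <script>alert(1)</script>"
    return (f'<script nonce="{nonce}" src="/static/app.js"></script>\n'
            '<script src="/static/legacy.js"></script>\n'
            f"<p>{comment}</p>\n")

if __name__ == "__main__":
    n = new_nonce()
    print(build_headers(n).csp)
    print(blocked_scripts(render_sample(n), n))
```

Note that the site's own un-nonced `legacy.js` is refused exactly like the injected script: a nonce policy only works once every legitimate script tag carries the nonce.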
Mike West 15 Jul
Replying to @arturjanc @we1x @mikispag
I'm not actually convinced this is worth us collectively spending time on (CSP _exists_, after all, and there are pressing problems), but some conversation with clever folks like , , and makes it clear that this is at least worth discussing a bit. WDYT?
Mike West 15 Jul
Replying to @arturjanc @we1x @mikispag
(Also, this was just a fun way to procrastinate a bit on the 17 other things I'm supposed to be doing this week. 😭)
Lukasz Olejnik 15 Jul
Replying to @mikewest
"ARTUR is a silly suggestion that is obviously a bad idea as specified". I see what you did there. You thought of it from the very beginning didn't you?
Mike West 15 Jul
Replying to @lukOlejnik
This has been in the back of several people's heads for years. I don't think the direction would be a surprise to anyone who's been paying attention to various conversations in WebAppSec. :)
Rhy Moore 15 Jul
Replying to @mikewest @dalmaer
What if we added specific sanitization APIs to the DOM? Literally every time I have to go look into what a new framework or library is doing under the hood for that or try to find a standalone library for it, I wish wistfully for this.
Mike West 15 Jul
Replying to @morewry @dalmaer and 2 others
and were looking into that. It just hasn’t bubbled up anyone’s list far enough to spend the time on it that’s necessary.
Craig Francis 15 Jul
Replying to @mikewest
I like the Scripting-Policy part, which gives a good focus on XSS (and should be where most website developers start); but Resource Confinement is probably more powerful with the current CSP syntax (maybe with some bits deprecated).