6 articles and links tagged with “contentsecuritypolicy”
XSS (No, the _other_ 'S') - CSSConf EU 2013 Frontend Security - Frontend Conference, Zürich 2013
Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.
Securing the Client Side
At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.
Content Security Policy: Feature Detection
AngularJS has recently implemented support for Content Security Policy that restricts the use of
new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.
Secure Chrome extensions: Content Security Policy
Based on the Content Security Policy primer I wrote last week, you should have a good idea of what CSP can offer a website developer. What might not be clear is that the policies can extend beyond HTTP, a bit more deeply into the browser. Chrome offers Content Security Policy support for extensions that substantially reduce the possibility of permission leakage; this article describes how it works, and how you can use it in your extensions.
Content Security Policy: A Primer
The web’s security model is fundamentally broken, and has been since the beginning. Content Security Policy is an upcoming feature of the web platform that promises to mitigate the risk of XSS attacks, and it’s worth starting to play with now.