Content Security Policy for Web App

CSP security changes for the web browser vault:

  1. remove 'unsafe-inline' for style-src and move any css to separate files.
  2. add object-src 'none'; to prevent extensions from injecting embeds.
  3. specify connect-src *; to be more specific… this is probably the worst of the three.

Wondering about connect-src * in particular… was it too much of a pain? (I know CSP is a pain in general)
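To make the three review points above repeatable (for instance in a CI check), here is an added Python example that is not code from this thread or from the vault project: a minimal CSP header parser plus a reviewer that flags each unmet point, run over two constructed policies whose hostnames are placeholders.

```python
# Added example: a small Content-Security-Policy checker for the three
# review points in the post above. Policies and hostnames are constructed.
from typing import Dict, List

# Constructed sample policies (not the vault's real headers).
WEAK_POLICY = (
    "default-src 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; connect-src *"
)
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self'; "
    "object-src 'none'; connect-src 'self' https://api.example.com"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; sources kept as written.
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def sources(d: Dict[str, List[str]], directive: str) -> List[str]:
    """Effective source list: fetch directives fall back to default-src,
    and a policy with neither is unrestricted, modelled here as ['*']."""
    return d.get(directive, d.get("default-src", ["*"]))


def review_csp(policy: str) -> List[str]:
    """Return one finding per unmet review point (empty list = all good)."""
    d = parse_csp(policy)
    findings: List[str] = []
    style = [s.lower() for s in sources(d, "style-src")]
    if "'unsafe-inline'" in style:
        findings.append("style-src allows 'unsafe-inline'; move inline CSS to files")
    if [s.lower() for s in sources(d, "object-src")] != ["'none'"]:
        findings.append("object-src is not 'none'; plugin/embed injection stays open")
    if "*" in sources(d, "connect-src"):
        findings.append("connect-src is *; list only the hosts the app talks to")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {review_csp(policy) or ['no findings']}")
```

The weak policy trips all three checks (object-src is flagged because, when absent, it inherits default-src 'self' rather than 'none'); the hardened one returns no findings.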

This site is being run by the guy who runs haveibeenpwned and his friends. It’s got a great wizard that will catch reports including report-only header reports, and tell you how to make your CSP a lot more tailored.

Can you please rename this topic to be more specific (e.g. Content Security Policy for Web App)? This current name is far too broad.


Interesting… an attacker could make their own google-analytics account and set a partially empty tag to set ea= and capture the proceeding HTML and send to the attacker…

man… so many ways to exfiltrate data.