Content Security Policy for Web App

dabura667 · June 23, 2018, 3:31pm

CSP security changes for the web browser vault:

remove ‘unsafe-inline’ for style-src and move any css to separate files.
add object-src ‘none’; to prevent extenstions from injecting embeds.
specify connect-src *; to be more specific… this is probably the worst of the three.

Wondering about connect-src * in particular… was it too much of a pain? (I know CSP is a pain in general)

This site is being run by the guy who runs haveibeenpwned and his friends. It’s got a great wizard that will catch reports including report-only header reports, and tell you how to make your CSP a lot more tailored.

bobanon · July 3, 2018, 3:32pm

Can you please rename this topic to be more specific (e.g. Content Security Policy for Web App)? This current name is far too broad.

dabura667 · July 7, 2018, 3:02pm

Interesting… an attacker could make their own google-analytics account and set a partially empty tag to set ea= and capture the proceeding HTML and send to the attacker…

man… so many ways to exfiltrate data.