Sponsored by:

CSP

A 5-post collection

How Chrome's buggy content security policy implementation cost me money

Content security policies (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests yet a curse because they can also do screwy things like break your site. Now in fairness, the breaking bit linked to there was more because of Safari's screwy implementation than because of the CSP spec itself, but that brings me to today's post on yet another screwy browser implementation of CSP. This time, it's Chrome's turn and it didn't just cause content to be blocked, it actually cost me money. Let me explain. I have a donate page on Have I been pwned (HIBP). I honestly didn't expect people to give...

Disqus' mixed content problem and fixing it with a CSP

I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings: I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the problem: Who the hell is Circulate?! And what are they doing in my blog? Let's find out: Right... I don't have any ads on my blog these days (just sponsor messages) so there shouldn't be any third-party monetisation going on. However, what I'd noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I'd...

Understanding CSP, the video tutorial edition

A couple of months ago I did a video titled Understanding CSRF, the video tutorial edition which was a pretty raw run through of the mechanics and defences of cross site request forgery. It's content I often show in my workshops and I recorded the video pretty much as I present it in those sessions. Today I thought I'd do one on content security policies or as we otherwise know it, CSP. This is a response header that tells the browser a number of things about what it can and can't do once it loads up a website and it's a really neat additional defence against risks such as cross site scripting. When you watch the video, you'll see how...

How to break your site with a content security policy: an illustrated example

I’m a big proponent of the content security policy paradigm (CSP) supported by modern browsers. In fact I’m so keen on them I even wrote a Pluralsight course: Introduction to Browser Security Headers. (Sidenote: I’m enormously happy with how well this course has been received, seems there’s an appetite for securing our things after all!) Now if you’re not sure what all the fuss is about, have a quick read of my launch blog post for the course. This gives a pretty good overview of why CSP (among other headers) is awesome. Writing all this content about how the headers work should mean I know what I’m doing...

Introducing you to browser security headers on Pluralsight

I’ve been doing this fantastic demo about browser security headers in a lot of my recent talks and workshops. It’s always a lot of fun and it’s very interactive – you can try this out for yourself right now – and it works like this: So cross site scripting (XSS) is still a big thing. Yes it’s been around for ages and yes we should be on top of it by now, but here we are. Anyway, I was at the AppSecEU conference in the Netherlands a few months ago and a local guy called Breno de Winter did a fantastic talk in which he illustrated the prevalence of XSS by showing...