Anyone know the technical details of how @WIRED collected, parsed and used their copious CSP violation reports?
-
@getsentry has some explicit matches to filter popular things out; @zeeg how's it working so far? pic.twitter.com/hafTYHdB9C
-
The major concern is that CSP is a lot of stuff you don't care about, but some you do. Errors are the opposite.
-
Yes. Plus CSP reports are often for extension-added scripts, and the report has no data to distinguish them from real bugs.
End of conversation
New conversation
-
What about using CSP violations to find bugs? E.g. discover 0day XSS in the wild from incoming reports.
-
That was the goal but it's impossible in practice.
-
[shameless plug] https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/ will reduce the pain a bit but not fully.
-
On fresh reading this is an interesting tidbit: pic.twitter.com/720SrA54tY
-
@zeeg feature request for Sentry CSP handling: an endpoint/registration setting where I include the CSP policy hash out of band. If the violation report's included policy does not hash to the same one, throw it away/flag it as noise.
-
Makes sense. We could also just let you throw them away based on the version of your app.
End of conversation
New conversation
-
The best approach is still to do your own testing in a clean browser (no extensions).
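The two filters the thread proposes (an out-of-band hash of the served policy, and dropping reports whose blocked script comes from a browser extension), as an added example that is not code from any participant, from Sentry or from Dropbox. The served policy, the whitespace normalization before hashing, the extension-scheme list and the sample reports are all constructed assumptions.

```python
import hashlib
import json

# Policy this site actually serves; registered with the report collector
# out of band (constructed for this example, e.g. exported at deploy time).
SERVED_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp"

def policy_hash(policy: str) -> str:
    """SHA-256 of the policy with runs of whitespace collapsed, so harmless
    serialization differences do not make a genuine report look stale."""
    canonical = " ".join(policy.split())
    return hashlib.sha256(canonical.encode()).hexdigest()

REGISTERED_HASH = policy_hash(SERVED_POLICY)

# Schemes browsers use for extension resources (heuristic list, not exhaustive).
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:",
                     "safari-web-extension:", "ms-browser-extension:")

def classify(raw: str, registered_hash: str = REGISTERED_HASH) -> str:
    """Triage one report-uri POST body: 'keep', 'stale-policy' or 'extension'."""
    report = json.loads(raw)["csp-report"]
    # Policy in the report is not the one we serve: old cached deploy, an
    # intermediary rewriting headers, or a forged report. Either way, noise.
    if policy_hash(report.get("original-policy", "")) != registered_hash:
        return "stale-policy"
    blocked = report.get("blocked-uri", "")
    source = report.get("source-file", "")
    if blocked.startswith(EXTENSION_SCHEMES) or source.startswith(EXTENSION_SCHEMES):
        return "extension"
    return "keep"

def triage(raw_reports) -> dict:
    """Count reports per bucket; only the 'keep' bucket is worth a human's time."""
    counts = {"keep": 0, "stale-policy": 0, "extension": 0}
    for raw in raw_reports:
        counts[classify(raw)] += 1
    return counts

def make_report(policy: str, blocked: str, source: str = "") -> str:
    """Constructed sample in the CSP Level 2 report-uri shape."""
    return json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/", "violated-directive": "script-src",
        "original-policy": policy, "blocked-uri": blocked, "source-file": source}})

# Constructed samples: a real violation (note the extra spaces in the policy),
# an extension-injected script, and a report from an outdated policy.
REAL_REPORT = make_report(SERVED_POLICY.replace("; ", ";  "), "https://bad.example.net/x.js")
EXTENSION_REPORT = make_report(SERVED_POLICY, "chrome-extension://abcdefgh/inject.js")
STALE_REPORT = make_report("default-src 'self'; script-src 'self'; report-uri /csp", "https://cdn.example.com/app.js")
```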