The @Mozilla Observatory’s CSP Analyzer checks your policy to confirm that you’re setting the proper directives to prevent data exfiltration. Don’t let this happen to you! https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
-
CSP is terrible at blocking exfiltration _in the specific case_. But in a generic case with CSP reports, it greatly increases their chances of getting blocked (and thus hopefully detected).
-
I think @slekies' point is that a real attacker can use one of the mechanisms which aren't subject to CSP to send out data, and which wouldn't generate any reports. We can attempt to lock these down, but 1) it's hard, 2) it's difficult to enable such restrictions in real apps.
That is completely fair and true, but nevertheless I still think it’s worthwhile evangelizing even a poor protection if it pushes people to implement strong and restrictive CSP policies.
-
Sadly people don’t believe in defense in depth, and lean towards the “if it does not solve everything it solves nothing” approach.
-
A difference between defense in depth and false security. A firewall and server-side code sandboxing are defense in depth; they handle orthogonal issues. That is different than conveying that something mitigates (even a little bit) something that it does not.
-
I see policies that limit external access to unintended 3rd parties as a defense. Granted, not perfect...
-
It is fine so long as it actually addresses a concern one can define. The thing here is that we are talking about exfiltration and it does not address that at all (there is no situation, however contrived, where we can’t exfil using some other way).
-
CSP may not be intended to work in the face of an RCE but what is the purpose of form-action besides limiting data exfiltration from an HTML injection? I guess it can keep you from accidentally making a form that submits via http?
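The thread keeps circling back to which directives actually govern where a page can send data (form-action, connect-src, img-src and the default-src fallback) and whether violations get reported at all. The following is an added example, not code from the thread or from the Mozilla Observatory: a small checker that parses a Content-Security-Policy header value and flags, for each of those directives, whether it is missing, permissive, or set. The header strings below are constructed samples, and the list of "exfiltration-relevant" directives is this example's own choice. As the replies above point out, a page that already runs attacker script has sending channels none of these directives cover, so a clean result here is a hygiene check, not proof that exfiltration is blocked.

```python
"""Content-Security-Policy directive checker (added example, not from the thread).

Reports whether the directives that control where a page may submit or fetch
data are missing or permissive, and whether violation reporting is enabled.
"""
from typing import Dict, List, Optional

# Directives whose sources govern outbound requests a page can make.
# connect-src and img-src fall back to default-src; form-action does not.
FALLBACK_DIRECTIVES = ("connect-src", "img-src")
REPORT_DIRECTIVES = ("report-uri", "report-to")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Per the CSP spec, if a directive appears twice the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def is_permissive(sources: List[str]) -> bool:
    """True if the source list allows essentially any destination.

    A bare '*' or a scheme-only source such as 'https:' or 'data:' lets the
    page talk to any host, which defeats the point of restricting the directive.
    """
    for src in sources:
        s = src.lower()
        if s == "*" or s.endswith(":"):
            return True
    return False


def classify(sources: Optional[List[str]]) -> str:
    """Map a source list (or None for absent) to 'missing', 'permissive' or 'ok'."""
    if sources is None:
        return "missing"
    if is_permissive(sources):
        return "permissive"
    return "ok"


def check_exfil_directives(header: str) -> Dict[str, str]:
    """Return a finding per exfiltration-relevant directive plus 'reporting'."""
    policy = parse_csp(header)
    findings: Dict[str, str] = {}
    for name in FALLBACK_DIRECTIVES:
        # Use the directive's own sources, else fall back to default-src.
        findings[name] = classify(policy.get(name, policy.get("default-src")))
    # form-action has no fallback: if it is absent, forms may post anywhere.
    findings["form-action"] = classify(policy.get("form-action"))
    # Without a report directive, violations are blocked silently (if at all).
    findings["reporting"] = "ok" if any(d in policy for d in REPORT_DIRECTIVES) else "missing"
    return findings


# Constructed sample headers (assumed values, not from any real site).
WEAK_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"
OPEN_POLICY = "default-src *; form-action https:"
STRICT_POLICY = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "connect-src 'self'; img-src 'self'; form-action 'self'; "
    "report-uri /csp-report"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("open", OPEN_POLICY), ("strict", STRICT_POLICY)):
        print(label, check_exfil_directives(header))
```

Running the block prints one finding dictionary per sample: the weak policy passes connect-src and img-src only because they inherit default-src, but has no form-action and no reporting; the open policy is permissive across the board; the strict policy is clean. Treat "ok" as "this directive is at least restricted", not as a guarantee against exfiltration.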
-
There's value in locking down the sources of resources which can be loaded in an app, but this mostly serves to prevent programmer mistakes (loading scripts from an untrusted source); it doesn't stop an attacker who can already execute scripts.
-
This has been a great win for us to be able to monitor any accidental external script addition attempts. We monitor one file containing our CSP policy and are then able to audit all changes.
-
This is one reason we would eventually like to move toward proxying google analytics and sending data directly using the server-side measurement protocol. But not to protect against injected JS.