HTML injection != arbitrary JS running…which was the basis of the original discussion.
Replying to @patricktoomey @mattaustin and
Sure but the things that the CSP Analyzer is looking at are checking the same thing (restrictive default-src, setting form-action, etc.) regardless. Doing it for the wrong reason still protects you regardless of the motivations.
Replying to @aprilmpls @mattaustin and
Yeah..but you don’t want to overpraise on what it does..people might then get burned and be like “uh..yeah..guess this was useless”. This would have been totally fine if framed as a defense in depth against a different attack/example.
Replying to @patricktoomey @mattaustin and
We'll have to disagree about the risk/reward balance of confusion about what it can do vs. motivating people to do the right thing (even for the wrong reason). Aside from SQLi the biggest risk of data exfiltration comes from XSS, which putting in the leg work protects against.
Replying to @aprilmpls @mattaustin and
But the starting point here is “JS is executing”…we didn’t protect against arbitrary JS running in this scenario.
Replying to @patricktoomey @mattaustin and
My point is that it doesn't matter what their motivation is. People putting in good work to protect against a scenario that is unlikely to happen but nevertheless goes an incredible distance to protect them against XSS and content injections? I'll be sleeping well at night.
Replying to @aprilmpls @mattaustin and
Yeah..I’m all about good advertising. But this could be done in a way that uses examples that are accurate. Trying to convey CSP as a cure-all for malicious code checked into a JS dependency hurts more than helps (I think).
Replying to @patricktoomey @mattaustin and
You certainly might be right, but in my experience motivating people is 99.9% of the battle. It's why sites like SSL Labs and the Observatory exist – they get people to do drudge work by being a little bit hyperbolic about the risks that sites face.
Replying to @aprilmpls @mattaustin and
Using the example of @slekies ..what if someone wrote up an article on the benefits of ASLR for attacks that already have root. Maybe someone will then use ASLR..but the underlying discussion isn’t based in truth/science/etc.
Replying to @patricktoomey @mattaustin and
Except in this case it actually _does_ protect against data exfiltration, but only from XSS and HTML injections. :)
Currently, CSP may protect against exfiltration only if an attacker cannot convert an HTML injection bug into executing their evil JS. The role of CSP is to prevent evil script execution in the first place; it doesn't help once the attacker's code has run.
Replying to @arturjanc @patricktoomey and
Sure but that’s the first step (killing unsafe inline) and that’s covered by what the analyzer looks at as well. :)
Replying to @aprilmpls @patricktoomey and
I think we violently agree about the importance of CSP and evangelism =) The only sticking point here is that the specific use case for CSP outlined in the quoted post is dubious at best. I'd rather win hearts & minds with the real strength of CSP, i.e. defense-in-depth for XSS.