The more policies I look at in the wild, the more convinced I am that we need to wrap up CSP3, then start over with something more straightforward, like https://mikewest.github.io/artur-yes/ .
Not asking for a free test, but I wonder what you think of the CSP on: https://portal.contact-associates.co.uk It’s even stricter when you enable DNT on your browser :-)
Replying to @craigfrancis @mikewest
form action is likely to break something involving redirects, protocols are unnecessary, use a proxy solution for google analytics
script-src on GA domains is still a bypass if you set 'unsafe-eval'.
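The point made above (allowlisting Google Analytics / Tag Manager hosts in script-src while also granting 'unsafe-eval') is easy to miss when reading a long policy by eye. Below is an added example, not written by anyone in this thread: a small Python linter that parses a Content-Security-Policy header value the way browsers do (first occurrence of a directive wins, script-src falls back to default-src) and flags that combination, plus the related 'unsafe-inline'-without-nonce case. The set of "risky" hosts and the two sample policies are constructed for the example; the hardened policy assumes the analytics script is served from the site's own origin via a proxy, as suggested in the thread.

```python
"""Lint a Content-Security-Policy header for the script-src weakness discussed in the thread."""
from typing import Dict, List

# Hosts known to serve user-configurable script (tag-manager containers whose
# custom macros are eval()ed). Constructed for this example, not an authoritative list.
RISKY_SCRIPT_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
}

# Constructed sample policies.
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.google-analytics.com https://www.googletagmanager.com 'unsafe-eval'; "
    "img-src 'self' data:"
)
# Analytics script is proxied through the site's own origin, so only 'self' plus a
# per-response nonce is needed; no third-party host and no 'unsafe-eval'.
HARDENED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d3adb33f'; "
    "object-src 'none'; base-uri 'none'"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive and, per the spec, a browser honours
    only the first occurrence of a directive and ignores later duplicates.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def host_of(source: str) -> str:
    """Reduce a host-source such as https://host/path to its bare host name."""
    s = source.lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0]


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src, falling back to default-src exactly as browsers do."""
    return policy.get("script-src", policy.get("default-src", []))


def lint_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    sources = script_sources(parse_csp(header))
    keywords = {s.lower() for s in sources if s.startswith("'")}
    hosts = {host_of(s) for s in sources if not s.startswith("'")}
    findings: List[str] = []

    # Exact-match only: wildcard sources like *.example.com are not expanded here.
    risky = sorted(hosts & RISKY_SCRIPT_HOSTS)
    if "'unsafe-eval'" in keywords:
        # With 'strict-dynamic' the host allowlist is ignored, so the host-based
        # finding only applies when it is absent; 'unsafe-eval' itself is still flagged.
        if risky and "'strict-dynamic'" not in keywords:
            findings.append(
                "script-src allows " + ", ".join(risky) + " together with 'unsafe-eval': "
                "a tag-manager container whose macros are eval()ed runs as first-party script"
            )
        else:
            findings.append(
                "'unsafe-eval' in script-src: any string that reaches eval()/new Function() executes"
            )

    has_nonce_or_hash = any(
        k.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for k in keywords
    )
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: injected inline <script> executes")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label + ":", lint_csp(policy) or ["no findings"])
```

Running the module prints one finding for the weak policy and none for the hardened one; feeding it a real header copied from a response is the intended use.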
Replying to @arturjanc
I didn't question this but in retrospect, wat? Gadgets?
Replying to @ndm
Integration with https://developers.google.com/tag-manager/devguide … which supports custom macros that get eval()ed after you include the attacker's container. Also: you do your own offensive research!!
Replying to @arturjanc
OT what's the likelihood of the internet moving towards data-* attributes over script tags that set data?
Replying to @arturjanc
RE: name the most trivial upon which you would die