Re: cspBuilder Wizard from Ken Lee on 2013-06-17 (public-webappsec@w3.org from June 2013)

From: Ken Lee <kennysan@gmail.com>
Date: Mon, 17 Jun 2013 12:30:14 -0400
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CABnyH-Zm6MSOn-e8hq=eKOnxZyvGjOX9T89OfbJnSBHJpZqTbA@mail.gmail.com>

Don't know why I didn't see this sooner.

I developed a tool to help generate a CSP policy using a python proxy to
intercept and parse csp reports. I plan on demo'ing it at Defcon this year,
but if anyone is interested in receiving a copy of the tool in advance,
please let me know.

Also--I thought CSP 1.0 forbid submitting reports to an endpoint that
wasn't the same host, port, scheme as the host?

On Thu, May 23, 2013 at 12:41 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Ran across an interesting service/experiment, a 3rd party cspBuilder
> wizard. You run your site with a locked-down report-only policy sending
> your reports to this guy's server and he builds a CSP policy for you.
>
> http://ipsec.pl/node/1108  (blog)
> http://cspbuilder.info/    (tool)
>
> You certainly wouldn't want to take the results uncritically--what if a
> visitor is trying to poison the results while you're running the tool? I'd
> also be uncomfortable reporting all my traffic to some unknown 3rd party,
> but an open-source tool to do this that people could install on their own
> report server could be helpful.
>
> -Dan Veditz
>
>

Received on Tuesday, 18 June 2013 07:21:10 UTC