- From: Ken Lee <kennysan@gmail.com>
- Date: Mon, 17 Jun 2013 12:30:14 -0400
- To: Daniel Veditz <dveditz@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Tuesday, 18 June 2013 07:21:10 UTC
Don't know why I didn't see this sooner. I developed a tool to help generate a CSP policy using a python proxy to intercept and parse CSP reports. I plan on demo'ing it at Defcon this year, but if anyone is interested in receiving a copy of the tool in advance, please let me know.

Also--I thought CSP 1.0 forbade submitting reports to an endpoint that wasn't the same host, port, scheme as the host?

On Thu, May 23, 2013 at 12:41 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Ran across an interesting service/experiment, a 3rd party cspBuilder
> wizard. You run your site with a locked-down report-only policy sending
> your reports to this guy's server and he builds a CSP policy for you.
>
> http://ipsec.pl/node/1108 (blog)
> http://cspbuilder.info/ (tool)
>
> You certainly wouldn't want to take the results uncritically--what if a
> visitor is trying to poison the results while you're running the tool? I'd
> also be uncomfortable reporting all my traffic to some unknown 3rd party,
> but an open-source tool to do this that people could install on their own
> report server could be helpful.
>
> -Dan Veditz
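An added example (my code, not Ken's tool or the cspbuilder.info service) of the aggregation step such a report collector performs: it parses CSP 1.0 violation reports, discards any whose document-uri is not the site being profiled, maps blocked-uri values to source expressions, and only admits a source into the generated policy once it has been reported at least twice, as one mitigation for the result-poisoning Dan describes (a threshold raises the bar; it does not make the output safe to adopt unreviewed). SITE, SAMPLE_REPORTS, the function names and the threshold are all constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def _rpt(doc, blocked, directive):  # one constructed report in the CSP 1.0 "csp-report" JSON shape
    return json.dumps({"csp-report": {"document-uri": doc, "blocked-uri": blocked, "violated-directive": directive, "original-policy": "default-src 'none'; report-uri /csp"}})

SITE = "https://shop.example.test"  # constructed: origin of the site whose policy is being built
# Constructed reports, not real traffic. The last two are what a poisoning attempt could look like.
SAMPLE_REPORTS = [
    _rpt(SITE + "/cart", "https://cdn.example.test/app.js", "script-src 'none'"),
    _rpt(SITE + "/", "https://cdn.example.test/vendor.js", "script-src 'none'"),
    _rpt(SITE + "/", "", "style-src 'none'"),
    _rpt(SITE + "/", "", "style-src 'none'"),
    _rpt("https://attacker.test/", "https://evil.test/x.js", "script-src 'none'"),  # wrong document origin
    _rpt(SITE + "/", "https://evil.test/x.js", "script-src 'none'"),  # reported only once
]

def origin(uri):
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None

def source_for(report, site):
    # Map one report to a CSP source expression; None means discard it.
    if origin(report.get("document-uri", "")) != site:
        return None  # a report about someone else's page says nothing about ours
    blocked = report.get("blocked-uri", "")
    if blocked == "":
        return "'unsafe-inline'"  # CSP 1.0 reports inline content as an empty blocked-uri
    return "'self'" if origin(blocked) == site else origin(blocked)

def aggregate(raw_reports, site):
    counts = Counter()  # (directive, source) -> number of reports
    for raw in raw_reports:
        try:
            r = json.loads(raw)["csp-report"]
            key = (r["violated-directive"].split()[0], source_for(r, site))
        except (ValueError, KeyError, IndexError, AttributeError, TypeError):
            continue  # malformed report: drop it rather than guess
        if key[1]:
            counts[key] += 1
    return counts

def build_policy(counts, min_count=2):
    # Keep only sources seen at least min_count times, so one visitor cannot add a source alone.
    per_directive = {}
    for (directive, src), n in counts.items():
        if n >= min_count:
            per_directive.setdefault(directive, set()).add(src)
    return "; ".join(f"{d} {' '.join(sorted(per_directive[d]))}" for d in sorted(per_directive))
```

Running `build_policy(aggregate(SAMPLE_REPORTS, SITE))` yields `script-src https://cdn.example.test; style-src 'unsafe-inline'`; the evil.test source only appears if the threshold is lowered to one report.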