Re: cspBuilder Wizard

Don't know why I didn't see this sooner.

I developed a tool to help generate a CSP policy using a python proxy to
intercept and parse csp reports. I plan on demo'ing it at Defcon this year,
but if anyone is interested in receiving a copy of the tool in advance,
please let me know.

Also--I thought CSP 1.0 forbade submitting reports to an endpoint that
wasn't the same host, port, scheme as the host?


On Thu, May 23, 2013 at 12:41 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> Ran across an interesting service/experiment, a 3rd party cspBuilder
> wizard. You run your site with a locked-down report-only policy sending
> your reports to this guy's server and he builds a CSP policy for you.
>
> http://ipsec.pl/node/1108  (blog)
> http://cspbuilder.info/    (tool)
>
> You certainly wouldn't want to take the results uncritically--what if a
> visitor is trying to poison the results while you're running the tool? I'd
> also be uncomfortable reporting all my traffic to some unknown 3rd party,
> but an open-source tool to do this that people could install on their own
> report server could be helpful.
>
> -Dan Veditz
>
>

Received on Tuesday, 18 June 2013 07:21:10 UTC
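As an added illustration of the idea under discussion (not code from the tool mentioned above, nor from cspbuilder.info), here is a small Python aggregator of the kind a report-collecting proxy would feed: it parses CSP 1.0 violation reports (the JSON `csp-report` body with `violated-directive` and `blocked-uri`), turns each blocked URI into a source expression, and emits a candidate policy. To address Dan's poisoning concern, a source is only admitted when it was reported by a minimum number of distinct clients; the rest is listed separately for manual review. The client address alongside each report is assumed to be recorded by the proxy (it is not part of the report format), the threshold of two clients is arbitrary, and all hosts and sample reports are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Fetch directives whose violations translate into allowed sources.
SOURCE_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src",
                     "font-src", "connect-src", "media-src", "object-src",
                     "frame-src")


def source_expression(blocked_uri):
    """Map a blocked-uri value to a CSP source expression, or None."""
    if blocked_uri in ("self", "inline"):   # inline script/style (browsers differ)
        return "'unsafe-inline'"
    if blocked_uri == "eval":
        return "'unsafe-eval'"
    if blocked_uri in ("data", "data:"):
        return "data:"
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"   # origin only, never the full path


def parse_report(raw_body):
    """Return (directive, source) for one report body, or None if unusable."""
    try:
        report = json.loads(raw_body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    # CSP 1.0 puts the whole directive ("script-src 'self'") in violated-directive;
    # later drafts add effective-directive with just the name.
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", "")).split(" ")[0]
    if directive not in SOURCE_DIRECTIVES:
        return None
    source = source_expression(report.get("blocked-uri", ""))
    return (directive, source) if source else None


def aggregate(reports):
    """directive -> source -> set of distinct client addresses that reported it."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, raw_body in reports:
        parsed = parse_report(raw_body)
        if parsed:
            directive, source = parsed
            seen[directive][source].add(client)
    return seen


def build_policy(seen, min_clients=2):
    """Return (policy, suspect): sources seen from fewer than min_clients distinct
    clients are not admitted and are returned in suspect for manual review."""
    accepted = {"default-src": set()}   # always emit a 'self' baseline
    suspect = {}
    for directive, sources in seen.items():
        for source, clients in sources.items():
            bucket = accepted if len(clients) >= min_clients else suspect
            bucket.setdefault(directive, set()).add(source)
    parts = []
    for directive in SOURCE_DIRECTIVES:
        if directive in accepted:
            parts.append(" ".join([directive, "'self'"] + sorted(accepted[directive])))
    return "; ".join(parts), suspect


def _report(document_uri, violated, blocked):
    """Constructed report body, shaped like what a report-only policy posts."""
    return json.dumps({"csp-report": {
        "document-uri": document_uri,
        "violated-directive": violated,
        "blocked-uri": blocked,
        "original-policy": "default-src 'self'; report-uri /csp"}})


# Constructed sample: (client address recorded by the proxy, raw POST body).
SAMPLE_REPORTS = [
    ("203.0.113.5",  _report("https://example.test/", "script-src 'self'", "https://cdn.example-cdn.test/jquery.js")),
    ("203.0.113.7",  _report("https://example.test/about", "script-src 'self'", "https://cdn.example-cdn.test/jquery.js")),
    ("198.51.100.2", _report("https://example.test/", "script-src 'self'", "https://cdn.example-cdn.test/jquery.js")),
    ("203.0.113.5",  _report("https://example.test/", "img-src 'self'", "https://static.example.test/logo.png")),
    ("198.51.100.2", _report("https://example.test/", "img-src 'self'", "https://static.example.test/logo.png")),
    # a single visitor reporting a host nobody else sees: held back for review
    ("198.51.100.9", _report("https://example.test/", "script-src 'self'", "https://attacker.example/x.js")),
    ("198.51.100.9", _report("https://example.test/", "script-src 'self'", "https://attacker.example/y.js")),
    ("203.0.113.5",  "not a json body"),   # garbage is ignored, not fatal
]

if __name__ == "__main__":
    policy, suspect = build_policy(aggregate(SAMPLE_REPORTS))
    print("Content-Security-Policy:", policy)
    print("needs review:", suspect)
```

With the sample input the candidate policy is `default-src 'self'; script-src 'self' https://cdn.example-cdn.test; img-src 'self' https://static.example.test`, and `https://attacker.example` is held back under `script-src` because only one client ever reported it. A distinct-client count is a cheap heuristic, not a guarantee; the point is that the generated policy is a starting draft to read, as Dan says, not something to deploy uncritically.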