
Re: CSP Transition Tools

From: Ken Lee <kennysan@gmail.com>
Date: Tue, 14 Jan 2014 17:09:34 -0500
Message-ID: <CABnyH-YKyqyRKCcodWN9z+RPW=69yidY=LSymNh=zz65RAgDPQ@mail.gmail.com>
To: Taras Ivashchenko <oxdef@yandex-team.ru>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Garrett Robinson <grobinson@mozilla.com>

Hi Garrett,

You know this already, but for other interested parties, I made a
couple tools for generating a CSP called CSPTools last year and gave a
preso on it at Defcon last year:

https://github.com/Kennysan/CSPTools

http://www.youtube.com/watch?v=BEsEIV8v2fQ

I'm currently working on revamping the proxy and the parsing tools to
be more robust.

-Ken

On Tue, Jan 14, 2014 at 3:37 AM, Taras Ivashchenko <oxdef@yandex-team.ru> wrote:
> Hi, Garrett!
>
> We shared our case study at OWASP AppSec EU 2013, so you can watch it on
> YouTube: "Content Security Policy - the panacea for XSS or placebo?"
> http://www.youtube.com/watch?v=-7jLU-eO6XA
>
> We also shared our CSP related tools:
>
> * CSP Tester - This extension helps web masters to test web application
> behavior with Content Security Policy (CSP) ver. 1.0 implemented.
> https://www.oxdef.info/csp-tester
> * CSP Reporter - In a nutshell it is a parser for CSP (Content Security
> Policy) reports. Main purpose is to create easy to read and understand report
> from big size logs. https://www.oxdef.info/csp-reporter
>
> In a message dated 13 January 2014 14:26:23, Garrett Robinson wrote:
>> Hey webappsec!
>>
>> I'm working on encouraging some large site operators to transition to
>> using CSP. As we know, the process of transitioning is not easy,
>> especially on large, established sites with lots of inline code. I want
>> to give them some advice about techniques and tools they can use to make
>> this process easier.
>>
>> If you've transitioned a site (especially a large and/or complex one) to
>> use CSP, please consider sharing your process, tools, and any lessons
>> learned! I'd love to build an inventory that we could maybe turn into a
>> document to help site operators transition.
>>
>> -Garrett
>
> --
> Taras Ivashchenko
> Information Security Administrator,
> Yandex
>
>
Received on Tuesday, 14 January 2014 22:10:22 UTC
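The kind of log reduction CSP Reporter is described as doing above, as an added example that is not part of the original thread or of either project's code: it reads one CSP 1.0 violation report (a report-uri POST body) per line, collapses blocked URIs to their origin, treats an empty or "self" blocked-uri as inline script or eval, and counts violations per directive and source so a site operator running Report-Only mode can see what the policy would actually break. The sample log lines and hostnames are constructed.

```python
"""Summarise CSP 1.0 violation reports (report-uri POST bodies) into a few readable lines."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one JSON body per line, as a report-uri endpoint would log them
# while a site runs in Content-Security-Policy-Report-Only mode.
SAMPLE_LOG = """
{"csp-report": {"document-uri": "https://example.test/home", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example-third-party.test/lib.js"}}
{"csp-report": {"document-uri": "https://example.test/home", "violated-directive": "script-src 'self'", "blocked-uri": ""}}
{"csp-report": {"document-uri": "https://example.test/login", "violated-directive": "script-src 'self'", "blocked-uri": ""}}
{"csp-report": {"document-uri": "https://example.test/home", "violated-directive": "img-src 'self'", "blocked-uri": "https://img.example-third-party.test/a.png?x=1"}}
{"csp-report": {"document-uri": "https://example.test/home", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example-third-party.test/other.js"}}
not json at all
{"unrelated": {"foo": "bar"}}
""".strip()

def parse_report(line):
    """Return (directive, source) for one report line, or None if the line is not a usable report."""
    try:
        body = json.loads(line)["csp-report"]
        directive = body["violated-directive"].split()[0]  # keep only the directive name
    except (ValueError, KeyError, TypeError, AttributeError, IndexError):
        return None
    blocked = body.get("blocked-uri", "")
    # Browsers report inline script/style and eval() with an empty or "self" blocked-uri;
    # any real URI is collapsed to its origin so one CDN shows up as a single row.
    if blocked in ("", "self"):
        return directive, "<inline or eval>"
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return directive, f"{parts.scheme}://{parts.netloc}"
    return directive, blocked  # e.g. a bare scheme such as "data"

def summarize(log_text):
    """Count violations per (directive, source); return the Counter and the number of skipped lines."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_report(line)
        if parsed is None:
            skipped += 1
        else:
            counts[parsed] += 1
    return counts, skipped

def render(counts, skipped):
    """Human-readable report: rows grouped by directive, most frequent source first."""
    rows = [f"{d:<12} {n:>6}  {s}" for (d, s), n in sorted(counts.items(), key=lambda kv: (kv[0][0], -kv[1], kv[0][1]))]
    return "\n".join(rows + [f"(skipped {skipped} unparseable line(s))"])
```

Run `print(render(*summarize(SAMPLE_LOG)))` to see the three-row summary; pointing it at a real report-uri log file instead of SAMPLE_LOG is a one-line change.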
