- From: Tim Brown <tmb@65535.com>
- Date: Wed, 15 Jan 2014 07:44:38 +0000
- To: public-webappsec@w3.org
- Message-Id: <201401150745.01813.tmb@65535.com>
On Monday 13 January 2014 22:26:23 Garrett Robinson wrote:

> Hey webappsec!
>
> I'm working on encouraging some large site operators to transition to
> using CSP. As we know, the process of transitioning is not easy,
> especially on large, established sites with lots of inline code. I want
> to give them some advice about techniques and tools they can use to make
> this process easier.
>
> If you've transitioned a site (especially a large and/or complex one) to
> use CSP, please consider sharing your process, tools, and any lessons
> learned! I'd love to build an inventory that we could maybe turn into a
> document to help site operators transition.
>
> -Garrett

I wasn't intending to post this here, but since the practical implementation of CSP is being discussed...

http://labs.portcullis.co.uk/tools/cspcalculator/ is a PoC that I developed which I am intending to maintain. It was originally developed to help a client's UX team implement their responsive UI whilst employing CSP. The project itself was a large e-commerce site that was being written from scratch - we were doing the SDL, but I think the idea may have wider interest.

Where possible cspCalculator will use client-side JS to calculate appropriate policies based on a DOM-based analysis of the content. This can be improved. The PoC uses cookies to pass the defined policy back to the stub (since this has the least potential impact on a site's other functions). It should be noted that it is not intended that cspCalculator would be deployed in production - it is a development tool only.

I am intending to add support for the nonce / hashing properties of CSP once these are fully fleshed out. I would also welcome integration into some of the more common development frameworks and/or example stubs written for other languages. We will be doing some of the heavy lifting, but I am very open to accepting patches too.

Tim

--
Tim Brown <mailto:tmb@65535.com>
Received on Wednesday, 15 January 2014 15:04:50 UTC
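The DOM-based policy calculation Tim describes, as an added example that is not cspCalculator's own code: it scans the elements a page loads, groups their origins under the matching CSP directives, flags inline script and style (the parts a site would have to refactor, nonce or hash before dropping 'unsafe-inline'), and hands the result back to a server-side stub in a cookie. The cookie name and the sample input in the test are this example's own assumptions.

```javascript
// Added example (not cspCalculator's own code): a minimal DOM-based CSP
// calculator. It walks script/style/link/img/iframe elements, collects one
// source expression per origin per directive, and emits a CSP header value.
const DIRECTIVES = { script: 'script-src', style: 'style-src',
  link: 'style-src', img: 'img-src', iframe: 'frame-src' };
// Turn a URL attribute into a CSP source expression relative to the page origin.
function sourceFor(src, pageOrigin) {
  let u;
  try { u = new URL(src, pageOrigin); } catch (e) { return null; }
  if (u.protocol === 'data:' || u.protocol === 'blob:') return u.protocol;
  return u.origin === pageOrigin ? "'self'" : u.origin;
}
// refs: [{ tag, src }], src null for inline <script>/<style> or an on* handler.
// Returns { policy, inline }; inline lists directives that still need 'unsafe-inline'.
function computeCsp(refs, pageOrigin) {
  const sources = {}, inline = new Set();
  const add = (d, v) => (sources[d] = sources[d] || new Set()).add(v);
  for (const ref of refs) {
    const d = DIRECTIVES[ref.tag];
    if (!d) continue;
    if (ref.src == null) { inline.add(d); add(d, "'unsafe-inline'"); continue; }
    const v = sourceFor(ref.src, pageOrigin);
    if (v) add(d, v);
  }
  const parts = ["default-src 'self'"];
  for (const d of Object.keys(sources).sort())
    parts.push(`${d} ${[...sources[d]].sort().join(' ')}`);
  return { policy: parts.join('; '), inline: [...inline].sort() };
}
// Browser side: gather refs from a live DOM.
function collectRefs(doc) {
  const refs = [];
  const grab = (sel, tag, attr) => doc.querySelectorAll(sel).forEach(el =>
    refs.push({ tag, src: attr ? el.getAttribute(attr) : null }));
  grab('script', 'script', 'src');   // <script> with no src -> null -> inline
  grab('style', 'style', null);
  grab('link[rel="stylesheet"]', 'link', 'href');
  grab('img', 'img', 'src');
  grab('iframe', 'iframe', 'src');
  doc.querySelectorAll('*').forEach(el => {   // on* attributes are inline script
    for (const a of el.attributes) if (/^on/i.test(a.name)) refs.push({ tag: 'script', src: null });
  });
  return refs;
}
// Pass the policy to the server-side stub in a cookie, as the PoC does
// (cookie name 'cspcalc' is this example's own choice). Browser only.
if (typeof document !== 'undefined') {
  const { policy } = computeCsp(collectRefs(document), location.origin);
  document.cookie = 'cspcalc=' + encodeURIComponent(policy) + '; path=/';
}
```

The `inline` list is the useful output for a migration: every directive it names points at markup that must be externalised, nonced or hashed before the policy can be tightened.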