- From: Yoav Weiss <yoav@yoav.ws>
- Date: Fri, 17 Jan 2014 08:58:07 +0100
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 17 January 2014 07:58:35 UTC
On Wed, Jan 15, 2014 at 10:25 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> There was a very good bachelor's thesis at the Ruhr University of
> Bochum, in which the author also wrote a reverse proxy that collects
> inline items and generates external files for them (using a learning & a
> production mode).
>
> The tool is available at https://github.com/qll/autoCSP, and I can
> surely find the thesis PDF if this is interesting enough and I start
> some additional digging ;)
>

I was thinking about something (very) similar that would integrate into current development frameworks (e.g. a Django/RoR app), and would add CSP auto-magically. Rather than externalizing inlined scripts (which can cause issues, at least in theory), such a plugin could use hashes/nonces to enable all the scripts that are present in the initial templates.
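As an added illustration of the hash-based approach described above (example code, not from the thread, from autoCSP, or from any framework plugin): a small Python helper that collects the inline `<script>` bodies of a template and emits a `script-src` directive carrying a `'sha256-...'` source for each, so the inline scripts stay in place instead of being externalized. The sample template and all function names are constructed for this example.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineScriptCollector(HTMLParser):
    """Collect the exact text of every <script> element that has no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self._buffer = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline_script = True
            self._buffer = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            # CSP hashes the script text exactly as served, whitespace included,
            # so the body is kept verbatim rather than stripped or reindented.
            self.scripts.append("".join(self._buffer))
            self._in_inline_script = False


def csp_hash(script_text: str) -> str:
    """Return the 'sha256-<base64>' source expression for one inline script body."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(template_html: str) -> str:
    """Build a script-src directive: same-origin files plus every inline script found."""
    collector = InlineScriptCollector()
    collector.feed(template_html)
    sources = ["'self'"] + [csp_hash(body) for body in collector.scripts]
    return "script-src " + " ".join(sources)


# Constructed sample template (hypothetical): one external and two inline scripts.
SAMPLE_TEMPLATE = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {"debug": false};</script>
</head><body>
<script>
  document.body.classList.add("js");
</script>
</body></html>"""

if __name__ == "__main__":
    print("Content-Security-Policy: " + build_script_src(SAMPLE_TEMPLATE))
```

Any template expression that changes the script body at render time changes its hash, so a plugin of this kind must hash the rendered output (or fall back to a per-response nonce) rather than the raw template.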