W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: CSP Transition Tools

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 17 Jan 2014 08:58:07 +0100
Message-ID: <CACj=BEjgOdsFjX-zmCZ8Mq4vkEuwxnADawDgAuAGwz9Sr0SHHw@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jan 15, 2014 at 10:25 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> There was a very good bachelor's thesis at the Ruhr University of
> Bochum, in which the author also wrote a reverse proxy that collects
> inline items and generates external files for them (using a learning & a
> production mode).
>
> The tool is available at https://github.com/qll/autoCSP, and I can
> surely find the thesis PDF if this is interesting enough and I start
> some additional digging ;)
>
>
I was thinking about something (very) similar that would integrate into
current development frameworks (e.g. a Django/RoR app), and would add CSP
auto-magically. Rather than externalizing inlined scripts (which can cause
issues, at least in theory), such a plugin could use hashes/nonces to
enable all the scripts that are present in the initial templates.
Received on Friday, 17 January 2014 07:58:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC