W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

CSP tools and documentation

From: Artur Janc <aaj@google.com>
Date: Mon, 26 Sep 2016 23:40:30 +0100
Message-ID: <CAPYVjqr=fbHX-FUJ=tEPGuVp7uWWutKtvRcapZ9TZW03JnaH0A@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Hi all,

At the last call there was some interest in tools to evaluate the security
of CSP policies; we've just released several of the utilities we use
internally, so I figured they might be useful to someone:

- https://csp-evaluator.withgoogle.com - A tool to check CSP strength and
find whitelist bypasses
- Chrome extension to check if an application is compatible with a given
CSP (it generates spiffy reports, too!)
- https://csp.withgoogle.com - Our "developer education" site explaining
how to adopt nonce-based CSP policies, including sample code and policies.

I'm happy to accept bug reports and feature requests off-list ;-)

Received on Monday, 26 September 2016 22:41:19 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC