
Re: CSP tools and documentation

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 27 Sep 2016 12:08:00 +0100
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-Id: <4DCD5D7B-3A66-4B33-A9A4-C15E83511FC5@gmail.com>
To: Artur Janc <aaj@google.com>

Hi Artur,

Is it worth talking to Lucas Garron on the Google Chrome team to see if your csp-evaluator could be added to the Security tab of the Dev Tools?

Must confess I've been wanting something like this for a while: https://craigfrancis.github.io/dev-security/#csp

:-)

Craig



> On 26 Sep 2016, at 23:40, Artur Janc <aaj@google.com> wrote:
> 
> Hi all,
> 
> At the last call there was some interest in tools to evaluate the security of CSP policies; we've just released several of the utilities we use internally, so I figured they might be useful to someone:
> 
> - https://csp-evaluator.withgoogle.com - A tool to check CSP strength and find whitelist bypasses
> - https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa - Chrome extension to check if an application is compatible with a given CSP (it generates spiffy reports, too!)
> - https://csp.withgoogle.com - Our "developer education" site explaining how to adopt nonce-based CSP policies, including sample code and policies.
> 
> I'm happy to accept bug reports and feature requests off-list ;-)
> 
> Cheers,
> -Artur


Received on Tuesday, 27 September 2016 11:08:32 UTC
