W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: CSP tools and documentation

From: Artur Janc <aaj@google.com>
Date: Tue, 27 Sep 2016 12:57:52 +0100
Message-ID: <CAPYVjqqWQX4Y_r7qzuY+o+HubrhudF45F1yJiuC+AbW5hxbnLg@mail.gmail.com>
To: Craig Francis <craig.francis@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Tue, Sep 27, 2016 at 12:08 PM, Craig Francis <craig.francis@gmail.com>
wrote:

> Hi Artur,
>
> Is it worth talking to Lucas Garron on the Google Chrome team to see if
> your csp-evaluator could be added to the Security tab of the Dev Tools?
>
> Must confess I've been wanting something like this for a while:
> https://craigfrancis.github.io/dev-security/#csp
>

I like this idea, let me see if something like this would work. FWIW we
briefly considered this in the past, but one of the challenges is that
results from the CSP-Evaluator are based on information that can't be
gleaned from the policy string itself -- we need to know which domains have
patterns which allow CSP to be bypassed so we can detect which script-src
entries are unsafe. This is by nature imperfect, because such patterns can
change as developers refactor their applications, and since the
recommendations in Chrome are more authoritative than in our tool, there's
less margin for error. But perhaps there's a way to do this...


>
> :-)
>
> Craig
>
>
>
> On 26 Sep 2016, at 23:40, Artur Janc <aaj@google.com> wrote:
>
> Hi all,
>
> At the last call there was some interest in tools to evaluate the security
> of CSP policies; we've just released several of the utilities we use
> internally, so I figured they might be useful to someone:
>
> - https://csp-evaluator.withgoogle.com - A tool to check CSP strength and
> find whitelist bypasses
> - https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa
> - Chrome extension to check if an application is compatible with a given
> CSP (it generates spiffy reports, too!)
> - https://csp.withgoogle.com - Our "developer education" site explaining
> how to adopt nonce-based CSP policies, including sample code and policies.
>
> I'm happy to accept bug reports and feature requests off-list ;-)
>
> Cheers,
> -Artur
>
>
>
Received on Tuesday, 27 September 2016 11:58:41 UTC
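The point Artur makes above, that the strength of a script-src whitelist cannot be judged from the policy string alone, as an added example (not code from this thread and not the CSP-Evaluator itself). The Python below parses a serialized policy, checks the source list that governs scripts for the in-policy weaknesses ('unsafe-inline' without a nonce or hash, scheme-wide and wildcard sources) and then consults an out-of-band list of hosts known to expose JSONP endpoints or script gadgets. That list, `BYPASSABLE_HOSTS`, is constructed for this example; `jsonp.example` and `cdn.example` are placeholders, not real findings, and a real evaluator has to keep such a list current, which is exactly the maintenance problem described above. The nonce plus 'strict-dynamic' branch reflects the policy shape csp.withgoogle.com recommends: supporting browsers ignore host sources in that case, so there is nothing to whitelist-check.

```python
"""Toy CSP script-whitelist evaluator (example code, not csp-evaluator)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed for this example only: hosts assumed to serve JSONP endpoints
# or script-gadget libraries (e.g. an old AngularJS build) that let an
# attacker execute code under a whitelisted origin. Placeholders, not facts.
BYPASSABLE_HOSTS = {
    "jsonp.example": "serves JSONP endpoints (assumed for this example)",
    "cdn.example": "serves a script-gadget library (assumed for this example)",
}

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
SCHEME_SOURCES = {"http:", "https:", "data:", "blob:", "*"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

Finding = Tuple[str, str, str]  # (severity, source expression, reason)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Directives are ';'-separated; the first occurrence of a directive name
    wins and later duplicates are ignored, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; if absent, default-src applies."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def host_of(source: str) -> str:
    """Reduce a host-source like https://cdn.example:443/js/ to cdn.example.
    Paths are dropped; a path-restricted entry may not actually expose a
    gadget, so a production tool would keep and compare them."""
    host = SCHEME_RE.sub("", source).lstrip("/")
    return host.split("/")[0].split(":")[0].lower()


def evaluate(policy: str) -> List[Finding]:
    """Return findings for the source list that governs script execution."""
    findings: List[Finding] = []
    sources = script_sources(parse_csp(policy))
    if sources is None:
        return [("high", "(none)",
                 "neither script-src nor default-src set: scripts unrestricted")]
    quoted = {s.lower() for s in sources if s.startswith("'")}
    has_nonce_or_hash = any(q.startswith(NONCE_OR_HASH) for q in quoted)
    strict_dynamic = "'strict-dynamic'" in quoted

    # 'unsafe-inline' is ignored by browsers when a nonce or hash is present,
    # so it only counts as a weakness without one.
    if "'unsafe-inline'" in quoted and not has_nonce_or_hash:
        findings.append(("high", "'unsafe-inline'",
                         "inline script allowed; any injection point executes"))
    if "'unsafe-eval'" in quoted:
        findings.append(("medium", "'unsafe-eval'", "eval() and friends allowed"))

    for src in sources:
        if src.startswith("'"):
            continue  # keyword, nonce or hash: handled above
        low = src.lower()
        if strict_dynamic:
            # Supporting browsers drop host and scheme sources entirely;
            # they only remain as a fallback for browsers without CSP3.
            findings.append(("info", src,
                             "ignored by browsers that support 'strict-dynamic'"))
            continue
        if low in SCHEME_SOURCES:
            findings.append(("high", src, "scheme-wide or wildcard source"))
            continue
        host = host_of(src)
        wildcard = host.startswith("*.")
        base = host[2:] if wildcard else host
        # The part a policy string cannot tell you: is this host bypassable?
        for bad, why in BYPASSABLE_HOSTS.items():
            covered = (base == bad) if not wildcard else bad.endswith("." + base)
            if covered:
                findings.append(("high", src, "whitelisted host " + why))
                break
        else:
            if wildcard:
                findings.append(("medium", src,
                                 "wildcard host: every subdomain is a script origin"))
    return findings


if __name__ == "__main__":
    for pol in ("default-src 'self'; script-src 'self' https://cdn.example "
                "https://*.example 'unsafe-inline'",
                "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'"):
        print(pol)
        for sev, src, why in evaluate(pol):
            print(f"  [{sev}] {src}: {why}")
```

Running the module prints the findings for a whitelist-based policy (three high findings, two of which come only from the constructed host list) and for a nonce-based policy with 'strict-dynamic', where the only remaining entry is informational. Swapping the host list changes the verdict on the same policy string, which is why a verdict shipped inside a browser's Dev Tools would need that list to be both authoritative and maintained.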
