(attackanddefense.dev)

182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0.242s | source

Show context

theandrewbailey ◴[09 Apr 25 11:13 UTC] No.43630873[source]▶

CSP is really great at plugging these kinds of security holes, but it flummoxes me that most developers and designers don't take them seriously enough to implement properly (styles must only be set though <link>, and JS likewise exists only in external files). Doing any styling or scripting inline should be frowned upon as hard as table-based layouts.

replies(6): >>43630934 #>>43631184 #>>43631253 #>>43632334 #>>43633733 #>>43635528 #

1. pocketarc ◴[09 Apr 25 11:21 UTC] No.43630934[source]▶

>>43630873 #

> should be frowned upon as hard as table-based layouts

I absolutely agree with you. I've been very very keen on CSP for a long time, it feels SO good to know that that vector for exploiting vulnerabilities is plugged.

One thing that's very noticeable: It seems to block/break -a lot- of web extensions. Basically every error I see in Sentry is of the form of "X.js blocked" or "random script eval blocked", stuff that's all extension-related.

↑

Hardening the Firefox Front End with Content Security Policies