(attackanddefense.dev)

182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0s | source

Show context

theandrewbailey ◴[09 Apr 25 11:13 UTC] No.43630873[source]▶

CSP is really great at plugging these kinds of security holes, but it flummoxes me that most developers and designers don't take them seriously enough to implement properly (styles must only be set though <link>, and JS likewise exists only in external files). Doing any styling or scripting inline should be frowned upon as hard as table-based layouts.

replies(6): >>43630934 #>>43631184 #>>43631253 #>>43632334 #>>43633733 #>>43635528 #

athanagor2 ◴[09 Apr 25 12:21 UTC] No.43631253[source]▶

>>43630873 #

Honest question: I don't understand how forbidding inline scripts and style improves security. Also it would be a serious inconvenience to the way we distribute some of our software right now lol

replies(4): >>43631299 #>>43631348 #>>43631357 #>>43633910 #

1. flir ◴[09 Apr 25 12:35 UTC] No.43631357[source]▶

>>43631253 #

Cross-Site Scripting. If a user injects a malicious script into the page, it doesn't get run.

↑

Hardening the Firefox Front End with Content Security Policies