Hardening the Firefox Front End with Content Security Policies

(attackanddefense.dev)

182 points evilpie | 1 comments | 09 Apr 25 09:34 UTC | HN request time: 0s | source

Show context

theandrewbailey ◴[09 Apr 25 11:13 UTC] No.43630873[source]▶

CSP is really great at plugging these kinds of security holes, but it flummoxes me that most developers and designers don't take them seriously enough to implement properly (styles must only be set though <link>, and JS likewise exists only in external files). Doing any styling or scripting inline should be frowned upon as hard as table-based layouts.

replies(6): >>43630934 #>>43631184 #>>43631253 #>>43632334 #>>43633733 #>>43635528 #

athanagor2 ◴[09 Apr 25 12:21 UTC] No.43631253[source]▶

>>43630873 #

Honest question: I don't understand how forbidding inline scripts and style improves security. Also it would be a serious inconvenience to the way we distribute some of our software right now lol

replies(4): >>43631299 #>>43631348 #>>43631357 #>>43633910 #

theandrewbailey ◴[09 Apr 25 12:28 UTC] No.43631299[source]▶

>>43631253 #

CSP tells the browser where scripts and styles can come from (not just inline, but origins/domains, too). Let's pretend that an attacker can inject something into a page directly (like a SQL injection, but HTML). That script can do just about anything, like steal data from any form on the page, like login, address, or payments, or substitute your elements for theirs. If inline resources are forbidden, the damage can be limited or stopped.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

replies(1): >>43631729 #

1. magicalhippo ◴[09 Apr 25 13:17 UTC] No.43631729{3}[source]▶

>>43631299 #

Still recall the classic forum exploits of including Javascript in your signature or similar, before such software started escaping input.

↑