182 points evilpie | 1 comments
SebFender No.43631014
CSP is a soothing cream but is most usually easily bypassed by other simple attacks relying on poor DOM management and security - to this day my team has never found so many web vulnerabilities just going into the DOM...
replies(1): >>43631204 #
sixaddyffe2481 No.43631204
Their blog has a lot of posts on trying to attack Firefox. If it's so simple, why are you not in the bug bounty hall of fame? :)
replies(2): >>43639666 #>>43640632 #
1. h4ck_th3_pl4n3t No.43640632
The problem with CSP is that it's fixing the effect, not the cause.

It is also made in a way that it is optional (never break the web mentality), so what happens in practice is the same as with CORS: allow all, because web devs don't understand what to do, and don't have time to read the RFC.

For example: try getting a web page to run that uses a web assembly binary _and_ an external JS library. Come back after 2 weeks of debugging and let me know what your experience was like, and why you eventually gave up on it.
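
An audit of the "allow all" outcome described in the comment above, next to a tighter policy that still permits a WebAssembly module and one external library. This is an added example, not part of any commenter's post; the host `cdn.example` and both policy strings are constructed for illustration.

```javascript
// Added example: parse a CSP header value and flag "allow all" script sources.
// Both policies and the host cdn.example are constructed sample values.
const PERMISSIVE = "default-src * 'unsafe-inline' 'unsafe-eval' data:";
// 'wasm-unsafe-eval' permits WebAssembly compilation without enabling JS eval();
// the .wasm file itself is fetched under connect-src, which falls back to 'self'.
const STRICT = "default-src 'self'; " +
  "script-src 'self' 'wasm-unsafe-eval' https://cdn.example; " +
  "object-src 'none'; base-uri 'none'";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that effectively switch script restrictions off.
const BROAD = new Set(['*', 'http:', 'https:', 'data:',
  "'unsafe-inline'", "'unsafe-eval'"]);

function auditScriptPolicy(policy) {
  const d = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return ['no script-src or default-src: scripts unrestricted'];
  const lower = sources.map(s => s.toLowerCase());
  const strictDynamic = lower.includes("'strict-dynamic'");
  const nonceOrHash = lower.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  const findings = [];
  for (const s of lower) {
    // With 'strict-dynamic', host and scheme sources are ignored.
    if (strictDynamic && !s.startsWith("'")) continue;
    // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is set.
    if (s === "'unsafe-inline'" && (nonceOrHash || strictDynamic)) continue;
    if (BROAD.has(s)) findings.push(`script sources allow ${s}`);
  }
  return findings;
}

console.log(auditScriptPolicy(PERMISSIVE));
console.log(auditScriptPolicy(STRICT));
```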