Jan 2018
david kaye
Jan 07 2018 07:07
@jdubray The post focuses a lot on CSP corners few seem to get right because CSP still isn't well supported in IE/Edge (far as I can tell).
To be well protected you have to use at least 6 or 7 directives to keep XSS out, and even then strict-dynamic doesn't guarantee protection against malicious/incompetent JavaScript requests.
I played with it all afternoon and I've barely covered the happy paths.
david kaye
Jan 07 2018 07:12
By happy paths I mean all cross-browser happy paths. Firefox works better than expected while Chrome has a couple of surprises.
Would be great to get one canonical and safe CSP configuration for JS so we can use Function() and eval() without fear again. Will post something once I get there. (Could take a while so stay busy with other things until then.) :)
Jean-Jacques Dubray
Jan 07 2018 10:27
@dfkaye_twitter We would need an inverted CORS (limiting the domains a client can call) to be able to block this kind of attack.
It looks like CSP supports connect-src already