Content Security Policy (CSP) is a defense-in-depth mechanism to restrict resources that can be loaded, embedded and executed in a web application, significantly reducing the risk and impact of injections. It is supported by most modern browsers, and it is already at its third iteration - yet, adoption on the web is struggling.

In this presentation I'll highlight the major roadblocks that make CSP deployment difficult and common mistakes, and talk about how we automatically bypassed the CSP of more than 95% of ~1.6 million domains, e.g., by showing how easy it is to defeat the whitelist-based model with some juicy bypasses, thanks to JSONP endpoints, for example, or by abusing a CDN and loading outdated versions of AngularJS.

Finally, I present a radically new way of doing CSP in a simpler, easier to maintain and more secure way, based on nonces and making use of a new feature we contributed to CSP3.
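As an added illustration (not code from the talk or its authors), the following shows the two policy styles the abstract contrasts: a host-whitelist policy, which is only as strong as the weakest script a whitelisted origin serves, next to a nonce-based policy with per-response nonces stamped onto the server's own script tags. It assumes the CSP3 feature meant is 'strict-dynamic', which is my identification and not stated on the page, and uses a constructed placeholder host.

```python
import re
import secrets

# Whitelist-based policy of the kind the talk describes as bypassable: any
# JSONP endpoint or outdated AngularJS build served by a whitelisted origin
# is loadable as a script, so an HTML injection still becomes XSS.
# (cdn.example.com is a constructed placeholder, not a real whitelist entry.)
WHITELIST_POLICY = "script-src 'self' https://cdn.example.com; object-src 'none'"

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64url)."""
    return secrets.token_urlsafe(nbytes)


def nonce_policy(nonce: str) -> str:
    """Nonce-based policy. Only scripts carrying this nonce may run;
    'strict-dynamic' lets those trusted scripts load further scripts
    without any host whitelist. The trailing 'https:' and 'unsafe-inline'
    are fallbacks for old browsers and are ignored once a nonce or
    'strict-dynamic' is understood."""
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'"
    )


def add_nonce(html: str, nonce: str) -> str:
    """Stamp the nonce onto every <script> tag of the server's own template.
    Run this on trusted markup only; injected content never gets a nonce."""
    def stamp(m: re.Match) -> str:
        attrs = m.group(1)
        if re.search(r"\bnonce=", attrs):  # already nonced, leave untouched
            return m.group(0)
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_TAG.sub(stamp, html)


def scripts_without_nonce(html: str, nonce: str) -> list[str]:
    """Audit helper: script tags that nonce_policy(nonce) would block."""
    return [m.group(0) for m in SCRIPT_TAG.finditer(html)
            if f'nonce="{nonce}"' not in m.group(1)]


if __name__ == "__main__":
    n = make_nonce()
    page = add_nonce('<script src="/app.js"></script><script>init()</script>', n)
    print("Content-Security-Policy:", nonce_policy(n))
    print(page, scripts_without_nonce(page, n))
```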