Their feedback is very useful to us as we iterate on the specification and implementation of CSP. (Disclosure: I'm an editor of the CSP specification.)
I'm not sure if that introduces any additional attack vectors (other than somebody modifying the document in an unencrypted connection) but it's useful for when hosting statically.
Does a page's CSP break your extension in Chrome Canary? We've done quite a bit of work to allow extensions to transparently bypass a page's policy, and I'd much prefer to fix the bugs in Chrome than for you to kill a page's policy via the WebRequest API.
I'd very much appreciate it if you could point me at things that aren't working in Canary. :)
Its great to see a large site like GitHub start work on deploying CSP. I don't know how many times I've had to argue with people about bad practices like inline event handlers. With CSP there's a way for a site to prevent them from being used.
CSP is great stuff. I'm using it to view RSS/Atom posts without having to go through the usual hoop-jumping to sanitize content. Why sanitize content when it's unable to do anything evil in the context of a page?
I would recommend using some kind of test in your scripting to see if it's actually working. I purposely attempt to inject a <script> tag to fiddle with a variable. If it works, I know CSP isn't functional in the browser and avoid the dangerous stuff (rendering user-generated content). Otherwise, it's full speed ahead, detailed here: http://rachelbythebay.com/w/2011/10/31/csp/
12 comments
[ 3.7 ms ] story [ 35.3 ms ] threadEDIT: updated to mimic example in post
You can configure your webserver to add those headers, when hosting statically. There is no need to include it in all your pages.
nginx: add_header Content-Security-Policy "...";
Hope it help someone.
I'd very much appreciate it if you could point me at things that aren't working in Canary. :)
I would recommend using some kind of test in your scripting to see if it's actually working. I purposely attempt to inject a <script> tag to fiddle with a variable. If it works, I know CSP isn't functional in the browser and avoid the dangerous stuff (rendering user-generated content). Otherwise, it's full speed ahead, detailed here: http://rachelbythebay.com/w/2011/10/31/csp/