SlideShare a Scribd company logo

Content Security Policy featuring ember.js

Ryan LaBouve
Ryan LaBouve

A look at content security policy (with examples in Emberjs)

Technology
1 of 43
Download to read offline
Content Security Policy featuring ember.js
WHOAMI Ryan LaBouve (@ryanlabouve)
HOLYARCHERS
RyanLaBouve.com
Thinking about a new side-project
Fire up `ember new`
(wait on NPM and Bower)
`ember serve`
Sparkling new project!
But wait!?!?
ENTER CSP Content-Security-Policy: ‘take-that.xss’
What is Content Security Policy?
XSS Mitigation Strategy using a whitelist based approach.
What is XSS? people trying to execute malicious (usually?) javascripts on your page.
How CSP helps? deliver policy via http header with information about what is allowed to execute on your site.
When we request a webpage, we get a response that has a header and a body CSP in the wild
Response body (has the html/css/js)
Response Header has (various meta-data)
CSP in the wild
How to implement and customize CSP
Series of Directives
default-src script-src*** object-src style-src img-src media-src frame-src font-src connect-src (script-src key directive for blocking scripting)
Each attached to HTML elements
script-src <script> object-src <object>, <embed> style-src <link rel=“stylesheet”>, <style> img-src <img>, images in css media-src <audio>, <video> frame-src <iframe>, <frame> font-src @font-face connect-src XMLHttpRequest, JS APIs
self none * unsafe-inline unsafe-eval example.url.com Values to Describe Policy
Space delimited sources to match http header syntax semi colon end of line About the Values
self Anything you’re including locally
unsafe-inline Anything happening by your content Better to “separate code and data” This includes inline event handlers
unsafe-eval setTimeout eval not as big a deal as unsafe inline
Custom Templates Not executing. No problem.
Other Values *— Anything Goes none— Nothing Goes url— can specify ports, protocols, wildcards, etc http://content-security-policy.com/
A few quick examples:
Serve nothing at all
Serve everything ever
Only serve local assets … a good starting spot
Build up slowly as needed
Focus on script-src …especially if you’re worried mostly about XSS
mitigate XSS …a more complete plan * move inline script out-of-line * remove inline event handlers * Remove use of eval and friends (not as big) * Add the script-src directive
Report only, callback url, block Options for Enforcing
Wanna try it out? Try report only mode and tweak as you go
Browser Compatibility Issues
Resources http://www.html5rocks.com/en/tutorials/security/content- security-policy/ https://developer.chrome.com/extensions/contentSecurityPolicy http://en.wikipedia.org/wiki/Content_Security_Policy https://www.youtube.com/watch?v=pocsv39pNXA https://blog.justinbull.ca/ember-cli-and-content-security-policy- csp/

Recommended

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 

Recommended

Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyKsenia Peguero
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographySamsung Open Source Group
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF knaddison
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilitiesOleksandr Kovalchuk
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)Arun Kumar
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSSlethalduck
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPДмитрий Бумов
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Miriam Schwab
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le netAAT's
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps SecurityVictor Bucutea
 

More Related Content

What's hot

Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyAustin Gil
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Francois Marier
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudArun Gupta
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck
 
Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF knaddison
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)Arun Kumar
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSSlethalduck
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityMikal Villa
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Miriam Schwab
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS ApplicationPhilippe De Ryck
 

What's hot (20)

Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Http security response headers
Http security response headers Http security response headers
Http security response headers
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the CloudJavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF Drupal Security for Coders and Themers - XSS and CSRF
Drupal Security for Coders and Themers - XSS and CSRF
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Content Security Policy (CSP)
Content Security Policy (CSP)Content Security Policy (CSP)
Content Security Policy (CSP)
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)
 
VolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSPVolgaCTF 2018 - Neatly bypassing CSP
VolgaCTF 2018 - Neatly bypassing CSP
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
 
Tsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header SecurityTsc summit #2 - HTTP Header Security
Tsc summit #2 - HTTP Header Security
 
Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...Content Security Policies: A whole new way of securing your website that no o...
Content Security Policies: A whole new way of securing your website that no o...
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
Securing your EmberJS Application
Securing your EmberJS ApplicationSecuring your EmberJS Application
Securing your EmberJS Application
 

Viewers also liked

Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le netAAT's
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyEli Nesterov
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPEli Nesterov
 
Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy RUY
 
Getting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your WebappGetting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your WebappFrancois Marier
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your ApplicationsAmazon Web Services
 
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...CNIL ..
 
Intervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchandsIntervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchandsNet Design
 

Viewers also liked (13)

Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSP
 
Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy
 
Content security policy
Content security policyContent security policy
Content security policy
 
Getting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your WebappGetting Browsers to Improve the Security of Your Webapp
Getting Browsers to Improve the Security of Your Webapp
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications
 
Security HTTP Headers
Security HTTP HeadersSecurity HTTP Headers
Security HTTP Headers
 
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...
 
Intervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchandsIntervention CNIL : droit des internautes et obligations des e-marchands
Intervention CNIL : droit des internautes et obligations des e-marchands
 

Similar to Content Security Policy featuring ember.js

D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserImperva Incapsula
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSPMuneaki Nishimura
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
Secure coding guidelines for content security policy
Secure coding guidelines for content security policySecure coding guidelines for content security policy
Secure coding guidelines for content security policyvivekanandan r
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policySastry Tumuluri
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Matt Raible
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Matt Raible
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)OWASP EEE
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
HTML / CSS / JS Web basics
HTML / CSS / JS Web basicsHTML / CSS / JS Web basics
HTML / CSS / JS Web basicsbtopro
 
Ignite content security policy
Ignite content security policyIgnite content security policy
Ignite content security policyjstack
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Content Security Policy ByPass
Content Security Policy ByPassContent Security Policy ByPass
Content Security Policy ByPassPawanJaiswal39
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headersdevObjective
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Similar to Content Security Policy featuring ember.js (20)

D3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the BrowserD3LDN17 - Recruiting the Browser
D3LDN17 - Recruiting the Browser
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
Future of Web Security Opened up by CSP
Future of Web Security Opened up by CSPFuture of Web Security Opened up by CSP
Future of Web Security Opened up by CSP
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security Policies
 
Secure coding guidelines for content security policy
Secure coding guidelines for content security policySecure coding guidelines for content security policy
Secure coding guidelines for content security policy
 
2015-04-25-content-security-policy
2015-04-25-content-security-policy2015-04-25-content-security-policy
2015-04-25-content-security-policy
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021
 
Introducing PostCSS
Introducing PostCSSIntroducing PostCSS
Introducing PostCSS
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021
 
[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)[Cluj] CSP (Content Security Policy)
[Cluj] CSP (Content Security Policy)
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
HTML / CSS / JS Web basics
HTML / CSS / JS Web basicsHTML / CSS / JS Web basics
HTML / CSS / JS Web basics
 
Ignite content security policy
Ignite content security policyIgnite content security policy
Ignite content security policy
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Content Security Policy ByPass
Content Security Policy ByPassContent Security Policy ByPass
Content Security Policy ByPass
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Content Security Policy featuring ember.js