HTML5 Security Cheat Sheet - dhruvbhatia
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet

======
UnoriginalGuy
I've tried to get Content Security Policy (CSP) rolled out in our new
development at work, and to be frank I'm starting to lose faith that it is
workable.

We're on report only at the moment, and it seems like every major JavaScript
library depends on Eval() in one way or another (mostly new function()).

Just this week someone wanted to use Angular (1.3.1) and it generates dozens
of CSP reports without ng-csp in the HTML element, but when the attribute
exists $http responses (which depend on function()) aren't working (e.g.
success(function(data, status, headers, config) {}).

Unfortunately Angular's documentation on CSP is a single page with nothing
particularly helpful, and tons of stackoverflow results about Google Chrome
extension development.

This is just the tip of the iceberg. Seems like every single major JavaScript
library (even things you just take for granted) breaks CSP or needs tons of
exceptions.

~~~
homborg
As far as I can tell, there are no issues with the `function` keyword in CSP
mode, but the `Function` constructor, e.g.

`Function("a", "console.log(a);")`

Your example is a callback with an anonymous function.

Do you have any links to discussions about your issue?

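The report-only phase UnoriginalGuy describes produces a stream of `csp-report` JSON documents at the `report-uri` endpoint, and the distinction homborg draws (callbacks are fine, `Function()`/`eval()` are not) shows up in them as `blocked-uri: "eval"`. Below is an added triage script, not from the cheat sheet or any of the commenters, that buckets such reports so you can see which files need `'unsafe-eval'` or a code change; the sample reports are constructed, and it assumes the CSP Level 2 convention that eval violations report `blocked-uri` as `eval` and inline ones as `inline`.

```javascript
// Constructed sample reports in the CSP Level 2 "csp-report" JSON shape
// (assumed: browsers report blocked-uri "eval" for eval()/Function() and
// "inline" for inline scripts; everything else is an absolute URL).
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
      "effective-directive": "script-src", "blocked-uri": "eval",
      "source-file": "https://app.example/js/angular.js", "line-number": 12345 } },
  { "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
      "effective-directive": "script-src", "blocked-uri": "eval",
      "source-file": "https://app.example/js/angular.js", "line-number": 12360 } },
  { "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
      "effective-directive": "script-src", "blocked-uri": "inline",
      "source-file": "https://app.example/", "line-number": 40 } },
  { "csp-report": { "document-uri": "https://app.example/", "violated-directive": "script-src 'self'",
      "effective-directive": "script-src", "blocked-uri": "https://cdn.example/jquery.js" } },
];

// Bucket one report by the directive it violated and what kind of thing was blocked.
function classify(report) {
  const r = report["csp-report"] || report;            // report-uri POST bodies wrap the report
  const blocked = r["blocked-uri"] || "";
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(/\s+/)[0];
  let kind;
  if (blocked === "eval") kind = "eval";               // eval()/Function(): 'unsafe-eval' or a code change
  else if (blocked === "inline") kind = "inline";      // inline <script>, on* handler or javascript: URL
  else if (/^[a-z][a-z0-9+.-]*:/i.test(blocked)) kind = "external"; // a host outside the allowlist
  else kind = "other";
  return { directive, kind, blocked, source: r["source-file"] || r["document-uri"] || "?" };
}

// Aggregate reports so a developer sees which files trigger each violation class.
function summarize(reports) {
  const buckets = new Map();
  for (const rep of reports) {
    const c = classify(rep);
    const key = `${c.directive}/${c.kind}`;
    const b = buckets.get(key) || { count: 0, sources: new Set(), blocked: new Set() };
    b.count += 1;
    b.sources.add(c.source);
    if (c.kind === "external") b.blocked.add(c.blocked);
    buckets.set(key, b);
  }
  const out = {};
  for (const [k, b] of [...buckets].sort((x, y) => x[0].localeCompare(y[0]))) {
    out[k] = { count: b.count, sources: [...b.sources].sort(), blocked: [...b.blocked].sort() };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
}
```

Feed it the JSON bodies your `report-uri` endpoint stores and the `script-src/eval` bucket's `sources` list tells you which library (here the constructed angular.js) is the one reaching for `Function()`.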
------
borski
You can scan for a huge chunk of this with
[https://www.tinfoilsecurity.com](https://www.tinfoilsecurity.com), and we're
adding more every day. Most importantly, you should make it a regular part of
your Dev cycle.

Note: this isn't an ad, it just seemed relevant to those interested in a
"cheat sheet." Automating it by calling out to our API seems really relevant.
:)

~~~
passfree
The problem with your approach is that you are assuming that people are fine
with scanning in production for security issues. While it is true that
everyone does it, this argument falls flat because there are plenty of
systems which will avoid the risk and for good reasons.

~~~
borski
Nope, in fact you can scan in staging or Dev too, by using Bifrost:
[https://www.tinfoilsecurity.com/developer/bifrost](https://www.tinfoilsecurity.com/developer/bifrost)