GitHub's post-CSP journey (githubengineering.com)
A very detailed post which talks about their collaboration with the security consulting firm Cure53 to identify various fairly novel exfiltration techniques, and to adjust their Content-Security-Policy or some aspect of their application to try to mitigate them. This could be a great resource, and is certainly a valuable 'lessons learned'.

But I was also overwhelmed. There's a quip that security is a losing battle, but that wasn't my takeaway -- rather, the knowledge space required to develop and host a web application that accepts user-generated content in a way that won't leak info apparently everywhere is getting too much for generalist developers working alone or in small teams.

The article says CSP seven times in the first two paragraphs without saying what it stands for; it would be much more readable if they did. (It stands for Content Security Policy, for those wondering.)

At a certain point you need to set a baseline expectation of your audience in order to communicate effectively. Do you think they should also explain exploitation, img-src, the mechanics of parsing unmatched quotes, JavaScript or CSRF? The target audience of the article knows what CSP stands for and has most likely been reading the other entries along this journey.

And I had thought it was Communicating Sequential Processes for a second.

To that end, it might be worth spelling out in the title here. I got my hopes up thinking it was about https://en.wikipedia.org/wiki/Communicating_sequential_proce....

Ditto

Apologies for that not being clear. Given that I had linked to the original article in the first sentence, I took the perspective of people knowing which "CSP" I was talking about. I'll update the post in the morning to spell out/link the first CSP reference.

There's even a tag for it: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/ab...

