1
00:00:00,000 --> 00:00:08,039
oh oh yeah so I'm<font color="#E5E5E5"> going to be speaking</font>

2
00:00:03,780 --> 00:00:11,340
in English because I cannot put<font color="#E5E5E5"> to words</font>

3
00:00:08,039 --> 00:00:13,620
in technical Russian anymore since i

4
00:00:11,340 --> 00:00:16,770
moved to us so yeah<font color="#CCCCCC"> i will be talking</font>

5
00:00:13,620 --> 00:00:20,160
about CSP what is CS pcs<font color="#CCCCCC"> P stands for</font>

6
00:00:16,770 --> 00:00:22,140
Canadian staging professionals and like

7
00:00:20,160 --> 00:00:26,099
if you want<font color="#CCCCCC"> to make some money and stop</font>

8
00:00:22,140 --> 00:00:28,800
pushing buttons you can<font color="#CCCCCC"> oh</font><font color="#E5E5E5"> hey whatever</font>

9
00:00:26,099 --> 00:00:30,900
it's a<font color="#E5E5E5"> joke it's just thing is that if</font>

10
00:00:28,800 --> 00:00:33,390
you search for CSP in<font color="#CCCCCC"> Google</font><font color="#E5E5E5"> and switch</font>

11
00:00:30,900 --> 00:00:35,969
the images first thing you<font color="#E5E5E5"> see is this</font>

12
00:00:33,390 --> 00:00:37,739
logo on about Canadian staging

13
00:00:35,969 --> 00:00:40,200
professionals and this this<font color="#E5E5E5"> is some kind</font>

14
00:00:37,739 --> 00:00:43,078
of shady profession where you went where

15
00:00:40,200 --> 00:00:46,020
they teach you how to stage a house when

16
00:00:43,079 --> 00:00:49,710
you sell<font color="#CCCCCC"> it so buyers so you attract</font>

17
00:00:46,020 --> 00:00:51,180
more buyers so yeah we are not going to

18
00:00:49,710 --> 00:00:57,899
talk about<font color="#E5E5E5"> that CSP we're going to talk</font>

19
00:00:51,180 --> 00:01:00,120
about content security policy so<font color="#E5E5E5"> I work</font>

20
00:00:57,899 --> 00:01:03,149
at a company called<font color="#CCCCCC"> shade security and</font>

21
00:01:00,120 --> 00:01:08,189
we we we work on a network appliance

22
00:01:03,149 --> 00:01:09,840
which modifies content modifies HTTP

23
00:01:08,189 --> 00:01:12,809
responses that are<font color="#E5E5E5"> going</font><font color="#CCCCCC"> to the</font>

24
00:01:09,840 --> 00:01:15,350
browser's from a<font color="#E5E5E5"> web server so since we</font>

25
00:01:12,810 --> 00:01:19,259
modify content we need to take care of

26
00:01:15,350 --> 00:01:21,089
CSP if web server is using CSP but

27
00:01:19,259 --> 00:01:26,939
<font color="#E5E5E5">before going there i'll explain what</font>

28
00:01:21,090 --> 00:01:31,530
<font color="#CCCCCC">csps so CSP is a very cool new</font>

29
00:01:26,939 --> 00:01:34,470
technology that mainly fights cross-site

30
00:01:31,530 --> 00:01:35,729
scripting and<font color="#E5E5E5"> help with fighting</font>

31
00:01:34,470 --> 00:01:40,039
cross-site scripting you are addressing

32
00:01:35,729 --> 00:01:45,170
attacks it helps to avoid week's content

33
00:01:40,040 --> 00:01:47,610
vulnerabilities and so main problem

34
00:01:45,170 --> 00:01:50,369
exploited by cross-site scripting is

35
00:01:47,610 --> 00:01:53,220
that browsers cannot distinguish between

36
00:01:50,369 --> 00:01:56,310
screeds that intended to be part of your

37
00:01:53,220 --> 00:01:58,770
web application and scripts that be

38
00:01:56,310 --> 00:02:02,869
maliciously injected by third<font color="#CCCCCC"> party so</font>

39
00:01:58,770 --> 00:02:06,270
what CSP is doing CSP is actually

40
00:02:02,869 --> 00:02:07,950
allowing to disable certain features in

41
00:02:06,270 --> 00:02:10,919
the<font color="#E5E5E5"> browsers for example by default when</font>

42
00:02:07,950 --> 00:02:13,470
your<font color="#E5E5E5"> web page has loads the script from</font>

43
00:02:10,919 --> 00:02:16,589
say jquery<font color="#E5E5E5"> com like you don't</font>

44
00:02:13,470 --> 00:02:19,020
have control over it<font color="#E5E5E5"> right you you just</font>

45
00:02:16,590 --> 00:02:22,230
have a HTML which says script source

46
00:02:19,020 --> 00:02:25,650
equals HTTP whatever<font color="#E5E5E5"> jQuery com so you</font>

47
00:02:22,230 --> 00:02:27,480
cannot that capability of loading that

48
00:02:25,650 --> 00:02:30,180
<font color="#E5E5E5">third-party script is there and there is</font>

49
00:02:27,480 --> 00:02:32,519
<font color="#E5E5E5">no way to disable it so CSP provides a</font>

50
00:02:30,180 --> 00:02:37,140
mechanism to disable certain certain

51
00:02:32,520 --> 00:02:40,940
features just really like brief history

52
00:02:37,140 --> 00:02:46,170
so it was first introduced in 2009 and

53
00:02:40,940 --> 00:02:48,150
so<font color="#E5E5E5"> it's six years but it's not really</font>

54
00:02:46,170 --> 00:02:50,429
popular and play you see on next slide

55
00:02:48,150 --> 00:02:53,250
why it's not<font color="#CCCCCC"> popular but yeah it was</font>

56
00:02:50,430 --> 00:02:58,020
introducing to<font color="#CCCCCC"> say 2009 CSP level one</font>

57
00:02:53,250 --> 00:03:00,630
speck was out in 2012 now CSP<font color="#E5E5E5"> to level</font>

58
00:02:58,020 --> 00:03:08,630
to his current standard and there's

59
00:03:00,630 --> 00:03:12,500
active work being done on CSP level<font color="#CCCCCC"> 3 so</font>

60
00:03:08,630 --> 00:03:15,660
most modern browsers this is for CSP a

61
00:03:12,500 --> 00:03:17,640
level<font color="#CCCCCC"> 1 so</font><font color="#E5E5E5"> basically a every browser</font>

62
00:03:15,660 --> 00:03:21,630
supports<font color="#CCCCCC"> the</font><font color="#E5E5E5"> SP level one except Opera</font>

63
00:03:17,640 --> 00:03:24,049
Mini and CSP level<font color="#CCCCCC"> 2</font><font color="#E5E5E5"> is supported by</font>

64
00:03:21,630 --> 00:03:27,440
chrome and firefox only for now but

65
00:03:24,050 --> 00:03:29,820
other browsers are catching up and

66
00:03:27,440 --> 00:03:33,079
adoption among website so we<font color="#CCCCCC"> scanned</font>

67
00:03:29,820 --> 00:03:36,510
<font color="#CCCCCC">alexa top</font><font color="#E5E5E5"> hundred thousand websites</font>

68
00:03:33,080 --> 00:03:39,600
landing pages<font color="#E5E5E5"> only and only 0.2 percent</font>

69
00:03:36,510 --> 00:03:44,730
are using CSP which is kind<font color="#E5E5E5"> of strange</font>

70
00:03:39,600 --> 00:03:46,200
and many of these policies many of

71
00:03:44,730 --> 00:03:49,470
<font color="#CCCCCC">content security</font><font color="#E5E5E5"> policies are</font>

72
00:03:46,200 --> 00:03:50,970
nonsensical or even broken and basically

73
00:03:49,470 --> 00:03:54,330
we decided to understand like why

74
00:03:50,970 --> 00:03:57,930
adoption is so slow and like what can we

75
00:03:54,330 --> 00:04:02,150
do to<font color="#CCCCCC"> make it faster and like how can we</font>

76
00:03:57,930 --> 00:04:08,459
help people so ok now the actual

77
00:04:02,150 --> 00:04:11,370
<font color="#E5E5E5">explanation wat CSP is so it is a string</font>

78
00:04:08,459 --> 00:04:13,620
that's that can be<font color="#E5E5E5"> delivered either</font>

79
00:04:11,370 --> 00:04:16,430
through HTTP header or as a meta tag on

80
00:04:13,620 --> 00:04:18,959
your<font color="#E5E5E5"> page and basically it's a</font>

81
00:04:16,430 --> 00:04:22,919
discounted security policy header and it

82
00:04:18,959 --> 00:04:26,389
consists of directives and source<font color="#CCCCCC"> with</font>

83
00:04:22,919 --> 00:04:29,240
<font color="#CCCCCC">with directive so for example to limit</font>

84
00:04:26,389 --> 00:04:31,460
<font color="#CCCCCC">where your</font><font color="#E5E5E5"> webpage can load streets you</font>

85
00:04:29,240 --> 00:04:36,020
just<font color="#CCCCCC"> save screech source and you can</font>

86
00:04:31,460 --> 00:04:38,508
have one or more expressions that can be

87
00:04:36,020 --> 00:04:41,299
<font color="#E5E5E5">like scheme source hot sauce or like</font>

88
00:04:38,509 --> 00:04:44,300
keyword source and basically for example

89
00:04:41,300 --> 00:04:47,749
these page says that<font color="#CCCCCC"> these</font><font color="#E5E5E5"> policy says</font>

90
00:04:44,300 --> 00:04:52,610
that I want<font color="#E5E5E5"> to load scripts only from</font>

91
00:04:47,749 --> 00:05:01,490
<font color="#E5E5E5">HTTPS schemes and or only from example</font>

92
00:04:52,610 --> 00:05:03,259
com or only<font color="#CCCCCC"> from myself what happens if</font>

93
00:05:01,490 --> 00:05:05,719
you have multiple expressions so

94
00:05:03,259 --> 00:05:07,789
basically<font color="#E5E5E5"> a spec is saying</font><font color="#CCCCCC"> that you have</font>

95
00:05:05,719 --> 00:05:10,909
<font color="#E5E5E5">too much at least one source expression</font>

96
00:05:07,789 --> 00:05:13,818
to to to match script that you want<font color="#E5E5E5"> to</font>

97
00:05:10,909 --> 00:05:17,050
load and like for example if you<font color="#CCCCCC"> have a</font>

98
00:05:13,819 --> 00:05:20,360
policy that served from a site com and

99
00:05:17,050 --> 00:05:22,849
your web page has a script that's being

100
00:05:20,360 --> 00:05:26,300
loaded from site com it will load

101
00:05:22,849 --> 00:05:28,639
because it<font color="#E5E5E5"> exactly match itself so the</font>

102
00:05:26,300 --> 00:05:31,639
source of the script that we're<font color="#E5E5E5"> testing</font>

103
00:05:28,639 --> 00:05:33,409
it's<font color="#E5E5E5"> exactly the same as</font><font color="#CCCCCC"> the origin from</font>

104
00:05:31,639 --> 00:05:35,120
where are the policies delivered which

105
00:05:33,409 --> 00:05:39,199
is side that<font color="#E5E5E5"> comes so</font><font color="#CCCCCC"> the script will</font>

106
00:05:35,120 --> 00:05:40,639
load<font color="#CCCCCC"> API that side come wouldn't load</font>

107
00:05:39,199 --> 00:05:42,139
because it doesn't match anything it

108
00:05:40,639 --> 00:05:44,689
doesn't match itself it doesn't match

109
00:05:42,139 --> 00:05:48,529
HTTPS and it doesn't match start<font color="#E5E5E5"> at</font>

110
00:05:44,689 --> 00:05:50,389
example.com or HTTPS google that cam

111
00:05:48,529 --> 00:05:53,319
will load because it matches the scheme

112
00:05:50,389 --> 00:05:58,279
it matches<font color="#E5E5E5"> one of the conditions like</font>

113
00:05:53,319 --> 00:06:00,680
<font color="#E5E5E5">HTTPS is ok HTTP example that</font><font color="#CCCCCC"> can also</font>

114
00:05:58,279 --> 00:06:04,250
wouldn't work because policy actually

115
00:06:00,680 --> 00:06:06,620
<font color="#E5E5E5">says that domain name should end with</font>

116
00:06:04,250 --> 00:06:08,509
that example that comment we don't have

117
00:06:06,620 --> 00:06:10,729
<font color="#CCCCCC">that condition the condition is not</font>

118
00:06:08,509 --> 00:06:13,639
satisfied and like a TI example that

119
00:06:10,729 --> 00:06:19,729
come with war because even if it's even

120
00:06:13,639 --> 00:06:21,680
it's over an insecure scheme HTTP but

121
00:06:19,729 --> 00:06:26,919
API that<font color="#E5E5E5"> example.com matches start</font>

122
00:06:21,680 --> 00:06:30,490
example.com like this one will also work

123
00:06:26,919 --> 00:06:30,490
now matching

124
00:06:34,400 --> 00:06:39,750
so if you have a policy that says<font color="#CCCCCC"> script</font>

125
00:06:37,440 --> 00:06:44,670
<font color="#CCCCCC">https what would happen</font><font color="#E5E5E5"> with these three</font>

126
00:06:39,750 --> 00:06:48,270
scripts so obviously like first two

127
00:06:44,670 --> 00:06:50,340
would work because<font color="#E5E5E5"> they match https</font>

128
00:06:48,270 --> 00:06:53,130
scheme and like<font color="#CCCCCC"> a</font><font color="#E5E5E5"> web socket for example</font>

129
00:06:50,340 --> 00:06:56,729
wouldn't work they just like I'm trying

130
00:06:53,130 --> 00:06:58,950
<font color="#E5E5E5">to explain like basics of matching of a</font>

131
00:06:56,730 --> 00:07:03,720
source expression matching say street

132
00:06:58,950 --> 00:07:07,050
says script source as a only allow

133
00:07:03,720 --> 00:07:09,420
scripts<font color="#E5E5E5"> from a</font><font color="#CCCCCC"> comm from domain that</font>

134
00:07:07,050 --> 00:07:14,820
matches a dot-com so what would happen

135
00:07:09,420 --> 00:07:18,650
here<font color="#E5E5E5"> I'm sorry first one is actually</font>

136
00:07:14,820 --> 00:07:21,990
<font color="#E5E5E5">incorrect it should it should work sorry</font>

137
00:07:18,650 --> 00:07:27,390
yeah a comm port 8080 wouldn't work

138
00:07:21,990 --> 00:07:29,820
because because if scheme is not

139
00:07:27,390 --> 00:07:35,669
specified<font color="#CCCCCC"> I have a slide about it but</font>

140
00:07:29,820 --> 00:07:38,159
basically<font color="#E5E5E5"> port in the</font><font color="#CCCCCC"> second source a</font>

141
00:07:35,670 --> 00:07:41,760
second directive assumes that port is

142
00:07:38,160 --> 00:07:44,210
default port for either HTTP or<font color="#E5E5E5"> HTTPS so</font>

143
00:07:41,760 --> 00:07:48,930
it will match on the port 80<font color="#E5E5E5"> and 443</font>

144
00:07:44,210 --> 00:07:54,060
with according with corresponding

145
00:07:48,930 --> 00:07:55,920
schemes this one is important so if you

146
00:07:54,060 --> 00:07:58,980
have a<font color="#E5E5E5"> past part in your source</font>

147
00:07:55,920 --> 00:08:01,770
expression and it<font color="#CCCCCC"> doesn't end with a</font>

148
00:07:58,980 --> 00:08:05,940
forward slash that means there has to be

149
00:08:01,770 --> 00:08:07,919
exact match so you're literally means

150
00:08:05,940 --> 00:08:09,630
<font color="#CCCCCC">that there must be exact match so</font>

151
00:08:07,920 --> 00:08:11,550
<font color="#E5E5E5">basically a that comes fledgeby would</font>

152
00:08:09,630 --> 00:08:14,460
work and<font color="#E5E5E5"> anything else wouldn't work</font>

153
00:08:11,550 --> 00:08:16,620
because there is no exact match and if

154
00:08:14,460 --> 00:08:18,960
your path ends with / that means

155
00:08:16,620 --> 00:08:24,990
anything that<font color="#E5E5E5"> contains that path and</font>

156
00:08:18,960 --> 00:08:27,030
domain name would work so basically yeah

157
00:08:24,990 --> 00:08:28,620
a dot-com that bead wouldn't work

158
00:08:27,030 --> 00:08:31,229
because there is no exact match but

159
00:08:28,620 --> 00:08:34,380
anything that that contains a that<font color="#E5E5E5"> come</font>

160
00:08:31,230 --> 00:08:36,570
/ be / good match basically yeah that's

161
00:08:34,380 --> 00:08:40,559
the rules<font color="#CCCCCC"> and it's not</font><font color="#E5E5E5"> really clear</font><font color="#CCCCCC"> from</font>

162
00:08:36,570 --> 00:08:42,140
the spec types of resources<font color="#E5E5E5"> that you can</font>

163
00:08:40,559 --> 00:08:44,939
restrict<font color="#E5E5E5"> with content security policy</font>

164
00:08:42,140 --> 00:08:48,420
it's like script style images for

165
00:08:44,940 --> 00:08:51,330
mounts form action is where your form

166
00:08:48,420 --> 00:08:53,250
submission can go and like child sources

167
00:08:51,330 --> 00:08:56,910
is for like all the child's like

168
00:08:53,250 --> 00:08:59,540
basically the frames<font color="#E5E5E5"> frame source is</font>

169
00:08:56,910 --> 00:09:01,890
obsolete directive and it's going<font color="#E5E5E5"> to go</font>

170
00:08:59,540 --> 00:09:03,569
it's going to disappear in CSP level

171
00:09:01,890 --> 00:09:05,910
<font color="#E5E5E5">three and it's replaced by child</font>

172
00:09:03,570 --> 00:09:08,280
actually object is for objects connect

173
00:09:05,910 --> 00:09:10,680
is where your<font color="#CCCCCC"> xmlhttprequest</font><font color="#E5E5E5"> or like web</font>

174
00:09:08,280 --> 00:09:15,360
sockets<font color="#E5E5E5"> can connect to a media and base</font>

175
00:09:10,680 --> 00:09:17,250
and<font color="#CCCCCC"> sort of self-explanatory these are</font>

176
00:09:15,360 --> 00:09:20,490
directives that are accepting source

177
00:09:17,250 --> 00:09:22,500
lists as a as like arguments and there

178
00:09:20,490 --> 00:09:23,850
are three other types of directives that

179
00:09:22,500 --> 00:09:27,090
the frame ancestors is basically

180
00:09:23,850 --> 00:09:29,520
replacement for extreme options media

181
00:09:27,090 --> 00:09:34,800
type is you can list what plug in what

182
00:09:29,520 --> 00:09:39,360
mimetypes your web application can can

183
00:09:34,800 --> 00:09:40,349
can contain and report to<font color="#E5E5E5"> our eyes will</font>

184
00:09:39,360 --> 00:09:42,900
come back<font color="#CCCCCC"> to report view our eyes</font>

185
00:09:40,350 --> 00:09:46,250
basically where your<font color="#E5E5E5"> violation the CSP</font>

186
00:09:42,900 --> 00:09:49,920
violation reports are going to be sent

187
00:09:46,250 --> 00:09:52,230
there are four key words in CSP<font color="#E5E5E5"> it's we</font>

188
00:09:49,920 --> 00:09:56,280
saw self which is<font color="#E5E5E5"> basically itself is</font>

189
00:09:52,230 --> 00:09:58,500
the alias for the origin from where your

190
00:09:56,280 --> 00:10:00,329
content security policy is coming there

191
00:09:58,500 --> 00:10:03,420
is<font color="#E5E5E5"> keyword none there's keyword unsafe</font>

192
00:10:00,330 --> 00:10:07,800
inline and<font color="#E5E5E5"> I sunsafe eval and last two</font>

193
00:10:03,420 --> 00:10:10,920
are pretty like<font color="#E5E5E5"> dangerous and should be</font>

194
00:10:07,800 --> 00:10:13,050
<font color="#CCCCCC">used with great like ocean and here's</font>

195
00:10:10,920 --> 00:10:15,240
some example like for example if you

196
00:10:13,050 --> 00:10:17,699
have script source none and style source

197
00:10:15,240 --> 00:10:20,520
none it basically means that<font color="#E5E5E5"> you do not</font>

198
00:10:17,700 --> 00:10:22,440
allow any streets to be any<font color="#CCCCCC"> third-party</font>

199
00:10:20,520 --> 00:10:25,310
<font color="#E5E5E5">any external scripts or styles to be</font>

200
00:10:22,440 --> 00:10:34,820
loaded<font color="#CCCCCC"> by your web page so basically</font>

201
00:10:25,310 --> 00:10:36,869
none of this HTML elements would work

202
00:10:34,820 --> 00:10:41,880
<font color="#CCCCCC">would be evaluated by the browser</font>

203
00:10:36,870 --> 00:10:44,280
basically it will<font color="#E5E5E5"> not load any script</font>

204
00:10:41,880 --> 00:10:48,290
from<font color="#CCCCCC"> third party it wouldn't let</font><font color="#E5E5E5"> any in</font>

205
00:10:44,280 --> 00:10:54,350
line screeches like event handlers and

206
00:10:48,290 --> 00:10:56,730
it also doesn't let any string to

207
00:10:54,350 --> 00:10:58,300
<font color="#E5E5E5">JavaScript interpretations basically</font>

208
00:10:56,730 --> 00:11:02,570
evaluation is not

209
00:10:58,300 --> 00:11:05,149
allowed so it's kind of<font color="#E5E5E5"> like safe thing</font>

210
00:11:02,570 --> 00:11:08,089
to do like non<font color="#CCCCCC"> keyword is safe to use if</font>

211
00:11:05,149 --> 00:11:10,579
that's what you want unsafe inline

212
00:11:08,089 --> 00:11:12,680
basically it's why at least<font color="#E5E5E5"> it allow it</font>

213
00:11:10,579 --> 00:11:16,579
makes an exception and it allows an

214
00:11:12,680 --> 00:11:19,099
inline script to appear in your your<font color="#E5E5E5"> web</font>

215
00:11:16,579 --> 00:11:20,719
<font color="#E5E5E5">page and basically that means that if</font>

216
00:11:19,100 --> 00:11:25,579
you<font color="#E5E5E5"> have street store a good source star</font>

217
00:11:20,720 --> 00:11:28,100
unsafe inline means that you let scripts

218
00:11:25,579 --> 00:11:30,109
to be<font color="#E5E5E5"> loaded from anywhere and you also</font>

219
00:11:28,100 --> 00:11:32,329
allow unsafe inline which is basically

220
00:11:30,110 --> 00:11:34,370
power cross-site scripting appear on

221
00:11:32,329 --> 00:11:36,349
your<font color="#E5E5E5"> web page so close i sleeping</font>

222
00:11:34,370 --> 00:11:41,889
payloads appear on your web page and

223
00:11:36,350 --> 00:11:45,639
basically that means that it still loads

224
00:11:41,889 --> 00:11:48,529
scripts from any third party it allows

225
00:11:45,639 --> 00:11:51,800
inline scripts as like event handlers

226
00:11:48,529 --> 00:11:53,779
but it doesn't allow eval and to allow

227
00:11:51,800 --> 00:11:58,540
eval you need to actually use unsafe

228
00:11:53,779 --> 00:12:01,819
eval<font color="#E5E5E5"> well go faster over this basically</font>

229
00:11:58,540 --> 00:12:04,760
try to avoid using these keywords unsafe

230
00:12:01,819 --> 00:12:08,329
inline and<font color="#E5E5E5"> unsafe</font><font color="#CCCCCC"> evil which means you</font>

231
00:12:04,760 --> 00:12:11,149
don't it's better not to<font color="#E5E5E5"> have any inline</font>

232
00:12:08,329 --> 00:12:15,170
scripts on your<font color="#E5E5E5"> web page to allow in the</font>

233
00:12:11,149 --> 00:12:17,779
first time if you still have to<font color="#E5E5E5"> have a</font>

234
00:12:15,170 --> 00:12:19,550
script on your<font color="#E5E5E5"> web page inline script or</font>

235
00:12:17,779 --> 00:12:21,769
inline style on your web page you<font color="#E5E5E5"> can</font>

236
00:12:19,550 --> 00:12:24,920
like granularly white wisdom either

237
00:12:21,769 --> 00:12:26,420
through specifying a hash of<font color="#E5E5E5"> the content</font>

238
00:12:24,920 --> 00:12:29,389
that<font color="#E5E5E5"> you want</font><font color="#CCCCCC"> to appear</font><font color="#E5E5E5"> on your web page</font>

239
00:12:26,420 --> 00:12:32,360
for<font color="#CCCCCC"> example if you have to have an</font>

240
00:12:29,389 --> 00:12:36,319
onclick handler for example<font color="#CCCCCC"> you can</font>

241
00:12:32,360 --> 00:12:40,010
calculate<font color="#E5E5E5"> the digest shut 256 for</font>

242
00:12:36,319 --> 00:12:41,599
example digest and you put that value

243
00:12:40,010 --> 00:12:45,889
that you calculated in your actual

244
00:12:41,600 --> 00:12:49,040
content security policy and only inline

245
00:12:45,889 --> 00:12:52,130
script whose digest matches whatever you

246
00:12:49,040 --> 00:12:54,050
declared in your HTTP header in common

247
00:12:52,130 --> 00:12:56,660
security policy would be evaluated

248
00:12:54,050 --> 00:13:01,790
anything else will be just blocked and

249
00:12:56,660 --> 00:13:04,519
it's it's useful when you when you<font color="#CCCCCC"> don't</font>

250
00:13:01,790 --> 00:13:05,750
have dynamic content but if<font color="#E5E5E5"> you're for</font>

251
00:13:04,519 --> 00:13:08,060
example if you are your<font color="#CCCCCC"> webpage is</font>

252
00:13:05,750 --> 00:13:11,200
serving different streets for per user

253
00:13:08,060 --> 00:13:13,750
agent or like / platform you cannot even

254
00:13:11,200 --> 00:13:15,880
you<font color="#CCCCCC"> still can have multiple hashes</font>

255
00:13:13,750 --> 00:13:18,280
declared in your content security policy

256
00:13:15,880 --> 00:13:20,050
but it's not a<font color="#E5E5E5"> good idea and there's</font>

257
00:13:18,280 --> 00:13:22,720
another mechanism<font color="#CCCCCC"> nonce based mechanism</font>

258
00:13:20,050 --> 00:13:27,969
known since number used ones so you

259
00:13:22,720 --> 00:13:31,000
generate a random number and you put

260
00:13:27,970 --> 00:13:34,660
actually a script attribute in your HTML

261
00:13:31,000 --> 00:13:37,660
page saying nonce and equals but random

262
00:13:34,660 --> 00:13:39,130
value and you have the same notes in

263
00:13:37,660 --> 00:13:42,310
your<font color="#E5E5E5"> header and if they match browser</font>

264
00:13:39,130 --> 00:13:52,780
would let<font color="#CCCCCC"> it work and it doesn't match</font>

265
00:13:42,310 --> 00:13:58,689
it browser<font color="#E5E5E5"> just boxing what I wanted</font><font color="#CCCCCC"> to</font>

266
00:13:52,780 --> 00:14:00,970
say with this<font color="#E5E5E5"> slide is that there is</font>

267
00:13:58,690 --> 00:14:03,940
default source directive<font color="#E5E5E5"> and if you</font>

268
00:14:00,970 --> 00:14:06,760
don't explicitly specify a resource type

269
00:14:03,940 --> 00:14:08,200
directive the<font color="#E5E5E5"> value for that for the</font>

270
00:14:06,760 --> 00:14:14,920
directive will be derived from default

271
00:14:08,200 --> 00:14:16,390
source so which means which means if you

272
00:14:14,920 --> 00:14:18,579
don't have for example phone source

273
00:14:16,390 --> 00:14:19,990
declared in your policy the value<font color="#CCCCCC"> for</font>

274
00:14:18,580 --> 00:14:23,200
phone source will be derived from

275
00:14:19,990 --> 00:14:31,600
default source and yeah the same thing

276
00:14:23,200 --> 00:14:33,730
for any source type directly now we

277
00:14:31,600 --> 00:14:36,550
<font color="#CCCCCC">learned that</font><font color="#E5E5E5"> if you have multiple source</font>

278
00:14:33,730 --> 00:14:38,920
expressions in one single directive you

279
00:14:36,550 --> 00:14:41,140
have to match any<font color="#E5E5E5"> of them like there</font>

280
00:14:38,920 --> 00:14:44,380
<font color="#E5E5E5">must be a match with any of the</font>

281
00:14:41,140 --> 00:14:48,490
expressions to let the resource load to

282
00:14:44,380 --> 00:14:50,830
be<font color="#CCCCCC"> loaded so now what if you have say</font>

283
00:14:48,490 --> 00:14:53,440
like your network infrastructure is that

284
00:14:50,830 --> 00:15:00,690
is in such a way that you for example

285
00:14:53,440 --> 00:15:03,520
<font color="#CCCCCC">have a edge devices that add some some</font>

286
00:15:00,690 --> 00:15:04,810
some default content security policy and

287
00:15:03,520 --> 00:15:07,510
<font color="#E5E5E5">then other web</font><font color="#CCCCCC"> servers actual</font>

288
00:15:04,810 --> 00:15:10,239
application web servers are appending

289
00:15:07,510 --> 00:15:11,740
are actually defining content security

290
00:15:10,240 --> 00:15:15,310
policy that's specific to this

291
00:15:11,740 --> 00:15:16,780
particular webpage so technically yeah

292
00:15:15,310 --> 00:15:19,390
you can<font color="#CCCCCC"> have multiple content security</font>

293
00:15:16,780 --> 00:15:21,939
policies but<font color="#CCCCCC"> there is a caveat that in</font>

294
00:15:19,390 --> 00:15:24,670
this case<font color="#E5E5E5"> you actually have to match</font>

295
00:15:21,940 --> 00:15:27,580
every single content security policy

296
00:15:24,670 --> 00:15:30,219
you have in your that you declare to

297
00:15:27,580 --> 00:15:36,040
allow<font color="#E5E5E5"> the web page to</font><font color="#CCCCCC"> flow the resource</font>

298
00:15:30,220 --> 00:15:38,170
basically in this case what would<font color="#E5E5E5"> it be</font>

299
00:15:36,040 --> 00:15:40,209
like<font color="#E5E5E5"> the only matching URL that would</font>

300
00:15:38,170 --> 00:15:47,260
satisfy all three policies<font color="#E5E5E5"> would be</font>

301
00:15:40,210 --> 00:15:51,520
something like HTTPS API that

302
00:15:47,260 --> 00:15:53,860
example.com and only in case if self is

303
00:15:51,520 --> 00:15:55,810
also coming from example.com basically

304
00:15:53,860 --> 00:15:58,110
what you you'll see later how<font color="#E5E5E5"> does work</font>

305
00:15:55,810 --> 00:16:00,189
and<font color="#CCCCCC"> or you can combine actually a</font>

306
00:15:58,110 --> 00:16:03,250
multiple content security policy headers

307
00:16:00,190 --> 00:16:05,560
as a single header with comma separated

308
00:16:03,250 --> 00:16:07,750
values<font color="#E5E5E5"> it's it's not CSP think it's like</font>

309
00:16:05,560 --> 00:16:10,300
HTTP think that you can<font color="#E5E5E5"> combine any HTTP</font>

310
00:16:07,750 --> 00:16:12,340
header any multiple HTTP headers into

311
00:16:10,300 --> 00:16:15,240
single HTTP header with comma separated

312
00:16:12,340 --> 00:16:20,190
values it's also applicable to CSP and

313
00:16:15,240 --> 00:16:24,040
<font color="#CCCCCC">basically these are two equivalent but</font>

314
00:16:20,190 --> 00:16:27,940
<font color="#E5E5E5">yes unfortunately you don't see much</font>

315
00:16:24,040 --> 00:16:31,030
here but the point of this slide is you

316
00:16:27,940 --> 00:16:35,590
cannot basically if you try<font color="#E5E5E5"> to combine</font>

317
00:16:31,030 --> 00:16:36,760
policies by just concatenating them it's

318
00:16:35,590 --> 00:16:38,890
going to<font color="#E5E5E5"> be like different policies</font>

319
00:16:36,760 --> 00:16:45,280
because in first case you<font color="#CCCCCC"> have to match</font>

320
00:16:38,890 --> 00:16:47,380
a every single source expression and in

321
00:16:45,280 --> 00:16:49,000
case<font color="#CCCCCC"> of second policy like it becomes</font>

322
00:16:47,380 --> 00:16:51,189
normal policy and<font color="#CCCCCC"> you have to match only</font>

323
00:16:49,000 --> 00:16:52,810
like any of the source expression so

324
00:16:51,190 --> 00:16:58,810
these are different policies they have

325
00:16:52,810 --> 00:17:03,369
different semantics yeah speaking<font color="#E5E5E5"> about</font>

326
00:16:58,810 --> 00:17:05,619
semantics as<font color="#E5E5E5"> I said like if there is no</font>

327
00:17:03,370 --> 00:17:08,349
explicit declaration of our resource

328
00:17:05,619 --> 00:17:10,569
type directive its value<font color="#CCCCCC"> will be derived</font>

329
00:17:08,349 --> 00:17:12,129
from default source so now if we<font color="#E5E5E5"> have</font>

330
00:17:10,569 --> 00:17:14,550
for example a Content security policy

331
00:17:12,130 --> 00:17:18,340
that declares every single possible

332
00:17:14,550 --> 00:17:20,369
source type so we have scripts or style

333
00:17:18,339 --> 00:17:24,550
source image<font color="#CCCCCC"> pawn child connect object</font>

334
00:17:20,369 --> 00:17:27,310
that means that<font color="#E5E5E5"> default source doesn't</font>

335
00:17:24,550 --> 00:17:29,500
have any<font color="#E5E5E5"> meaning in this case so ABC is</font>

336
00:17:27,310 --> 00:17:31,149
like not<font color="#E5E5E5"> used by buy any of them because</font>

337
00:17:29,500 --> 00:17:33,250
like every single policy is overriding

338
00:17:31,150 --> 00:17:36,520
the<font color="#E5E5E5"> value so basically</font><font color="#CCCCCC"> that means that</font>

339
00:17:33,250 --> 00:17:38,080
you can since all of this sub sub

340
00:17:36,520 --> 00:17:40,179
resource directives

341
00:17:38,080 --> 00:17:44,949
are saying that<font color="#E5E5E5"> I'm allowing</font><font color="#CCCCCC"> a day that</font>

342
00:17:40,179 --> 00:17:47,620
that only domain origin DS allowed so

343
00:17:44,950 --> 00:17:49,539
basically<font color="#CCCCCC"> you can express the same thing</font>

344
00:17:47,620 --> 00:17:51,610
yes by just saying defaults or<font color="#E5E5E5"> D and</font>

345
00:17:49,539 --> 00:17:52,929
they have the<font color="#E5E5E5"> same semantics but the</font>

346
00:17:51,610 --> 00:18:01,000
grammar is like completely different

347
00:17:52,929 --> 00:18:03,610
right so yeah if<font color="#CCCCCC"> non if you skip none</font>

348
00:18:01,000 --> 00:18:07,080
that means that basically empty list of

349
00:18:03,610 --> 00:18:15,820
source expressions is the same as none

350
00:18:07,080 --> 00:18:20,830
and the same thing is with default here

351
00:18:15,820 --> 00:18:24,370
<font color="#E5E5E5">is how spec interprets if you do</font><font color="#CCCCCC"> not</font>

352
00:18:20,830 --> 00:18:27,029
specify the scheme so basically<font color="#E5E5E5"> these</font>

353
00:18:24,370 --> 00:18:29,939
three directives are semantically are

354
00:18:27,029 --> 00:18:35,470
semantically equivalent because

355
00:18:29,940 --> 00:18:38,169
example.com if the third one scheme is

356
00:18:35,470 --> 00:18:40,929
missing and spec is like in very long

357
00:18:38,169 --> 00:18:43,929
sentence with like I don't<font color="#E5E5E5"> know</font><font color="#CCCCCC"> 1234</font>

358
00:18:40,929 --> 00:18:46,750
with four negations it defines what you

359
00:18:43,929 --> 00:18:48,730
should do if scheme is missing and but

360
00:18:46,750 --> 00:18:51,490
basically what is it saying that default

361
00:18:48,730 --> 00:18:53,710
scheme if it's missing its HTTP and like

362
00:18:51,490 --> 00:18:59,080
this is an example of how spec is not

363
00:18:53,710 --> 00:19:01,600
really like easy<font color="#E5E5E5"> to interpret and yeah</font>

364
00:18:59,080 --> 00:19:05,139
if you have a poor if you have a scheme

365
00:19:01,600 --> 00:19:07,750
and missing port then<font color="#CCCCCC"> a default port</font>

366
00:19:05,139 --> 00:19:09,729
will be assumed to<font color="#E5E5E5"> be there like for</font>

367
00:19:07,750 --> 00:19:12,639
HTTP it's going to be a tht<font color="#CCCCCC"> ps4 for</font>

368
00:19:09,730 --> 00:19:14,320
<font color="#CCCCCC">three and web sockets 8443 a spec also</font>

369
00:19:12,639 --> 00:19:18,279
<font color="#E5E5E5">defines gopher but like who is using go</font>

370
00:19:14,320 --> 00:19:21,070
for these days for most permissive

371
00:19:18,279 --> 00:19:24,340
policy like most of the content security

372
00:19:21,070 --> 00:19:27,189
policy 101 blog posts or like tutorials

373
00:19:24,340 --> 00:19:29,709
are saying that most permissive policies

374
00:19:27,190 --> 00:19:32,559
like defaults or star which means that

375
00:19:29,710 --> 00:19:34,870
<font color="#E5E5E5">any source and any resource tab can be</font>

376
00:19:32,559 --> 00:19:38,408
loaded from anywhere but it's<font color="#CCCCCC"> actually</font>

377
00:19:34,870 --> 00:19:41,229
not true because even defaults or star

378
00:19:38,409 --> 00:19:44,080
is still not allowing inline scripts or

379
00:19:41,230 --> 00:19:46,389
it doesn't allow data URLs or file

380
00:19:44,080 --> 00:19:48,460
system URLs or<font color="#CCCCCC"> blog so basically</font><font color="#E5E5E5"> most</font>

381
00:19:46,389 --> 00:19:50,770
permissive policy is actually this one

382
00:19:48,460 --> 00:19:51,549
that the lower one is the false or star

383
00:19:50,770 --> 00:19:55,539
unsafe in

384
00:19:51,549 --> 00:20:02,049
and<font color="#E5E5E5"> safety valve and it's exactly the</font>

385
00:19:55,539 --> 00:20:03,850
same as like not having the policy on

386
00:20:02,049 --> 00:20:06,850
the other<font color="#E5E5E5"> hand most restrictive policy</font>

387
00:20:03,850 --> 00:20:10,330
is going to be default source<font color="#CCCCCC"> none so</font>

388
00:20:06,850 --> 00:20:12,699
missing<font color="#CCCCCC"> nom means like empties</font>

389
00:20:10,330 --> 00:20:15,580
expression source suppression list means

390
00:20:12,700 --> 00:20:17,320
none before such none but since frame

391
00:20:15,580 --> 00:20:20,918
ancestors and like form action and

392
00:20:17,320 --> 00:20:22,689
sandbox are not derived from the default

393
00:20:20,919 --> 00:20:24,129
source you<font color="#E5E5E5"> have to explicitly specify</font>

394
00:20:22,690 --> 00:20:26,289
them because by default if you don't

395
00:20:24,129 --> 00:20:28,689
specify<font color="#E5E5E5"> say form action it is star</font>

396
00:20:26,289 --> 00:20:31,149
meaning form can be<font color="#E5E5E5"> submitted anywhere</font>

397
00:20:28,690 --> 00:20:32,409
or frame ancestors is also start by

398
00:20:31,149 --> 00:20:35,080
default if you don't explicitly

399
00:20:32,409 --> 00:20:37,389
specified in the policy any website can

400
00:20:35,080 --> 00:20:44,199
load your<font color="#E5E5E5"> web page you can load your web</font>

401
00:20:37,389 --> 00:20:47,229
page in a frame<font color="#CCCCCC"> post source I don't</font>

402
00:20:44,200 --> 00:20:49,059
<font color="#E5E5E5">remember what is this</font><font color="#CCCCCC"> ok so there's</font><font color="#E5E5E5"> one</font>

403
00:20:47,230 --> 00:20:52,409
exception<font color="#CCCCCC"> the kinect source is basically</font>

404
00:20:49,059 --> 00:20:55,149
not about voting resources but about

405
00:20:52,409 --> 00:20:57,549
connecting making connections from your

406
00:20:55,149 --> 00:21:02,619
<font color="#E5E5E5">website and connect source is a</font>

407
00:20:57,549 --> 00:21:04,779
responsible<font color="#CCCCCC"> two or more to control where</font>

408
00:21:02,619 --> 00:21:09,779
your website can connect to so basically

409
00:21:04,779 --> 00:21:12,220
self and<font color="#E5E5E5"> HTTPS served by example</font><font color="#CCCCCC"> com</font>

410
00:21:09,779 --> 00:21:14,230
it's the same rule like any of the

411
00:21:12,220 --> 00:21:15,700
source expression should match so

412
00:21:14,230 --> 00:21:17,559
example that come for example<font color="#E5E5E5"> doesn't</font>

413
00:21:15,700 --> 00:21:20,559
match anything scheme doesn't match it

414
00:21:17,559 --> 00:21:23,168
doesn't match<font color="#E5E5E5"> itself because because</font>

415
00:21:20,559 --> 00:21:25,389
<font color="#E5E5E5">self is actually</font><font color="#CCCCCC"> https example.com it's</font>

416
00:21:23,169 --> 00:21:27,759
like origin and we're trying to connect

417
00:21:25,389 --> 00:21:32,408
to http so connection will not be

418
00:21:27,759 --> 00:21:35,080
allowed<font color="#CCCCCC"> https example that</font><font color="#E5E5E5"> come port</font>

419
00:21:32,409 --> 00:21:37,869
8080 will also not be allowed because it

420
00:21:35,080 --> 00:21:40,439
assumes that if<font color="#E5E5E5"> you don't specify the</font>

421
00:21:37,869 --> 00:21:45,668
port then port has to be four 4 3 four

422
00:21:40,440 --> 00:21:47,919
<font color="#CCCCCC">HTTPS schemes on the other end this</font><font color="#E5E5E5"> one</font>

423
00:21:45,669 --> 00:21:49,929
would<font color="#E5E5E5"> work because it matches the origin</font>

424
00:21:47,919 --> 00:21:54,759
<font color="#CCCCCC">except it's the same itself so it is</font>

425
00:21:49,929 --> 00:21:57,279
<font color="#E5E5E5">allowed myself this one is also allowed</font>

426
00:21:54,759 --> 00:21:59,350
because 443 like it's the same<font color="#CCCCCC"> as</font><font color="#E5E5E5"> not</font>

427
00:21:57,279 --> 00:22:01,600
specifying 443 because default port for

428
00:21:59,350 --> 00:22:03,408
<font color="#CCCCCC">HTTPS is</font><font color="#E5E5E5"> 443 according to content</font>

429
00:22:01,600 --> 00:22:05,820
security policy spec

430
00:22:03,409 --> 00:22:09,840
websocket wouldn't work because we don't

431
00:22:05,820 --> 00:22:14,960
allow web socket by any of the source

432
00:22:09,840 --> 00:22:14,959
expressions the same<font color="#E5E5E5"> is with this</font><font color="#CCCCCC"> guy</font>

433
00:22:15,289 --> 00:22:21,240
some GSP examples from real world<font color="#E5E5E5"> this</font>

434
00:22:18,809 --> 00:22:26,370
<font color="#E5E5E5">is actually</font><font color="#CCCCCC"> like CSP a little simplified</font>

435
00:22:21,240 --> 00:22:31,649
CSP that served by CNN it's pretty bad

436
00:22:26,370 --> 00:22:34,949
because they're not only allowing

437
00:22:31,649 --> 00:22:36,989
anything<font color="#E5E5E5"> from anywhere there for some</font>

438
00:22:34,950 --> 00:22:39,380
reason duplicating the same data because

439
00:22:36,990 --> 00:22:42,419
basically in<font color="#E5E5E5"> script swords are saying we</font>

440
00:22:39,380 --> 00:22:44,460
allow scripts to be<font color="#E5E5E5"> loaded from</font>

441
00:22:42,419 --> 00:22:47,429
everywhere and from self which<font color="#CCCCCC"> is</font>

442
00:22:44,460 --> 00:22:49,710
already nonsensical but on top of that

443
00:22:47,429 --> 00:22:54,029
they allow unsafe eval and unsafe inline

444
00:22:49,710 --> 00:22:56,669
and plus they allow data URI for images

445
00:22:54,029 --> 00:23:00,409
so basically it's better not to<font color="#E5E5E5"> have any</font>

446
00:22:56,669 --> 00:23:03,570
policy than to have<font color="#E5E5E5"> something like</font><font color="#CCCCCC"> this</font>

447
00:23:00,409 --> 00:23:07,470
another example is it's actually some

448
00:23:03,570 --> 00:23:11,340
<font color="#E5E5E5">Russian website this is the content</font>

449
00:23:07,470 --> 00:23:12,990
security policy it serves its pretty

450
00:23:11,340 --> 00:23:18,510
long and I'm sure it can<font color="#CCCCCC"> be like</font>

451
00:23:12,990 --> 00:23:21,240
optimized another like maybe worst

452
00:23:18,510 --> 00:23:26,610
policy ever it's served by<font color="#E5E5E5"> armed com</font>

453
00:23:21,240 --> 00:23:29,220
actually they<font color="#CCCCCC"> said allow directive name</font>

454
00:23:26,610 --> 00:23:32,428
which is deprecated<font color="#E5E5E5"> and allow actually</font>

455
00:23:29,220 --> 00:23:34,230
never made into official CSP spec and it

456
00:23:32,429 --> 00:23:36,720
was just experimental<font color="#E5E5E5"> feature for fire</font>

457
00:23:34,230 --> 00:23:38,429
implemented by Firefox and they use

458
00:23:36,720 --> 00:23:40,320
frame ancestors and frame ancestors

459
00:23:38,429 --> 00:23:42,419
directive was introduced<font color="#CCCCCC"> by CSP level 2</font>

460
00:23:40,320 --> 00:23:44,820
and for<font color="#CCCCCC"> example</font><font color="#E5E5E5"> Safari doesn't know what</font>

461
00:23:42,419 --> 00:23:46,559
frame ancestors is and Safari doesn't

462
00:23:44,820 --> 00:23:49,710
know what allow is because allowed never

463
00:23:46,559 --> 00:23:52,110
made<font color="#E5E5E5"> into</font><font color="#CCCCCC"> the spec so this policy served</font>

464
00:23:49,710 --> 00:24:00,059
by<font color="#CCCCCC"> arm com is actually like doing</font>

465
00:23:52,110 --> 00:24:03,479
nothing at all some error handling by

466
00:24:00,059 --> 00:24:06,750
browsers and this is pretty<font color="#E5E5E5"> big issue</font>

467
00:24:03,480 --> 00:24:12,000
like for example if you have<font color="#CCCCCC"> okay any</font>

468
00:24:06,750 --> 00:24:13,770
HTTP header cannot contain non-ascii

469
00:24:12,000 --> 00:24:16,409
characters pretty much like if we

470
00:24:13,770 --> 00:24:16,830
generalize then CSP is not an exception

471
00:24:16,409 --> 00:24:18,600
like you

472
00:24:16,830 --> 00:24:21,168
cannot have known ASCII characters in

473
00:24:18,600 --> 00:24:23,539
CSP and if you put<font color="#E5E5E5"> something like</font>

474
00:24:21,169 --> 00:24:26,190
something outside of<font color="#CCCCCC"> a ski range</font>

475
00:24:23,539 --> 00:24:28,830
actually browsers behave pretty

476
00:24:26,190 --> 00:24:31,830
differently a chrome will ignore the

477
00:24:28,830 --> 00:24:34,980
entire policy I entire directive and

478
00:24:31,830 --> 00:24:37,710
<font color="#CCCCCC">Firefox will ignore the the particular</font>

479
00:24:34,980 --> 00:24:40,649
token that has a problem and will still

480
00:24:37,710 --> 00:24:43,409
parse the rest of the tokens for example

481
00:24:40,649 --> 00:24:44,908
if you have scripts or self and<font color="#E5E5E5"> foo in</font>

482
00:24:43,409 --> 00:24:46,590
case of<font color="#CCCCCC"> chrome everything will</font><font color="#E5E5E5"> be</font>

483
00:24:44,909 --> 00:24:49,440
ignored<font color="#E5E5E5"> and like scripts</font><font color="#CCCCCC"> from everywhere</font>

484
00:24:46,590 --> 00:24:52,610
we are allowed to be load it and in case

485
00:24:49,440 --> 00:24:54,840
of<font color="#CCCCCC"> firefox self will still be enforced</font>

486
00:24:52,610 --> 00:24:56,760
it's actually a bug because<font color="#E5E5E5"> spec is</font>

487
00:24:54,840 --> 00:25:00,658
clear<font color="#E5E5E5"> on this and spec says that just</font>

488
00:24:56,760 --> 00:25:02,879
ignore the problematic token and keep

489
00:25:00,659 --> 00:25:07,580
the<font color="#E5E5E5"> rest keep-keep other source</font>

490
00:25:02,880 --> 00:25:10,049
expressions and firefox to didn't fix it

491
00:25:07,580 --> 00:25:14,010
another box that<font color="#E5E5E5"> we like we reported</font>

492
00:25:10,049 --> 00:25:16,379
<font color="#CCCCCC">panel</font><font color="#E5E5E5"> 15</font><font color="#CCCCCC"> bags on Chrome these two are</font>

493
00:25:14,010 --> 00:25:20,850
actually security bugs they're figs<font color="#E5E5E5"> but</font>

494
00:25:16,380 --> 00:25:22,760
they still haven't removed the security

495
00:25:20,850 --> 00:25:24,990
flag from the box so you<font color="#E5E5E5"> cannot see it</font>

496
00:25:22,760 --> 00:25:26,490
it's not<font color="#E5E5E5"> available to everybody but for</font>

497
00:25:24,990 --> 00:25:29,190
example this is<font color="#CCCCCC"> I think</font><font color="#E5E5E5"> it's pretty big</font>

498
00:25:26,490 --> 00:25:31,230
spec is saying that<font color="#E5E5E5"> if you have a policy</font>

499
00:25:29,190 --> 00:25:34,370
like this like star that's something

500
00:25:31,230 --> 00:25:39,510
<font color="#CCCCCC">that's something</font><font color="#E5E5E5"> you actually have too</font>

501
00:25:34,370 --> 00:25:41,219
much you are a match URLs that are

502
00:25:39,510 --> 00:25:43,049
ending with that<font color="#E5E5E5"> something that's</font>

503
00:25:41,220 --> 00:25:46,110
something but chrome was actually

504
00:25:43,049 --> 00:25:48,539
allowing something that something so

505
00:25:46,110 --> 00:25:50,699
<font color="#E5E5E5">basically chrome was allowing</font><font color="#CCCCCC"> X that y /</font>

506
00:25:48,539 --> 00:25:53,000
file to be<font color="#CCCCCC"> loaded although according to</font>

507
00:25:50,700 --> 00:25:56,820
<font color="#E5E5E5">the spec it shouldn't be load it and</font>

508
00:25:53,000 --> 00:25:58,980
it's<font color="#E5E5E5"> pretty I think it's it can be a big</font>

509
00:25:56,820 --> 00:26:01,500
source of a<font color="#CCCCCC"> problem of problems because</font>

510
00:25:58,980 --> 00:26:03,179
<font color="#E5E5E5">people respect people implement their</font>

511
00:26:01,500 --> 00:26:05,460
policies according to the spec but then

512
00:26:03,179 --> 00:26:08,309
turns out that chrome that browser is

513
00:26:05,460 --> 00:26:12,440
not interpreting the spec the same way

514
00:26:08,309 --> 00:26:14,460
as you<font color="#E5E5E5"> are or this one scripts or star</font>

515
00:26:12,440 --> 00:26:17,730
according<font color="#CCCCCC"> to the specs shouldn't allow</font>

516
00:26:14,460 --> 00:26:19,980
any data or file system or blob you<font color="#E5E5E5"> are</font>

517
00:26:17,730 --> 00:26:21,210
eyes but chrome was actually allowing it

518
00:26:19,980 --> 00:26:24,269
and you can have something<font color="#E5E5E5"> like this in</font>

519
00:26:21,210 --> 00:26:27,240
your on your<font color="#E5E5E5"> web page like your</font>

520
00:26:24,269 --> 00:26:29,210
cross-site scripting payload can be data

521
00:26:27,240 --> 00:26:32,510
URI<font color="#CCCCCC"> and it will perfectly work in</font>

522
00:26:29,210 --> 00:26:33,890
and you would have false sense of

523
00:26:32,510 --> 00:26:38,809
security by thinking that chrome

524
00:26:33,890 --> 00:26:42,049
implemented it properly there is cool

525
00:26:38,809 --> 00:26:45,590
feature in CSP cold CSP reporting so

526
00:26:42,049 --> 00:26:47,779
what happens when you specify a policy

527
00:26:45,590 --> 00:26:49,399
and your browser violates the policy so

528
00:26:47,779 --> 00:26:53,200
basically tries to load the script from

529
00:26:49,399 --> 00:26:55,489
somewhere that you are not whitelisting

530
00:26:53,200 --> 00:27:01,970
actually browser would send a report to

531
00:26:55,490 --> 00:27:04,309
you to specify where<font color="#E5E5E5"> reports should go</font>

532
00:27:01,970 --> 00:27:06,049
you put report<font color="#CCCCCC"> uri directive in your</font>

533
00:27:04,309 --> 00:27:08,570
policy and<font color="#E5E5E5"> you can specify multiple or</font>

534
00:27:06,049 --> 00:27:12,408
like one<font color="#E5E5E5"> uri where the report will be</font>

535
00:27:08,570 --> 00:27:15,379
sent and the<font color="#E5E5E5"> rule the spec is saying</font>

536
00:27:12,409 --> 00:27:21,440
that report should go to every URL you

537
00:27:15,380 --> 00:27:24,080
list it there actually some browsers

538
00:27:21,440 --> 00:27:27,429
well all browsers<font color="#E5E5E5"> except firefox will</font>

539
00:27:24,080 --> 00:27:31,549
actually append the cookie if<font color="#E5E5E5"> you if</font>

540
00:27:27,429 --> 00:27:34,159
report<font color="#CCCCCC"> uri shares the if we report to</font>

541
00:27:31,549 --> 00:27:37,360
arise but has the same origin as the<font color="#E5E5E5"> web</font>

542
00:27:34,159 --> 00:27:40,070
<font color="#E5E5E5">page where policy is enforced and</font>

543
00:27:37,360 --> 00:27:42,649
although spec is defining the format of

544
00:27:40,070 --> 00:27:46,939
the<font color="#E5E5E5"> report every browser implements its</font>

545
00:27:42,649 --> 00:27:48,439
own format of the report like for

546
00:27:46,940 --> 00:27:51,049
example you<font color="#E5E5E5"> can see</font><font color="#CCCCCC"> that it's exactly</font>

547
00:27:48,440 --> 00:27:52,970
the same violation generated by<font color="#E5E5E5"> Firefox</font>

548
00:27:51,049 --> 00:27:56,179
and<font color="#E5E5E5"> Chrome and like even by the size of</font>

549
00:27:52,970 --> 00:27:58,429
<font color="#E5E5E5">the paw report you</font><font color="#CCCCCC"> can see that that</font>

550
00:27:56,179 --> 00:28:00,700
they are<font color="#CCCCCC"> different so if you are dealing</font>

551
00:27:58,429 --> 00:28:06,490
with reports ESP reporting just not

552
00:28:00,700 --> 00:28:06,490
normalize them before before processing

553
00:28:12,690 --> 00:28:26,440
oops oh sorry report is has limited

554
00:28:23,280 --> 00:28:28,420
types of data that<font color="#E5E5E5"> can that browser can</font>

555
00:28:26,440 --> 00:28:31,600
share<font color="#CCCCCC"> with the endpoint that</font><font color="#E5E5E5"> collects</font>

556
00:28:28,420 --> 00:28:34,750
the report so if you want<font color="#E5E5E5"> to add some</font>

557
00:28:31,600 --> 00:28:37,719
extra data there is no way to extend<font color="#E5E5E5"> the</font>

558
00:28:34,750 --> 00:28:40,570
report format CSP reporting format

559
00:28:37,720 --> 00:28:42,490
report format so the only way is to pass

560
00:28:40,570 --> 00:28:46,659
the data as like query string parameters

561
00:28:42,490 --> 00:28:49,450
<font color="#E5E5E5">of your CSP report actually and by the</font>

562
00:28:46,660 --> 00:28:52,000
<font color="#E5E5E5">end of the presentation I there's a link</font>

563
00:28:49,450 --> 00:28:53,620
on a blog<font color="#CCCCCC"> post on how Twitter for</font>

564
00:28:52,000 --> 00:28:56,530
example is handling reports and they are

565
00:28:53,620 --> 00:28:59,139
putting session ID in actually in the

566
00:28:56,530 --> 00:29:01,270
CSP report URI so basically<font color="#E5E5E5"> they can</font>

567
00:28:59,140 --> 00:29:02,950
tell that this<font color="#E5E5E5"> report was generated by</font>

568
00:29:01,270 --> 00:29:07,270
<font color="#E5E5E5">this browser legitimately because</font>

569
00:29:02,950 --> 00:29:08,559
otherwise like every proud like if you

570
00:29:07,270 --> 00:29:12,790
have a vulnerability in your<font color="#E5E5E5"> web page</font>

571
00:29:08,559 --> 00:29:15,520
all browsers in the world<font color="#E5E5E5"> are will start</font>

572
00:29:12,790 --> 00:29:17,250
sending to CSP reports and you cannot

573
00:29:15,520 --> 00:29:19,750
really distinguish if this report is

574
00:29:17,250 --> 00:29:25,360
legitimate or somebody is just bombing

575
00:29:19,750 --> 00:29:27,250
you with the same post messages<font color="#CCCCCC"> or post</font>

576
00:29:25,360 --> 00:29:29,110
HTTP messages that contain something

577
00:29:27,250 --> 00:29:31,390
that looks like CSP report and like it

578
00:29:29,110 --> 00:29:37,959
can be pretty big source of for example

579
00:29:31,390 --> 00:29:41,260
denial of service attacks there is

580
00:29:37,960 --> 00:29:45,610
<font color="#E5E5E5">another good feature that you</font><font color="#CCCCCC"> can</font>

581
00:29:41,260 --> 00:29:47,350
actually you can deploy<font color="#E5E5E5"> your policy in</font>

582
00:29:45,610 --> 00:29:50,500
report only mode so basically report

583
00:29:47,350 --> 00:29:52,149
only header it acts acts exactly the

584
00:29:50,500 --> 00:29:56,080
same way as content security policy

585
00:29:52,150 --> 00:29:59,740
header but<font color="#E5E5E5"> it instead of it evaluates</font>

586
00:29:56,080 --> 00:30:05,110
the your policy it evaluates it applies

587
00:29:59,740 --> 00:30:07,480
the it evaluates the violations but it

588
00:30:05,110 --> 00:30:08,919
doesn't<font color="#CCCCCC"> enforce the violations it just</font>

589
00:30:07,480 --> 00:30:10,600
generates the report it will generate

590
00:30:08,920 --> 00:30:12,130
<font color="#E5E5E5">reports in the same way</font><font color="#CCCCCC"> but it doesn't</font>

591
00:30:10,600 --> 00:30:14,230
break<font color="#CCCCCC"> the page if</font><font color="#E5E5E5"> you have a problem on</font>

592
00:30:12,130 --> 00:30:17,350
the<font color="#CCCCCC"> web page with CSP and you mistakenly</font>

593
00:30:14,230 --> 00:30:20,260
are blocking some<font color="#E5E5E5"> resource that are that</font>

594
00:30:17,350 --> 00:30:21,939
is not<font color="#E5E5E5"> supposed to be blocked the</font>

595
00:30:20,260 --> 00:30:24,100
account security policy report only will

596
00:30:21,940 --> 00:30:26,440
help so<font color="#E5E5E5"> basically the</font>

597
00:30:24,100 --> 00:30:28,209
practice is to roll out your content

598
00:30:26,440 --> 00:30:30,970
security policy as report only for a

599
00:30:28,210 --> 00:30:33,850
week and like tweak it and fix it until

600
00:30:30,970 --> 00:30:34,990
you stop receiving reports that are not

601
00:30:33,850 --> 00:30:38,379
supposed to<font color="#E5E5E5"> be there and you only</font>

602
00:30:34,990 --> 00:30:40,539
receive actual attack reports and then

603
00:30:38,380 --> 00:30:45,880
like week later you switch to actual

604
00:30:40,539 --> 00:30:47,410
content security policy Heather yeah I

605
00:30:45,880 --> 00:30:48,940
should have mentioned this in the

606
00:30:47,410 --> 00:30:52,620
beginning of<font color="#E5E5E5"> the presentation but how</font>

607
00:30:48,940 --> 00:30:56,320
why we started looking it at CSP so

608
00:30:52,620 --> 00:30:59,889
company where<font color="#E5E5E5"> I work we make a network</font>

609
00:30:56,320 --> 00:31:02,408
appliance which modifies the HTTP

610
00:30:59,890 --> 00:31:04,809
responses we can inject our own script

611
00:31:02,409 --> 00:31:06,700
into the web page or we might modify the

612
00:31:04,809 --> 00:31:10,840
actual scripts that already there and

613
00:31:06,700 --> 00:31:12,880
<font color="#E5E5E5">the web server is using CSP we need to</font>

614
00:31:10,840 --> 00:31:14,649
actually adjust the CSP before

615
00:31:12,880 --> 00:31:19,900
forwarding that HTTP response to the

616
00:31:14,650 --> 00:31:23,590
browser and it's not actually that easy

617
00:31:19,900 --> 00:31:26,080
task it's not like just concatenating or

618
00:31:23,590 --> 00:31:28,959
like I don't<font color="#E5E5E5"> know if for example if we</font>

619
00:31:26,080 --> 00:31:31,870
are introducing new origin and like if

620
00:31:28,960 --> 00:31:33,789
our appliance is adding jquery time it's

621
00:31:31,870 --> 00:31:36,520
<font color="#E5E5E5">not like you are appending just</font><font color="#CCCCCC"> jQuery</font>

622
00:31:33,789 --> 00:31:40,840
<font color="#E5E5E5">that come into the to the script source</font>

623
00:31:36,520 --> 00:31:42,929
<font color="#E5E5E5">it's it has its own rules and yeah we</font>

624
00:31:40,840 --> 00:31:45,668
decided to implement a library which

625
00:31:42,929 --> 00:31:49,000
optimizes things like has full-blown

626
00:31:45,669 --> 00:31:51,220
parser with error locations positions

627
00:31:49,000 --> 00:31:54,280
and warning positions and it can answer

628
00:31:51,220 --> 00:31:56,440
questions like the same questions as

629
00:31:54,280 --> 00:32:01,149
browser would ask a browser CSP

630
00:31:56,440 --> 00:32:05,380
implementation<font color="#E5E5E5"> would answer sorry it's</font>

631
00:32:01,150 --> 00:32:10,000
used in production so it's pretty well

632
00:32:05,380 --> 00:32:11,620
tested so yeah well what are the

633
00:32:10,000 --> 00:32:14,380
problems that our library is trying to

634
00:32:11,620 --> 00:32:16,090
solve for example when you have to merge

635
00:32:14,380 --> 00:32:17,950
two policies basically there was<font color="#E5E5E5"> a</font>

636
00:32:16,090 --> 00:32:19,480
policy<font color="#E5E5E5"> served by the web server and now</font>

637
00:32:17,950 --> 00:32:23,080
we want<font color="#CCCCCC"> to</font><font color="#E5E5E5"> merge that policy with</font>

638
00:32:19,480 --> 00:32:25,690
something<font color="#CCCCCC"> that we want</font><font color="#E5E5E5"> to add that would</font>

639
00:32:23,080 --> 00:32:27,370
be<font color="#E5E5E5"> union merging and it's not like just</font>

640
00:32:25,690 --> 00:32:29,460
this example shows it's not just

641
00:32:27,370 --> 00:32:33,780
<font color="#CCCCCC">basically coordination you have to</font>

642
00:32:29,460 --> 00:32:33,780
properly merge merge the values

643
00:32:35,379 --> 00:32:40,309
we can merge in<font color="#CCCCCC"> interstate as a we can</font>

644
00:32:38,389 --> 00:32:43,908
measure using intersection strategy also

645
00:32:40,309 --> 00:32:45,649
and this would basically mimic what the

646
00:32:43,909 --> 00:32:47,299
browser would do if<font color="#CCCCCC"> you have multiple</font>

647
00:32:45,649 --> 00:32:49,459
policies basically you have to<font color="#E5E5E5"> come up</font>

648
00:32:47,299 --> 00:32:51,860
<font color="#E5E5E5">you have two policies now you have to</font>

649
00:32:49,460 --> 00:32:55,220
come up with some third policy that

650
00:32:51,860 --> 00:32:57,320
would satisfy both policies basically so

651
00:32:55,220 --> 00:32:59,929
if you had a and policy that saying

652
00:32:57,320 --> 00:33:02,360
before source a and<font color="#CCCCCC"> B and another policy</font>

653
00:32:59,929 --> 00:33:07,429
which has default source none so non

654
00:33:02,360 --> 00:33:09,559
would win because the only URL that

655
00:33:07,429 --> 00:33:11,299
would match both policies would be like

656
00:33:09,559 --> 00:33:14,870
there is<font color="#CCCCCC"> no such URL so for example</font>

657
00:33:11,299 --> 00:33:17,658
default source would become not for

658
00:33:14,870 --> 00:33:19,729
<font color="#E5E5E5">screed source the first policy is saying</font>

659
00:33:17,659 --> 00:33:21,139
default source a be there is no streets

660
00:33:19,730 --> 00:33:22,730
or switch meaning<font color="#E5E5E5"> Street source will</font>

661
00:33:21,139 --> 00:33:24,860
derive from default source which means

662
00:33:22,730 --> 00:33:27,200
for the first policy a script source is

663
00:33:24,860 --> 00:33:29,178
also<font color="#CCCCCC"> a B and for the second one it's</font>

664
00:33:27,200 --> 00:33:31,399
star so the intersection of<font color="#E5E5E5"> them is</font>

665
00:33:29,179 --> 00:33:34,220
<font color="#CCCCCC">going</font><font color="#E5E5E5"> to be a B and like for everything</font>

666
00:33:31,399 --> 00:33:36,289
<font color="#E5E5E5">else there is no intersection so we just</font>

667
00:33:34,220 --> 00:33:39,379
get rid of<font color="#E5E5E5"> it but it's hard to manually</font>

668
00:33:36,289 --> 00:33:42,789
right and like better to use something

669
00:33:39,379 --> 00:33:45,559
like our library for example we also

670
00:33:42,789 --> 00:33:47,299
have<font color="#CCCCCC"> this website CSP validated a torque</font>

671
00:33:45,559 --> 00:33:49,908
which uses some features of the library

672
00:33:47,299 --> 00:33:52,210
on<font color="#CCCCCC"> the back end and like you can test</font>

673
00:33:49,909 --> 00:33:52,210
and

674
00:33:56,240 --> 00:34:01,280
you can either enter<font color="#CCCCCC"> URLs</font><font color="#E5E5E5"> to query</font>

675
00:33:59,480 --> 00:34:03,559
actual content security policies of some

676
00:34:01,280 --> 00:34:06,920
websites or like click that button and

677
00:34:03,559 --> 00:34:09,139
will populate a URL of a<font color="#CCCCCC"> website that</font>

678
00:34:06,920 --> 00:34:10,940
actually contains CSP to analyze later

679
00:34:09,139 --> 00:34:12,590
or you can like come<font color="#CCCCCC"> up with your own</font>

680
00:34:10,940 --> 00:34:14,899
policies and like test them on the

681
00:34:12,590 --> 00:34:18,139
<font color="#CCCCCC">website and like merge and merge using</font>

682
00:34:14,899 --> 00:34:21,679
<font color="#E5E5E5">Union strategy or intersex intersection</font>

683
00:34:18,139 --> 00:34:27,560
strategy see the<font color="#CCCCCC"> virus see the warnings</font>

684
00:34:21,679 --> 00:34:29,629
see nonsensical warnings we will also

685
00:34:27,560 --> 00:34:33,080
<font color="#E5E5E5">also optimize the policy</font><font color="#CCCCCC"> for you and you</font>

686
00:34:29,629 --> 00:34:36,319
<font color="#E5E5E5">can compare if there was actually</font>

687
00:34:33,080 --> 00:34:38,469
optimization to clip the<font color="#CCCCCC"> to place or it</font>

688
00:34:36,320 --> 00:34:46,300
was the same and you have actual like

689
00:34:38,469 --> 00:34:48,770
optimal policy there I I just said this

690
00:34:46,300 --> 00:34:51,440
actually<font color="#E5E5E5"> our website is</font><font color="#CCCCCC"> also serving the</font>

691
00:34:48,770 --> 00:34:53,600
public accountant security policy and I

692
00:34:51,440 --> 00:34:57,380
think<font color="#E5E5E5"> this</font><font color="#CCCCCC"> is an example</font><font color="#E5E5E5"> of good policy</font>

693
00:34:53,600 --> 00:34:59,960
where first you write your website so

694
00:34:57,380 --> 00:35:01,670
you don't have to have<font color="#E5E5E5"> inline scripts or</font>

695
00:34:59,960 --> 00:35:03,170
any<font color="#E5E5E5"> kind of aligned resources because</font>

696
00:35:01,670 --> 00:35:06,980
its first it's good practice it's good

697
00:35:03,170 --> 00:35:11,390
for caching so you move any scripts that

698
00:35:06,980 --> 00:35:12,859
you have to to external files oh yeah

699
00:35:11,390 --> 00:35:14,720
for example this policy covers

700
00:35:12,859 --> 00:35:21,109
everything like we cover all types of

701
00:35:14,720 --> 00:35:23,689
resources we collect our reports we

702
00:35:21,109 --> 00:35:27,170
allow only resources that we<font color="#E5E5E5"> actually</font>

703
00:35:23,690 --> 00:35:29,570
need to<font color="#E5E5E5"> load and we are trying</font><font color="#CCCCCC"> to be</font>

704
00:35:27,170 --> 00:35:31,490
like as strict as possible by like<font color="#E5E5E5"> you</font>

705
00:35:29,570 --> 00:35:34,490
start<font color="#E5E5E5"> with default source none and then</font>

706
00:35:31,490 --> 00:35:38,060
you why at<font color="#E5E5E5"> least your resources one by</font>

707
00:35:34,490 --> 00:35:40,339
one so yeah we reported like aaron owed

708
00:35:38,060 --> 00:35:45,109
more than<font color="#CCCCCC"> ten bucks to against browsers</font>

709
00:35:40,340 --> 00:35:48,740
we start helping with actual CSP spec by

710
00:35:45,109 --> 00:35:52,130
submitting<font color="#E5E5E5"> pull requests which are being</font>

711
00:35:48,740 --> 00:35:54,439
accepted sometimes yeah these are like

712
00:35:52,130 --> 00:35:57,250
good resources where you can learn<font color="#E5E5E5"> about</font>

713
00:35:54,440 --> 00:35:57,250
CSP and

714
00:35:58,220 --> 00:36:07,189
and that's pretty much it that's it and

715
00:36:05,240 --> 00:36:10,700
i'll be<font color="#CCCCCC"> happy to</font><font color="#E5E5E5"> answer any questions</font><font color="#CCCCCC"> i</font>

716
00:36:07,190 --> 00:36:14,320
understand this is<font color="#CCCCCC"> not like covering but</font>

717
00:36:10,700 --> 00:36:17,319
<font color="#E5E5E5">like any CSP related questions would be</font>

718
00:36:14,320 --> 00:36:17,320
great

719
00:36:22,540 --> 00:36:24,900
star

720
00:36:27,680 --> 00:36:31,730
so

721
00:36:29,750 --> 00:36:33,740
but the rule is a<font color="#E5E5E5"> spec is saying that</font>

722
00:36:31,730 --> 00:36:36,080
you have to<font color="#E5E5E5"> at the URL should match any</font>

723
00:36:33,740 --> 00:36:41,689
of the source expressions so if it

724
00:36:36,080 --> 00:36:43,549
matches either what do<font color="#E5E5E5"> you say star so</font>

725
00:36:41,690 --> 00:36:46,220
it's kind of nonsensical because star

726
00:36:43,550 --> 00:36:48,620
<font color="#E5E5E5">always wins because like any URL would</font>

727
00:36:46,220 --> 00:36:53,649
match star so there<font color="#E5E5E5"> is no reason</font><font color="#CCCCCC"> to</font>

728
00:36:48,620 --> 00:36:53,650
specify anything other than star kinda

729
00:36:58,260 --> 00:37:05,680
besides is there any limits of the<font color="#CCCCCC"> GSP</font>

730
00:37:02,020 --> 00:37:09,130
<font color="#CCCCCC">size spec doesn't talk about it but</font>

731
00:37:05,680 --> 00:37:11,589
browsers actually well<font color="#CCCCCC"> Chrome has</font><font color="#E5E5E5"> a</font>

732
00:37:09,130 --> 00:37:13,390
limit on HTTP header so yeah that would

733
00:37:11,589 --> 00:37:17,339
be<font color="#E5E5E5"> your limit but spec doesn't define</font>

734
00:37:13,390 --> 00:37:17,339
any limits okay thank you

735
00:37:22,800 --> 00:37:29,220
okay<font color="#CCCCCC"> I have a question</font><font color="#E5E5E5"> we've implemented</font>

736
00:37:25,530 --> 00:37:32,820
CSP some time ago and we got rid<font color="#E5E5E5"> of</font>

737
00:37:29,220 --> 00:37:36,140
report your eye because we try to<font color="#E5E5E5"> avoid</font>

738
00:37:32,820 --> 00:37:40,350
using report you arrive by malware guys

739
00:37:36,140 --> 00:37:44,879
something like we<font color="#E5E5E5"> hmm we can't we can't</font>

740
00:37:40,350 --> 00:37:48,450
fully trust the<font color="#E5E5E5"> JSON parser we wrote for</font>

741
00:37:44,880 --> 00:37:50,910
<font color="#CCCCCC">you I parser for your parser and we</font>

742
00:37:48,450 --> 00:37:53,970
would like<font color="#E5E5E5"> to ask if there any report</font>

743
00:37:50,910 --> 00:37:56,359
you write scripts ready that are quite

744
00:37:53,970 --> 00:37:59,060
<font color="#CCCCCC">good enough that are checked for</font>

745
00:37:56,360 --> 00:38:01,680
vulnerabilities and that we can use sure

746
00:37:59,060 --> 00:38:05,340
so there<font color="#E5E5E5"> are two</font><font color="#CCCCCC"> things first for</font>

747
00:38:01,680 --> 00:38:09,649
example there was a bug in<font color="#E5E5E5"> Firefox that</font>

748
00:38:05,340 --> 00:38:13,350
existed from August last year till

749
00:38:09,650 --> 00:38:16,950
October this year it was generating CSP

750
00:38:13,350 --> 00:38:19,220
reports for valid completely valid web

751
00:38:16,950 --> 00:38:23,270
pages that<font color="#E5E5E5"> contain nonce attribute and</font>

752
00:38:19,220 --> 00:38:25,890
so yeah people<font color="#CCCCCC"> were being effects</font>

753
00:38:23,270 --> 00:38:29,730
hammered by CSP report generated by

754
00:38:25,890 --> 00:38:32,009
Firefox so a lot of<font color="#CCCCCC"> people just disabled</font>

755
00:38:29,730 --> 00:38:36,830
CSP reporting at least if user agent is

756
00:38:32,010 --> 00:38:39,720
<font color="#E5E5E5">Firefox and to answer your question</font>

757
00:38:36,830 --> 00:38:41,490
there<font color="#E5E5E5"> are third-party guys that are</font>

758
00:38:39,720 --> 00:38:44,430
collecting your reports for you and

759
00:38:41,490 --> 00:38:51,839
basically they take<font color="#E5E5E5"> the risk of being</font>

760
00:38:44,430 --> 00:38:54,540
hacked it's a CSP<font color="#E5E5E5"> it's</font><font color="#CCCCCC"> get</font><font color="#E5E5E5"> sentry calm</font>

761
00:38:51,840 --> 00:38:56,460
it's paid service but they normalize the

762
00:38:54,540 --> 00:38:57,840
report for you and like they provide you

763
00:38:56,460 --> 00:39:00,150
the normalized version of everything

764
00:38:57,840 --> 00:39:02,820
<font color="#CCCCCC">yeah basically</font><font color="#E5E5E5"> they parse the JSON they</font>

765
00:39:00,150 --> 00:39:05,630
take care<font color="#CCCCCC"> of everything it's paid</font>

766
00:39:02,820 --> 00:39:09,270
there's another guy which<font color="#CCCCCC"> is free</font>

767
00:39:05,630 --> 00:39:12,330
website is CSP reporter that<font color="#E5E5E5"> I oh I</font>

768
00:39:09,270 --> 00:39:15,090
<font color="#CCCCCC">think or CSP report that I oh yeah we</font>

769
00:39:12,330 --> 00:39:16,650
use that guy report your<font color="#E5E5E5"> i dot</font><font color="#CCCCCC"> io</font><font color="#E5E5E5"> or</font>

770
00:39:15,090 --> 00:39:19,080
report you are<font color="#E5E5E5"> either yeah yeah but he</font>

771
00:39:16,650 --> 00:39:20,520
turned us off<font color="#E5E5E5"> because too many robots</font>

772
00:39:19,080 --> 00:39:23,490
traffic well yeah

773
00:39:20,520 --> 00:39:27,420
while testing in report on the mode but

774
00:39:23,490 --> 00:39:31,290
I want<font color="#E5E5E5"> to review just insert some script</font>

775
00:39:27,420 --> 00:39:34,140
and it runs as an Aurora and some

776
00:39:31,290 --> 00:39:36,240
analysts got this Aurora in his console

777
00:39:34,140 --> 00:39:38,549
for example and you<font color="#E5E5E5"> run yeah it like</font>

778
00:39:36,240 --> 00:39:41,759
scream port alert something like that

779
00:39:38,550 --> 00:39:46,740
any success if the if the report

780
00:39:41,760 --> 00:39:49,020
analyzer is written so for that actually

781
00:39:46,740 --> 00:39:51,870
spec is saying that<font color="#E5E5E5"> CSP report mime type</font>

782
00:39:49,020 --> 00:39:55,110
content<font color="#E5E5E5"> type should be application CSP</font>

783
00:39:51,870 --> 00:39:56,759
report but only chrome implements it all

784
00:39:55,110 --> 00:40:00,210
other browsers just still put a

785
00:39:56,760 --> 00:40:03,180
<font color="#E5E5E5">application that j is less Jason yeah so</font>

786
00:40:00,210 --> 00:40:05,700
when all browsers start doing it

787
00:40:03,180 --> 00:40:10,069
properly and you can tell already from

788
00:40:05,700 --> 00:40:12,779
content type and I<font color="#E5E5E5"> okay thank you yeah</font>

789
00:40:10,070 --> 00:40:15,540
yeah unfortunately it's not solved now

790
00:40:12,780 --> 00:40:17,430
and like the<font color="#CCCCCC"> only thing is</font><font color="#E5E5E5"> to outsource</font>

791
00:40:15,540 --> 00:40:23,690
it to some guys that are<font color="#CCCCCC"> ready</font><font color="#E5E5E5"> to take</font>

792
00:40:17,430 --> 00:40:23,690
the vulnerability risk

793
00:40:26,560 --> 00:40:30,190
cool thank you

794
00:40:33,960 --> 00:40:36,020
you