It's great to see a large site like GitHub start work on deploying CSP. I don't know how many times I've had to argue with people about bad practices like inline event handlers. With CSP there's a way for a site to prevent them from being used.
I'm not sure if that introduces any additional attack vectors (other than somebody modifying the document in an unencrypted connection) but it's useful for when hosting statically.
Their feedback is very useful to us as we iterate on the specification and implementation of CSP. (Disclosure: I'm an editor of the CSP specification.)
CSP is great stuff. I'm using it to view RSS/Atom posts without having to go through the usual hoop-jumping to sanitize content. Why sanitize content when it's unable to do anything evil in the context of a page?
I would recommend using some kind of test in your scripting to see if it's actually working. I purposely attempt to inject a <script> tag to fiddle with a variable. If it works, I know CSP isn't functional in the browser and avoid the dangerous stuff (rendering user-generated content). Otherwise, it's full speed ahead, detailed here: http://rachelbythebay.com/w/2011/10/31/csp/
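The self-test described in this comment, as an added example that is not part of the thread or of rachelbythebay's code: inject a probe script that only sets a flag, check whether the flag appeared, and refuse to render untrusted markup unless the policy blocked the probe. `PROBE_FLAG`, `fakeDocument` and the function names are my own; in a real page you pass `document`.

```javascript
// Added example: fail-closed CSP probe before rendering user-generated content.
const PROBE_FLAG = "__cspProbeExecuted"; // assumed name; set only if the injected script runs

// Source of the probe script: it does nothing but set the flag on the window.
function probeScriptSource(flag) {
  return 'window["' + flag + '"] = true;';
}

// The policy did its job only if the flag is still unset after the probe.
function cspBlockedInlineScript(flagWasSet) {
  return flagWasSet !== true;
}

// Inject the probe and report whether CSP blocked it. Inline <script> elements
// run synchronously on insertion, so the flag is readable right after
// appendChild; a CSP violation is reported to the console, not thrown.
function cspIsEnforced(doc) {
  if (!doc) return false; // no DOM at all: fail closed
  const win = doc.defaultView;
  delete win[PROBE_FLAG];
  const s = doc.createElement("script");
  s.textContent = probeScriptSource(PROBE_FLAG);
  doc.head.appendChild(s);
  doc.head.removeChild(s);
  return cspBlockedInlineScript(win[PROBE_FLAG]);
}

// Render untrusted markup only when the probe shows inline script is blocked;
// the markup's inline handlers and scripts are then inert under the policy.
function renderUntrusted(doc, html) {
  if (!cspIsEnforced(doc)) return { rendered: false, reason: "csp-not-enforced" };
  const box = doc.createElement("div");
  box.innerHTML = html;
  doc.body.appendChild(box);
  return { rendered: true, reason: "ok" };
}

// Constructed stand-in documents so the logic runs offline. One executes inline
// scripts like a browser with no policy; the other swallows them like a browser
// enforcing script-src without 'unsafe-inline'.
function fakeDocument(executesInline) {
  const win = {};
  const node = {
    appendChild(el) { if (executesInline && el.textContent) new Function("window", el.textContent)(win); },
    removeChild() {},
  };
  return { defaultView: win, createElement: () => ({ textContent: "", innerHTML: "" }), head: node, body: node };
}

if (typeof document !== "undefined") console.log("CSP enforced:", cspIsEnforced(document));
```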
Does a page's CSP break your extension in Chrome Canary? We've done quite a bit of work to allow extensions to transparently bypass a page's policy, and I'd much prefer to fix the bugs in Chrome than for you to kill a page's policy via the WebRequest API.
I'd very much appreciate it if you could point me at things that aren't working in Canary. :)
dmethvin | 13 years ago
pfraze | 13 years ago
EDIT: updated to mimic example in post
ushi | 13 years ago
You can configure your webserver to add those headers, when hosting statically. There is no need to include it in all your pages.
nginx: add_header Content-Security-Policy "...";
mh- | 13 years ago
abarth | 13 years ago
thyrsus | 13 years ago
rachelbythebay | 13 years ago
byroot | 13 years ago
Hope it helps someone.
mikewest | 13 years ago
lone-star | 13 years ago