
Validation of CSP

Open bfg1981 opened this issue 3 years ago • 2 comments

I had a server with an invalid CSP header. I got a lot of strange errors until I figured out the main culprit. It would be beneficial to make sure that the values checked are actually syntactically correct, before checking them for privacy/security. This probably applies to other values as well.

bfg1981 avatar Mar 14 '21 14:03 bfg1981

Agreed. I'm already planning to move most analysis stuff to the JS "backend" part. This should make it easier to add validation because it looks like there are a bunch of CSP validation/parsing things in the Node.js world. (Our current code is an Elixir reimplementation of the CSP stuff from https://github.com/mozilla/http-observatory, whose future seems uncertain because the author left Mozilla several months ago and nobody has done anything since.)

andersju avatar Mar 15 '21 20:03 andersju
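To make the two comments above concrete (a syntax check that runs before any privacy/security analysis, in the Node.js world the maintainer mentions), here is an added example. It is not webbkoll's code, not http-observatory's, and not from either participant; the directive list, the regexes and the three sample headers are constructed for this example, and the checks in the second stage are only a small illustrative subset of what a real analyser would do. The grammar it enforces is the CSP Level 3 serialisation: directives separated by ";", name and value separated by whitespace, values made of printable ASCII minus "," and ";", later duplicate directives ignored.

```javascript
// Added example (not webbkoll's code): syntax-check a Content-Security-Policy
// header value BEFORE analysing it, so a malformed header is reported as such
// instead of producing confusing downstream findings.

// Directive names from CSP Level 3 plus common deployed ones; anything else is
// reported as unknown (browsers silently ignore unknown directives).
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr', 'style-src',
  'style-src-elem', 'style-src-attr', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'child-src', 'frame-src', 'worker-src', 'manifest-src',
  'base-uri', 'sandbox', 'form-action', 'frame-ancestors', 'report-uri', 'report-to',
  'upgrade-insecure-requests', 'block-all-mixed-content',
  'require-trusted-types-for', 'trusted-types',
]);
// Directives whose value is a source list, so every value must be a source expression.
const SOURCE_LIST_DIRECTIVES = new Set([...KNOWN_DIRECTIVES].filter(
  (d) => d.endsWith('-src') || ['base-uri', 'form-action', 'frame-ancestors'].includes(d)));

const VALUE_CHARS   = /^[\x21-\x2B\x2D-\x3A\x3C-\x7E]+$/;              // VCHAR minus ',' and ';'
const KEYWORD       = /^'(self|none|unsafe-inline|unsafe-eval|unsafe-hashes|strict-dynamic|report-sample|wasm-unsafe-eval)'$/i;
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/;
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
const HOST_SOURCE   = /^(?:[A-Za-z][A-Za-z0-9+.-]*:\/\/)?(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)(?::(?:\*|\d+))?(?:\/[^\s;,]*)?$/;
const BARE_KEYWORD  = /^(self|none|unsafe-inline|unsafe-eval|strict-dynamic)$/i;

// Stage 1: parse and validate syntax. Returns ok=false with a list of errors
// for anything a browser would not parse as the author intended.
function parseCsp(header) {
  const errors = [];
  const warnings = [];
  const directives = new Map();
  if (typeof header !== 'string' || header.trim() === '') {
    return { ok: false, errors: ['empty or missing header value'], warnings, directives };
  }
  for (const raw of header.split(';')) {
    const token = raw.trim();
    if (token === '') continue;                        // "a;;b" and a trailing ';' are legal
    const [name, ...values] = token.split(/[ \t]+/);
    if (!/^[A-Za-z0-9-]+$/.test(name)) {
      errors.push(`malformed directive name ${JSON.stringify(name)}`);
      continue;
    }
    const lname = name.toLowerCase();
    if (directives.has(lname)) {                       // spec: later duplicates are ignored
      warnings.push(`duplicate directive ${lname} ignored`);
      continue;
    }
    if (!KNOWN_DIRECTIVES.has(lname)) warnings.push(`unknown directive ${lname} (browsers ignore it)`);
    for (const v of values) {
      if (!VALUE_CHARS.test(v)) {
        errors.push(`illegal character in ${JSON.stringify(v)} (${lname})` +
          (v.includes(',') ? '; directives are separated by ";", not ","' : ''));
      } else if (SOURCE_LIST_DIRECTIVES.has(lname)) {
        checkSourceExpression(lname, v, errors, warnings);
      }
    }
    if (SOURCE_LIST_DIRECTIVES.has(lname) && values.length > 1 && values.some((v) => /^'none'$/i.test(v))) {
      warnings.push(`'none' in ${lname} must stand alone; browsers ignore it when other sources are present`);
    }
    directives.set(lname, values);
  }
  return { ok: errors.length === 0, errors, warnings, directives };
}

function checkSourceExpression(directive, v, errors, warnings) {
  // "script-src self" is valid syntax but means a host called "self"; flag it.
  if (BARE_KEYWORD.test(v)) warnings.push(`${v} in ${directive} is an unquoted host name; did you mean '${v}'?`);
  if (KEYWORD.test(v) || NONCE_OR_HASH.test(v) || SCHEME_SOURCE.test(v) || HOST_SOURCE.test(v)) return;
  errors.push(v.startsWith("'") ? `unknown keyword ${v} in ${directive}`
                                : `invalid source expression ${v} in ${directive}`);
}

// Stage 2: a few illustrative security findings. Only meaningful on a
// syntactically valid policy, which is why checkCspHeader() skips it otherwise.
function analyzePolicy(directives) {
  const findings = [];
  const effective = (d) => directives.get(d) ?? directives.get('default-src');
  const script = effective('script-src');
  if (!script) {
    findings.push('no script-src and no default-src: scripts may load from anywhere');
  } else {
    const hasNonceOrHash = script.some((v) => NONCE_OR_HASH.test(v));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline' (no nonce/hash to override it)");
    if (script.some((v) => ['*', 'https:', 'http:'].includes(v)))
      findings.push('script-src allows scripts from any host');
  }
  if (!effective('object-src')) findings.push("object-src not restricted (set object-src 'none')");
  if (!directives.has('base-uri')) findings.push("base-uri not set (set base-uri 'none' or 'self')");
  return findings;
}

function checkCspHeader(header) {
  const parsed = parseCsp(header);
  return { ...parsed, findings: parsed.ok ? analyzePolicy(parsed.directives) : [] };
}

// Constructed sample headers (not taken from any real site).
const SAMPLES = {
  broken: "default-src 'self', script-src 'self' 'unsafe-inline'",       // ',' instead of ';'
  sloppy: "script-src self; object-src 'none'",                            // unquoted keyword
  valid:  "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline';; object-src 'none'; base-uri 'self'",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, h] of Object.entries(SAMPLES)) console.log(label, checkCspHeader(h));
}
```

The "broken" sample is the kind of header the opening comment describes: a single comma makes the whole value one directive, so a checker that skips the syntax stage would happily report on a `default-src` containing the host `script-src` and never say the policy is malformed. The "sloppy" sample passes the grammar but still deserves a warning, which is why the unquoted-keyword check sits in the syntax stage rather than the analysis stage.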

I had a look at the code, but decided that I didn't want to learn Elixir. I'm already working on some Puppeteer stuff, so if you move to Node, I'll probably be able to do some patching on my own.

bfg1981 avatar Mar 16 '21 11:03 bfg1981