by bubble_boi 3083 days ago
Author here. Someone in a comment pointed out that if you could get your code into Express middleware (or something depended on by Express middleware or similar), you could potentially alter any CSP header in the responses (if it's set in middleware before yours in the chain).

Indeed. Then the middleware could also inject exfiltration JavaScript in `text/html` or `application/javascript` responses, which would work even if the app doesn’t use npm modules on the frontend.

This applies to almost any backend web framework and package manager, but the culture of micro packages in npm suits itself well to this attack.

Clearly what we need is cryptographically-signed JavaScript and CSP pinning.

(I’m only half joking)

EDIT: oh, CSP pinning is actually a thing that’s been proposed https://www.w3.org/TR/csp-pinning/
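As an added example (not code from the thread), here is a last-in-chain integrity check in plain Node.js: it compares the outgoing Content-Security-Policy header against a policy pinned at startup and reports and reverts any directive an earlier middleware loosened or removed. The `cspPinGuard` name and the Express-style `(req, res, next)` signature are assumptions, and the sample policy strings are constructed.

```javascript
// Parse a CSP header into Map<directive, Set<source>>; a missing header yields an empty map.
function parseCsp(header) {
  const policy = new Map();
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), new Set(values));
  }
  return policy;
}

// Compare the actual header against the pinned one, directive by directive.
// Returns a list of deviations; an empty array means the header still matches the pin.
function cspDeviations(pinned, actual) {
  const want = parseCsp(pinned);
  const got = parseCsp(actual);
  const problems = [];
  for (const [name, wantValues] of want) {
    const gotValues = got.get(name);
    if (!gotValues) { problems.push(`directive removed: ${name}`); continue; }
    for (const v of gotValues) if (!wantValues.has(v)) problems.push(`${name}: unexpected source ${v}`);
    for (const v of wantValues) if (!gotValues.has(v)) problems.push(`${name}: missing source ${v}`);
  }
  for (const name of got.keys()) if (!want.has(name)) problems.push(`unexpected directive: ${name}`);
  return problems;
}

// Express-style middleware factory (hypothetical name). It hooks res.writeHead so the
// check runs after every earlier middleware has set its headers; on a mismatch it
// reports the deviation and fails closed by restoring the pinned policy.
function cspPinGuard(pinnedPolicy, onTamper = console.error) {
  return function (req, res, next) {
    const origWriteHead = res.writeHead;
    res.writeHead = function (...args) {
      const deviations = cspDeviations(pinnedPolicy, res.getHeader('content-security-policy'));
      if (deviations.length > 0) {
        onTamper({ path: req.url, deviations });
        res.setHeader('Content-Security-Policy', pinnedPolicy);
      }
      return origWriteHead.apply(this, args);
    };
    next();
  };
}

// Constructed sample: the pinned policy versus a copy loosened with 'unsafe-inline'.
const PINNED = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";
const LOOSENED = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'; object-src 'none'";
console.log(cspDeviations(PINNED, LOOSENED)); // ["script-src: unexpected source 'unsafe-inline'"]
```

Register the guard before any other middleware so it wraps `writeHead` first and therefore inspects the header last.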