Hacker News new | ask | show | jobs
by throwawayjava 2901 days ago
> Why is CSP so under-utilized?

I think a few reasons:

1. It's not a sufficient replacement for sanitizing input. You need to sanitize; CSP is just an extra layer of protection.

2. relative new.

3. many popular frameworks don't support it out of the box.
1 comments
iancarroll 2901 days ago
The deployment difficulty is also high, especially for what it offers. Deploying CSP on anything non-trivial involves a lot of coordination with basically anyone who runs code on your site.
link
ubernostrum 2901 days ago
This is the big one.

Lots of sites have marketing departments which like to switch out their advertising, engagement, A/B testing, etc. code on a regular basis. Which in turn requires either changing the CSP frequently to accommodate, or else opening holes in the CSP to allow marketing to just copy/paste inline JS and other badness. At which point it's hard to justify CSP.

link
Jach 2901 days ago
This has been my feature work for the past couple months (I work on an enterprise site builder, basically, with some users doing what you describe -- we need to support that but hopefully with a smaller/harder to misfire footgun). There's a lot of feature complexity even after you've simplified it down, and it's kind of maddening how much effort it is to just send an extra (correct for the context) string in the response headers.

The spec versions are interesting to read too, as well as browser compatibility. Differences in interpretation of the spec lead to github issues which lead to browsers fixing things in the past few months that have been part of the spec for much longer. (And if you have a big chunk of IE11 users, "what's the point" is valid.) An example of a spec issue is that I'm working on adding an endpoint for the report-uri directive so we can log some metrics but the first thing you see when reading about report-uri is that it's been deprecated in favor of report-to, but literally no stable browser release supports report-to yet.

It's also not really enough. https://github.com/tc39/proposal-frozen-realms is a useful extension, since it would allow frameworks to do what they need to set up everything but then lock down objects from further extension/abuse...

link