Hacker News new | ask | show | jobs
by relaxnow 4535 days ago
* CSP is actually the header that most security professionals are the most excited by (in my experience) as it gives you more control over what resources are and are not allowed. Especially when you're thinking of a future where you want to securely 'mash up' content, being able to set policies is essential.

* XFO, it you're doing API first there really is very little reason to frame a page. Maybe Twitter style widget support? But in that case you can have a separate URL for that.

* XCTO, yes, welcome to the 'organic' web :p

* HSTS, the first connect is difficult, maybe one day via DNSSec? But I must confess to know very little about DNSSec.
1 comments
jimktrains2 4535 days ago
I wasn't saying HSTS is useless, just pointing out one of the issues with it. I think HSTS a great thing!

With XFO, doing something like adding 'reddit.com/' before the domain to see if it's been submitted becomes much more computationally intensive on reddit's side if they can't just put it in a frame. This is where I run into issues mostly, with tools such as that. That said, there are other things it could do (take me to a submit page or a discussion page instead of framing the page). And frames suck anyway, so there is that.

I can see the usefulness in CSP, I just feel like it's a band-aid on larger problems.

link
yeukhon 4534 days ago
X-FRAME-OPTIONS I feel like the number of times this has prevented a useful action vs prevented a bad action is many:0

I am rather curious where did you get this claim? Any stories I should check?

And also what's the larger problem? Again, I'd really love to hear you elaborate on your thoughts.. thanks.

link
jimktrains2 4534 days ago
As for XFO, I specifically said that that was my opinion and my experience. I even give a specific example: adding reddit.com/ before the domain of hackernews, for instance, won't let reddit put it in a frame (in order to put the reddit toolbar above it). I've only ever encountered tools such as that breaking because of XFO.

Also, it's my user-agent, it's suppose to do what _I_ want it to do, not what the content author wants it to do, and I can't find a way to disable honoring XFO.

For CSP, one example of a larger problem would be excepting and storing unsanitized input. If it's going out to the user as (otherwise executable) javascript, are there other places that you're placing unescaped user-submitted data that could be an issue (a sql statement perhaps or the API to a site who trusted you to sanitize things (although they shouldn't)?).

link