fun with Content Security Policies

One thing your website can do, and something this blog has included, is HPKP, which is generally considered a nightmare and broken; but other content security features are needed by some web things to work.

As it is somewhat TLS related, I decided to make the zoo compatible with the more common CSP headers that were unused here in the zoo. There are easy headers like HSTS, X-Frame-Options, Set-Cookie and XSS, and hard ones: CSP is hard. I was missing a couple and thought, why not.

However, CSP allows a lot, but it is quite tricky to figure out the format, which goes:

<set header> default-src 'self' data: hostname; script-src * data: hostname; style-src data: hostname
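Since the separators and quoting are the tricky part of the format above, here is an added example (my own helper, not anything the blog or a CSP library ships) that splits a policy into its directives and flags the mistakes that bite in practice: curly quotes around 'self', a directive name that slipped into the previous directive's source list because a semicolon is missing, and a wildcard script-src. The hostname example.com and the function names parse_csp and lint_csp are assumptions for the demo.

```python
"""Parse and lint a Content-Security-Policy header value (added example)."""

# Directive names this linter knows about (common CSP level 2/3 directives).
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "frame-src", "frame-ancestors", "object-src",
    "base-uri", "form-action", "report-uri", "report-to",
}
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"  # what word processors turn ' into


def parse_csp(value):
    """Split a CSP value into {directive: [source, ...]}.

    Directives are separated by ';' and sources by whitespace, so a
    missing ';' silently appends the next directive's tokens here.
    """
    policy = {}
    for group in value.split(";"):
        tokens = group.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def lint_csp(value):
    """Return a list of problems a browser would reject or warn about."""
    problems = []
    if any(ch in value for ch in CURLY_QUOTES):
        problems.append("curly quotes found: keyword sources need ASCII quotes, e.g. 'self'")
    policy = parse_csp(value)
    for name, sources in policy.items():
        if name not in DIRECTIVES:
            problems.append(f"unknown directive {name!r}")
        for src in sources:
            if src.lower() in DIRECTIVES:
                problems.append(f"{src!r} inside {name} sources: missing ';' before it?")
            if src in ("self", "none", "unsafe-inline", "unsafe-eval"):
                problems.append(f"{src!r} in {name} must be quoted as '{src}'")
        if name in ("script-src", "default-src") and "*" in sources:
            problems.append(f"{name} allows '*': scripts may load from any origin")
    return problems


if __name__ == "__main__":
    # Constructed sample: the post's format with the semicolon dropped.
    sample = "default-src ‘self’ data: example.com; script-src * data: example.com style-src data: example.com"
    for problem in lint_csp(sample):
        print("-", problem)
```

Chrome's console reports the same class of errors ("Unrecognized Content-Security-Policy directive", unquoted keywords), but running the linter before deploying saves a round trip.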

The Chrome browser is helpful here for diagnosing stuff, although I never bothered to look at Firefox's tools.

I had to use a wildcard with our policy on the hostname, but things eventually worked.

HPKP remains something I won't touch with a bargepole, for if Symantec can issue bad EV certificates [the green ones] unauthorised, then the danger becomes clear to all.