Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Thursday, August 22 • 3:55pm - 4:40pm
Content Security Policy - the panacea for XSS or placebo?


Content Security Policy (CSP) is a mechanism for mitigating one of the most
common web application issues, Cross-Site Scripting (XSS).
CSP is a declarative policy that lets an application tell the browser
which origins it expects resources such as scripts and images to be
loaded from, so that anything else is refused.

In this presentation, we will talk about:

1. XSS. Very briefly, because in 2013 pretty much everyone knows about this attack.
2. CSP. Which risks this mechanism covers and which it does not:

- CSP inside
- Browser support status and issues
- Policy definition mistakes and CSP common security considerations
- XSS without JS

3. Experience. How we implemented CSP on a service with an audience
of more than 11 million users per week:

- Changes in the service
- Bugs in browser implementations
- Problems with third-party libraries
- The way from Report-Only to Block mode
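To make the "policy definition mistakes" and the Report-Only to Block transition concrete, here is a small policy linter added as an illustration; it is not code from the talk or from Yandex, and the two policy strings are constructed samples.

```python
# Added example (not from the talk): parse a CSP header value, flag the
# common policy definition mistakes, and choose the header name for a
# report-only rollout versus enforcing ("block") mode.
# Both policy strings below are constructed for illustration.

WEAK = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED = ("default-src 'self'; script-src 'self' static.example.com; "
            "object-src 'none'; report-uri /csp-report")


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy: str) -> list:
    """Return findings for mistakes that leave XSS unmitigated."""
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when absent.
    scripts = d.get("script-src", d.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts unrestricted")
    else:
        if "'unsafe-inline'" in scripts:
            findings.append("'unsafe-inline' re-enables injected inline scripts")
        if "'unsafe-eval'" in scripts:
            findings.append("'unsafe-eval' allows eval()-style code execution")
        if "*" in scripts:
            findings.append("wildcard script source allows any origin")
    if "object-src" not in d and "default-src" not in d:
        findings.append("no object-src: plugin content unrestricted")
    if "report-uri" not in d:
        findings.append("no report-uri: violations are never reported")
    return findings


def csp_header(policy: str, enforce: bool) -> tuple:
    """Header (name, value): report-only while tuning, enforcing when done."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return (name, policy)
```

Running `csp_findings(WEAK)` lists four problems while the hardened policy produces none; the usual rollout ships the hardened policy via `csp_header(HARDENED, enforce=False)` until the reports are clean, then switches `enforce=True`.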


Taras Ivashchenko

Taras Ivashchenko - Information Security Officer at Yandex. For a long time he focused on penetration tests (especially under the PCI DSS standard), but his main focus has always been on web application security and web technologies in general. He is well known for his research (http://www.oxdef.info...

Thursday August 22, 2013 3:55pm - 4:40pm CEST
Großer Saal