Are 3rd-party scripts out to get you? CSP to the rescue!


Jun 21 2019 · 27 mins

Do you know what the 3rd-party scripts on your website are up to? In this week’s episode of FounderQuest, the guys talk about CSP (Content Security Policy) and how it can enhance security in the browser. They also weigh adding it as a feature of Honeybadger vs. a standalone product. CSP - learn it, live it, love it, on this week's FounderQuest.

Full transcript:
Josh: 00:00 A middle-of-the-night disruption for Ben? What is that, like 8:30?

Starr: 00:05 Oh, somebody called the burn unit! Oh!

Announcer: 00:08 You are in a maze of twisty little passages, all alike. Time to start a fire! Crack open a can of Tab, and settle in for Founder Quest.

Starr: 00:21 It is telling that the only way we can have sick burns on Ben is to accuse him of being too productive.

Josh: 00:27 Yeah.

Ben: 00:28 It's all good.

Starr: 00:29 So you know how turkey makes you sleepy?

Ben: 00:31 Tryptophan.

Starr: 00:32 You can buy pills full of that stuff.

Josh: 00:35 I forgot about tryptophan supplements.

Ben: 00:38 Wait, do they have pills that have both tryptophan and melatonin?

Starr: 00:41 No, but...

Josh: 00:43 Oh that's, that's like a cocktail.

Starr: 00:44 I don't know if I want to do that. I want to wake up in the morning eventually.

Ben: 00:49 You got to have the tryptophan, plus the melatonin, plus the NyQuil chaser.

Josh: 00:54 Yeah.

Starr: 00:54 And you just empty all those pill... empty all those capsules into a shot of whiskey. And then you just pound that bad boy.

Josh: 01:01 Yeah!

Ben: 01:03 Throw some Benadryl in there if you haven't... If you're still awake.

Josh: 01:06 So today, I thought it would be fun to talk about, like, an actual sort of feature. Like, I don't think we've actually shipped this feature yet. Have we?

Ben: 01:15 We kind of shipped the feature.

Josh: 01:17 We've shipped it a few times in various forms, not-

Ben: 01:22 It is not GA yet, as the big boys say.

Josh: 01:25 Oh, so if you're a VIP, you get the feature flag. Like the "you can totally use this feature."

Ben: 01:30 Exactly. If you're on the list then you get to use this feature.

Starr: 01:32 Oh, yeah.

Josh: 01:32 You did deploy... yeah, you deployed some of it, right? Or is it all of it?

Ben: 01:35 Yes, it's deployed. It's out there.

Josh: 01:35 Oh, okay.

Ben: 01:36 We could launch it today if we really felt like it. But...

Starr: 01:40 Anyway, I thought it would be fun to talk about this feature because it's something we've been discussing for literally years.

Ben: 01:47 Literally.

Starr: 01:48 I think...

Josh: 01:49 Yeah, I think about-

Starr: 01:50 I think Ben has taken a couple shots at it.

Josh: 01:52 I've taken a couple of shots at it, too.

Starr: 01:54 Damn, I feel like I should've taken some shots at it. And this feature is CSP reporting. So could somebody please tell me what the heck that is? Like what, what is CSP reporting?

Josh: 02:06 Well, CSP is Content Security Policy reporting. Content Security Policy is a feature of modern browsers that allows you to alert, basically send alerts to a URL of your choice, when content that you don't, that you didn't authorize is loaded on the page.

Ben: 02:30 So yeah, in addition to reporting, it also blocks that content, right? I mean, that's the primary use case, is to prevent your site from serving something that you didn't intend it to serve. Right? And so the reporting is kind of an extra benefit that you can, you can track-

Josh: 02:44 Yeah.

Ben: 02:44 ... but, you can see this in your browser. You know when you open up the console and those console errors, right? You can see if anything violates a content security policy. You can see that the browser is like, "Nope, didn't load that."

Starr: 02:56 So what, what might be... What is an example of some bad behavior that this is trying to prevent?

Ben: 03:02 So cross-site scripting is huge. So you know, you can inject some JavaScript into a vulnerable page. Let's say you have a content management system that allows you to put some user inpu...