CSP Oddities

Explore the intricacies of Content Security Policy (CSP) in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into the challenges of CSP deployment, common pitfalls, and browser compatibility issues. Discover juicy bypasses exploiting JSONP endpoints and outdated AngularJS versions on CDNs. Learn about a revolutionary approach to CSP implementation using nonces and a new CSP3 feature. Gain insights into effective CSP policy deployment, understand potential vulnerabilities, and explore how CSP adapts to modern web technologies. Presented by Michele Spagnuolo and Lukas Weichselbaum, experienced information security engineers from Google, this talk covers topics such as CSP basics, breaking CSP, whitelist models, CSP tools, nonce propagation, and browser support. Whether you're a defender or an attacker, acquire valuable knowledge to enhance your understanding of web application security.