Caspr, a free and open source tool for collecting, aggregating and analyzing Content-Security-Policy (CSP) violation reports, was released near the end of summer. This talk will cover the background of CSP and violation reports, give an overview of Caspr and how it can be used, and then talk about some of the other tools surrounding CSP violation reports. The tools include Enforcer, a Chrome extension for forcing CSP on websites, and csp-tools, a suite of tools for managing CSP reports from the command line.
CSP is a relatively new HTTP header for eliminating potential XSS vulnerabilities from websites. CSP is a whitelist that specifies where assets are allowed to be loaded from and executed, including scripts that come from the same website. If the website tries to load or execute an asset that isn't on the whitelist, whether JavaScript, CSS, WebSockets, images, etc., the asset will be blocked.
A report-uri can be specified so that when a CSP violation occurs, a report will be sent out describing the violation. These reports can be extremely important in gauging the effectiveness and coverage of your policy.
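As an added illustration of what a collector does with those reports (example code, not Caspr's own), here is a minimal aggregator over the JSON bodies browsers POST to report-uri, reducing each violation to a (directive, origin) pair and flagging origins that recur often enough to be allowlist candidates; the sample reports and the example.test hostnames are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample POST bodies in the JSON shape browsers send to report-uri
# (example data, not captured traffic). The last line is deliberately malformed.
SAMPLE_POSTS = r"""
{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example-third.test/lib.js"}}
{"csp-report": {"document-uri": "https://example.test/about", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example-third.test/other.js?v=2"}}
{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "script-src 'self'", "blocked-uri": "inline"}}
{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "img-src 'self'", "blocked-uri": "data"}}
this line is not JSON
""".strip().splitlines()

# blocked-uri values that name a mechanism rather than an origin; only an
# 'unsafe-*' keyword would allow them, so they are never allowlist candidates.
KEYWORD_SOURCES = {"", "inline", "eval", "data", "blob", "self"}

def violation_key(report):
    """Reduce one report to (directive name, origin-or-keyword)."""
    body = report["csp-report"]
    # Older reports put the whole directive ("script-src 'self'") in violated-directive.
    directive = body.get("effective-directive") or body["violated-directive"].split()[0]
    blocked = body.get("blocked-uri", "")
    parts = urlsplit(blocked)
    if parts.netloc:  # collapse paths and query strings to the origin
        return directive, f"{parts.scheme}://{parts.netloc}"
    return directive, blocked or "(empty)"

def aggregate(raw_posts):
    """Count violations per (directive, source), skipping unparsable bodies."""
    counts = Counter()
    for raw in raw_posts:
        try:
            report = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a collector must tolerate junk on its public endpoint
        if not isinstance(report, dict) or "csp-report" not in report:
            continue
        counts[violation_key(report)] += 1
    return counts

def suggest_sources(counts, min_count=2):
    """Origins seen at least min_count times per directive, as allowlist candidates."""
    suggestions = {}
    for (directive, source), n in counts.items():
        if n >= min_count and source not in KEYWORD_SOURCES:
            suggestions.setdefault(directive, []).append(source)
    return suggestions
```

Grouping by origin rather than full URL is what makes the counts useful: one CDN showing up under many paths is a single policy decision, while an "inline" entry is a signal to refactor the page, not to loosen the policy.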
As of the summer of 2014, there weren't any popular tools for gathering these reports, or for doing analysis and policy generation. And thus Caspr was born.
Caspr handles the collection, aggregation, and analysis of these reports. It runs on Heroku, so it's as simple as a button click to have your own instance of Caspr up and running.
A few tools have been released for dealing with CSP violation reports. This talk will also give a brief intro to those tools.
- Enforcer: Chrome Extension for forcing a policy on a website
- csp-tools: A suite of tools for testing, setting up and analyzing reports from the command line