Wednesday, January 28 • 10:30am - 11:30am
Caspr and Friends (Content-Security-Policy Reporting and Aggregation)

Caspr, a free and open source tool for collecting, aggregating and analyzing Content-Security-Policy (CSP) violation reports, was released near the end of summer. This talk will cover the background of CSP and violation reports, give an overview of Caspr and how it can be used, and then talk about some of the other tools surrounding CSP violation reports. The tools include Enforcer, a Chrome extension for forcing CSP on websites, and csp-tools, a suite of tools for managing CSP reports from the command line.

CSP is a relatively new HTTP header for eliminating potential XSS vulnerabilities from websites. CSP is a whitelist that specifies where assets are allowed to be loaded from and executed. This includes scripts that come from the same website. If the website tries to load or execute an asset that isn't on the whitelist (an asset being JavaScript, CSS, WebSockets, images, etc.), the asset will be blocked.

A report-uri can be specified so that when a CSP violation occurs, a report will be sent out describing the violation. These reports can be extremely important in gauging the effectiveness and coverage of your policy.
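To show what gauging coverage from these reports can look like, the following Python example is added here; it is not from the talk and is not Caspr's or csp-tools' code. It groups violation reports by violated directive and blocked origin, using the `csp-report` JSON fields browsers send to a report-uri; the function names and sample hosts are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def make_body(document_uri, violated_directive, blocked_uri):
    """Build a report body shaped like the JSON a browser POSTs to report-uri."""
    return json.dumps({"csp-report": {"document-uri": document_uri,
                                      "violated-directive": violated_directive,
                                      "blocked-uri": blocked_uri}})

# Constructed sample input (hosts are placeholders); the last two are malformed.
SAMPLE_BODIES = [
    make_body("https://example.test/a", "script-src 'self'", "https://cdn.example.net/lib.js?v=1"),
    make_body("https://example.test/b", "script-src 'self'", "https://cdn.example.net/other.js"),
    make_body("https://example.test/a", "script-src 'self'", "inline"),
    make_body("https://example.test/a", "img-src 'self'", "https://img.example.org/x.png"),
    "not json at all",
    '{"csp-report": {"blocked-uri": "https://x.example/"}}',
]

def blocked_source(blocked_uri):
    """Reduce a blocked-uri to its origin; keep keyword values such as 'inline'."""
    if not isinstance(blocked_uri, str):
        raise TypeError("blocked-uri must be a string")
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https", "ws", "wss") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"

def aggregate(bodies):
    """Count violations per (directive, blocked source); return (counts, rejected)."""
    counts, rejected = Counter(), 0
    for raw in bodies:
        try:
            report = json.loads(raw)["csp-report"]
            directive = report["violated-directive"].split()[0]
            source = blocked_source(report.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            # Reports arrive from arbitrary clients, so junk is expected: count and skip.
            rejected += 1
            continue
        counts[(directive, source)] += 1
    return counts, rejected

if __name__ == "__main__":
    counts, rejected = aggregate(SAMPLE_BODIES)
    for (directive, source), n in counts.most_common():
        print(f"{n:3d}  {directive:12s} {source}")
    print(f"rejected: {rejected}")
```

Collapsing each blocked URL to its origin keeps one noisy third-party host from appearing as many distinct entries, and the rejected count makes malformed submissions visible instead of silently dropped.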

As of the summer (2014), there weren't any popular tools for gathering these reports, or doing analysis and policy generation. And thus Caspr was born.

Caspr handles the collection, aggregation, and analysis of these reports. It runs on Heroku, so it's as simple as a button click to have your own instance of Caspr up and running.

A few tools have been released for dealing with CSP violation reports. This talk will also give a brief intro to those tools.
- Enforcer: Chrome Extension for forcing a policy on a website
- csp-tools: A suite of tools for testing/setting up/analyzing reports from the command line

Stuart Larsen

Student, Michigan Tech University
Stuart Larsen is currently a student at Michigan Technological University pursuing a degree in Electrical Engineering. He's been programming for about 10 years on things from Quantum Emulators, to cat fact spamming websites, to open source security tools. Previously he worked at the...

Wednesday January 28, 2015 10:30am - 11:30am PST
Annenberg Community Beach House: Track 3 415 Pacific Coast Hwy, Santa Monica, CA 90402