w3c-cg / swag

Repository for the SWAG Community Group
https://www.w3.org/community/swag/

How can we help CSP gain more adoption with Web Developers #3

Open torgo opened 2 weeks ago

torgo commented 2 weeks ago

There was a paper from 2020 https://publications.cispa.saarland/2986/1/roth2020csp.pdf (ref from @simoneonofri). There's documentation out there, e.g. on MDN. There are tools out there. So what is missing to help CSP gain more adoption with web developers?

simoneonofri commented 2 weeks ago

This is also a point for WebAppSec @ TPAC, and from the minutes:

Would like to talk about making CSP Next better, but not sure the people there at TPAC are the folks we need to get feedback from. Need to talk to folks who tried to use it and failed, etc. Web developers. Want to get them interested in giving usability feedback

torgo commented 2 weeks ago

Also noting that there is CSP content in the 121 free course that OpenSSF provides: https://training.linuxfoundation.org/training/developing-secure-software-lfd121/ Maybe that could be one way to help drive CSP adoption.

simoneonofri commented 2 weeks ago

Yes, documentation and training are both important. Maybe we can use W3Cx, too. @marieforgue, can you explain how it works?

marieforgue commented 2 weeks ago

We need a course proposal listing the rationale, the content outline, the teacher(s)/trainer(s) profile(s), a budget (p/m), the timeline, etc. No such courses on edX - see https://www.edx.org/search?q=content+security+policy&tab=course&subject=Computer+Science Btw, I found this course 'under development': https://content-security-policy.com/training/ (check the course outline - wdyt?).

aaronshim commented 2 weeks ago

Hi! Perhaps a philosophical question around how this issue title is phrased-- have we all decided that having courses is the best way forward for getting more developer mind share for adopting CSP?

I think a course is a wonderful idea, but at the same time, I wonder what other ideas we can throw on the wall here-- for instance, one that I would like to see happen is increasing the number of frameworks that make it easy to have a low-to-no-config safe-by-default CSP enforcement option to simplify some of the complexity (that we need a course to clarify).

simoneonofri commented 2 weeks ago

> Hi! Perhaps a philosophical question around how this issue title is phrased-- have we all decided that having courses is the best way forward for getting more developer mind share for adopting CSP?
>
> I think a course is a wonderful idea, but at the same time, I wonder what other ideas we can throw on the wall here-- for instance, one that I would like to see happen is increasing the number of frameworks that make it easy to have a low-to-no-config safe-by-default CSP enforcement option to simplify some of the complexity (that we need a course to clarify).

I think it is a wonderful idea: framework and education as a "pincer".

I am collecting some feedback from the broader community: there are often inline things, and developers need to understand how to manage them in a seamless way (no-code?) [the indicator is when we find unsafe-inline and unsafe-eval] and how to quickly hash the scripts.