Understanding Content Security Policy in Web Development

Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).

• 00:00 Welcome to Syntax!
• 00:31 Brought to you by Sentry.io.
• 00:57 Who is Alex Sexton?
• 04:44 Stripe dashboard is a work of art.
• 05:08 Tell us about the design system.
• React Aria
• 08:59 Who develops the iOS app?
• 09:50 Stripe’s CSP (content security policy).
• 12:50 What even is a content security policy?
• Content Security Policy explanation
• 13:57 Douglas Crockford of Yahoo on security.
• Douglas on GitHub
• 15:13 Security philosophy.
• 16:59 What about inline styles and inline JavaScript?
• 19:41 How do we safely set inline styles from JS?
• 20:20 Setting up with meta tags.
• 22:52 What are common situations that require security exceptions?
• 26:24 Potential damage with inline style tags.
• 32:45 Looping vulnerabilities.
• 36:32 What about JavaScript injection?
• 37:09 Myspace Samy Worm.
• Myspace Samy Worm Wiki
• Sentry.io Security Policy Reporting
• 42:02 Does a CSP stop code from running in the console?
• 43:28 What are some general security best practices?
• 46:35 Strategies for rolling out a CSP.
• 51:49 Final tip, Strict Dynamic.
• Strict Dynamic
• 56:36 Where does the CSP live within Stripe?
• Original Black Friday story
• 59:35 One last story.
• 01:01:20 Sick Picks + Shameless Plugs

• Alex: Wes Bos’ Instagram

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott:X Instagram Tiktok LinkedIn Threads

Randy: X Instagram YouTube Threads