
I don't think CSP could have prevented this? Facebook.com is already CSP enabled, but CSP only prevents cross-origin injection of certain resource types (images, scripts, JavaScript). This attack originated from Facebook's own domain and was served (well, sniffed) as HTML.

Anyway, CSP clearly isn't useless... but try deploying it on your average WordPress blog sometime.




> CSP only prevents cross-origin injection of certain resource types (images, scripts, JavaScript).

Are you sure ONLY? Enable CSP on an XSS-vulnerable website, send a payload, CSP prevents XSS from executing if your policy says so.


> Anyway, CSP clearly isn't useless... but try deploying it on your average WordPress blog sometime.

What issues have you found with this?


Not OP, but my guess is random plugins stop working with strict (i.e. secure) policies, if they weren't written with CSP in mind.


It's not really plugins. The vast majority of WordPress themes out there come with inline CSS, inline JavaScript, and prebaked dependencies on things like jQuery and Google Fonts hosted on third-party CDNs.
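An added example, not code from the thread or from WordPress, that makes both points above concrete: "CSP prevents XSS from executing if your policy says so" and "strict policies break the average theme". It is a deliberately small CSP evaluator (assumptions: only script-src, style-src, font-src and img-src with default-src fallback; host sources without paths or ports; the 'self', 'none', 'unsafe-inline' and nonce keywords). The page origin blog.example, the nonce value and the list of theme resources are constructed for the demonstration. It runs the same set of loads, including one injected inline script standing in for a reflected XSS payload, against a strict nonce-based policy and against the permissive policy such a theme actually needs, and reports what each policy blocks.

```javascript
// Added example (not from the Hacker News thread): a minimal Content-Security-Policy
// evaluator. Assumptions: only the four fetch directives below, host sources
// without paths/ports, and the 'self' / 'none' / 'unsafe-inline' / nonce keywords.
const DIRECTIVE_FOR_TYPE = {
  script: 'script-src',
  style: 'style-src',
  font: 'font-src',
  image: 'img-src',
};

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match a host source such as https://code.jquery.com, *.gstatic.com or https:
function hostSourceMatches(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {            // scheme-only source, e.g. "https:"
    return url.protocol === source.toLowerCase();
  }
  let host = source;
  const sep = source.indexOf('://');
  if (sep !== -1) {
    if (url.protocol !== source.slice(0, sep).toLowerCase() + ':') return false;
    host = source.slice(sep + 3);
  }
  host = host.toLowerCase();
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Decide whether one load is permitted. load = { type, inline?, url?, nonce? }.
function isAllowed(policy, pageOrigin, load) {
  const directive = DIRECTIVE_FOR_TYPE[load.type];
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;                              // neither directive nor default-src: unrestricted
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));

  if (load.inline) {
    // Per CSP3, 'unsafe-inline' is ignored once a nonce or hash source is present,
    // so an injected inline script without the right nonce is blocked.
    if (hasNonceOrHash) {
      return load.nonce !== undefined && sources.includes(`'nonce-${load.nonce}'`);
    }
    return sources.includes("'unsafe-inline'");
  }

  const url = new URL(load.url);
  return sources.some(src => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src === '*') return true;
    if (src.startsWith("'")) return false;                 // keywords, nonces and hashes never match a URL
    return hostSourceMatches(src, url);
  });
}

function evaluate(header, pageOrigin, loads) {
  const policy = parseCsp(header);
  return loads.map(load => ({ label: load.label, allowed: isAllowed(policy, pageOrigin, load) }));
}

// Constructed sample (hypothetical origin): what a typical WordPress theme page
// loads, plus one inline script an attacker managed to inject into the HTML.
const PAGE_ORIGIN = 'https://blog.example';
const THEME_LOADS = [
  { label: 'theme JS (same origin)',  type: 'script', url: 'https://blog.example/wp-content/themes/t/theme.js' },
  { label: 'theme inline <script>',   type: 'script', inline: true },
  { label: 'jQuery from CDN',         type: 'script', url: 'https://code.jquery.com/jquery.min.js' },
  { label: 'theme inline style attr', type: 'style',  inline: true },
  { label: 'Google Fonts stylesheet', type: 'style',  url: 'https://fonts.googleapis.com/css?family=Lato' },
  { label: 'Google Fonts woff2',      type: 'font',   url: 'https://fonts.gstatic.com/s/lato/v1/x.woff2' },
  { label: 'injected XSS <script>',   type: 'script', inline: true },
];

// Strict: nonce-gated scripts, no inline, no third-party hosts (nonce value is made up).
const STRICT_CSP =
  "default-src 'none'; script-src 'self' 'nonce-d3adb33f'; style-src 'self'; font-src 'self'; img-src 'self'";
// What the theme actually needs to keep working; note it also lets the injected script run.
const THEME_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://code.jquery.com; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com";

function blockedLabels(header) {
  return evaluate(header, PAGE_ORIGIN, THEME_LOADS).filter(r => !r.allowed).map(r => r.label);
}

console.log('strict policy blocks:', blockedLabels(STRICT_CSP));
console.log('theme policy blocks: ', blockedLabels(THEME_CSP));
```

Run with `node`. The strict policy blocks the injected script, but it blocks the theme's inline script, its inline style attribute, jQuery and both Google Fonts requests along with it; the theme-compatible policy lets everything load, the injected script included. The fix for a real site is to add a nonce to every legitimate inline script and serve third-party assets from an allowlisted host or locally, which is exactly the theme rework the thread is complaining about.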


Bad for development time but good for security then I'd guess.



