Monday, January 28, 2013

Some thoughts on the Content Security Policy.

The web is becoming a scarier place. Attackers are slipping malicious code into websites, and developers are being tricked into exposing their users' important information. This is a serious issue and must be fixed. But how?

Introducing Content Security Policy, the most annoying, helpful feature on the web. In short, Content Security Policy is a way to whitelist certain websites as trusted sources, so that code from any other website is not allowed to run on the developer's pages. For example, as Mike West at html5rocks.com said, "Code from https://mybank.com should only have access to https://mybank.com’s data, and https://evil.example.com should certainly never be allowed access." Now here is the annoying part. You have to make sure every resource that comes from outside your website's own server is on that whitelist, so it requires a bit more work.

Many developers just serve all their resources from their own website, but that slows it down. For example, jQuery and AngularJS take up space on your server, while they could be loaded from Google's API website instead. With Content Security Policy you must whitelist https://apis.google.com before you can actually use its resources.

The second part of Content Security Policy is that inline scripts are a big no. We all know every developer likes to cut corners, and inline scripts are one of them. Attackers can take advantage of inline scripts to compromise your website. We need to start moving away from inline scripts, and Content Security Policy is the perfect transition.
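To make the whitelisting rule and the inline-script rule concrete, here is an added example (my own code, not from the original post, from html5rocks or from any browser): a small Python evaluator that parses a Content-Security-Policy header and reports whether a script from a given URL would be allowed to load on a page, and whether inline scripts would run. The header value, the page URL https://mybank.com and the script URLs are constructed for the example, as are the function names parse_csp, script_allowed and inline_allowed. The evaluator understands only 'self', 'none', 'unsafe-inline', *, host and scheme://host entries (with a leading *. wildcard), not the full source-expression grammar that a real browser implements.

```python
"""Toy Content-Security-Policy evaluator (added example, not from the original post).

It parses a CSP header into directives and answers the two questions the post
raises: is a script from a given URL whitelisted, and are inline scripts allowed?
Supported source expressions: 'self', 'none', 'unsafe-inline', '*', host and
scheme://host entries (with a leading '*.' wildcard). Paths, port wildcards,
nonces and hashes are not handled.
"""
from urllib.parse import urlparse

# Constructed policy: scripts may come from the page's own origin or Google's
# API host; everything else (including inline <script> blocks) is refused.
CSP_HEADER = "default-src 'self'; script-src 'self' https://apis.google.com"


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_list(policy, directive):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, host):
    # Drop any path component; only the host part is compared here.
    pattern = pattern.split("/", 1)[0]
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" -> ".example.com"
    return host == pattern


def _source_matches(src, page, target):
    s = src.lower()
    if s == "'self'":
        # 'self' means the page's own scheme and host.
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if s.startswith("'"):
        return False  # other keywords ('unsafe-inline', nonces) never match a URL
    if s == "*":
        return True
    if "://" in s:
        scheme, rest = s.split("://", 1)
        return scheme == target.scheme and _host_matches(rest, target.netloc)
    return _host_matches(s, target.netloc)


def script_allowed(header, page_url, script_url):
    """Would <script src=script_url> on page_url load under this header?"""
    sources = source_list(parse_csp(header), "script-src")
    # Simplification: 'none' is treated as a veto wherever it appears.
    if "'none'" in (s.lower() for s in sources):
        return False
    page, target = urlparse(page_url.lower()), urlparse(script_url.lower())
    return any(_source_matches(src, page, target) for src in sources)


def inline_allowed(header):
    """Inline <script> blocks run only if script-src (or default-src) carries 'unsafe-inline'."""
    sources = source_list(parse_csp(header), "script-src")
    return "'unsafe-inline'" in (s.lower() for s in sources)


if __name__ == "__main__":
    page = "https://mybank.com/"
    for url in ("https://apis.google.com/js/jquery.js",
                "https://mybank.com/app.js",
                "https://evil.example.com/steal.js"):
        verdict = "allowed" if script_allowed(CSP_HEADER, page, url) else "blocked"
        print(f"{url}: {verdict}")
    print("inline scripts:", "allowed" if inline_allowed(CSP_HEADER) else "blocked")
```

Running it shows the trade-off the post describes: once https://apis.google.com is on the whitelist, jQuery and AngularJS can be loaded from there, scripts from the page's own origin still work, anything from evil.example.com is refused, and inline scripts are blocked until you either move them into external files or (defeating much of the point) add 'unsafe-inline'.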

I think Content Security Policy is going to be the future. It will make the web a much more secure place where web applications can finally be compared to native applications. When the Google Chrome team says, "The web is what you make of it," it really is. We need to make the web a safer place, and with Content Security Policy we can welcome the web to a much safer place. To find out more about Content Security Policy, visit html5rocks' article: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
