
How can we help CSP gain more adoption with Web Developers #3

Open
torgo opened this issue Aug 26, 2024 · 6 comments

Comments

@torgo
Collaborator

torgo commented Aug 26, 2024

There was a paper from 2020 https://publications.cispa.saarland/2986/1/roth2020csp.pdf (ref from @simoneonofri). There's documentation out there e.g. on MDN. There are tools out there. So what is missing to help CSP gain more adoption with web developers?

@simoneonofri
Collaborator

This is also a point for WebAppSec @ TPAC, and from the minutes:

> Would like to talk about making CSP Next better, but not sure the people there at TPAC are the folks we need to get feedback from. Need to talk to folks who tried to use it and failed, etc. Web developers. Want to get them interested in giving usability feedback.

@torgo
Collaborator Author

torgo commented Aug 27, 2024

Also noting that there is CSP content in the 121 free course that OpenSSF provides: https://training.linuxfoundation.org/training/developing-secure-software-lfd121/ Maybe that could be one way to help drive CSP adoption.

@simoneonofri
Collaborator

Yes, documentation and training are both important. Maybe we can use W3Cx, too. @marieforgue, can you explain how it works?

@marieforgue

We need a course proposal listing the rationale, the content outline, the teacher(s)/trainer(s) profile(s), a budget (p/m), the timeline, etc.
No such courses on edX - see https://www.edx.org/search?q=content+security+policy&tab=course&subject=Computer+Science
Btw, I found this course 'under development': https://content-security-policy.com/training/ (check the course outline - wdyt?).

@aaronshim

Hi! Perhaps a philosophical question around how this issue title is phrased-- have we all decided that having courses is the best way forward for getting more developer mind share for adopting CSP?

I think a course is a wonderful idea, but at the same time, I wonder what other ideas we can throw on the wall here-- for instance, one that I would like to see happen is increasing the number of frameworks that make it easy to have a low-to-no-config safe-by-default CSP enforcement option to simplify some of the complexity (that we need a course to clarify).

@simoneonofri
Collaborator

> Hi! Perhaps a philosophical question around how this issue title is phrased-- have we all decided that having courses is the best way forward for getting more developer mind share for adopting CSP?
>
> I think a course is a wonderful idea, but at the same time, I wonder what other ideas we can throw on the wall here-- for instance, one that I would like to see happen is increasing the number of frameworks that make it easy to have a low-to-no-config safe-by-default CSP enforcement option to simplify some of the complexity (that we need a course to clarify).

I think this is a wonderful idea: frameworks and education as a "pincer".

I am collecting some feedback from the broader community: there are often inline things, and developers need to understand how to manage them in a seamless way (no-code?) [the indicator is when we find unsafe-inline and unsafe-eval] and how to hash the scripts quickly.
