[Owasp-leaders] 3rd Party JavaScript Management Cheatsheet
Kim Carter
kim.carter at owasp.org
Fri Apr 15 18:54:07 UTC 2016
Seems to be missing a huge amount. You'll find all the missing parts in
my book (https://leanpub.com/b/holisticinfosecforwebdevelopers)
Kim Carter
OWASP New Zealand Chapter Leader (Christchurch)
Author of *Holistic Info-Sec for Web Developers*
<https://leanpub.com/b/holisticinfosecforwebdevelopers>
c: +64 274 622 607
On 16/04/16 00:59, Ryan Barnett wrote:
> New Content Security Policy (CSP) has checksum support
> - https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code
>
> Additionally, I would recommend some references to the following -
>
> * DOMPurify - https://github.com/cure53/DOMPurify
> * MentalJS - https://github.com/hackvertor/MentalJS
>
> Both of these can be used by sites to sandbox/clean DOM data. If
> these are called up in the HTML header prior to other 3rd party JS
> code calls, it can provide protections.
>
> -Ryan
>
> From: <owasp-leaders-bounces at lists.owasp.org
> <mailto:owasp-leaders-bounces at lists.owasp.org>> on behalf of Rogan
> Dawes <rogan at dawes.za.net <mailto:rogan at dawes.za.net>>
> Date: Friday, April 15, 2016 at 5:41 AM
> To: Kim Carter <kim.carter at owasp.org <mailto:kim.carter at owasp.org>>,
> <owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>>
> Subject: Re: [Owasp-leaders] 3rd Party JavaScript Management Cheatsheet
>
> My google-fu is weak today, but I'm pretty sure I recall reading about
> a mechanism to provide a checksum of an included resource in the
> including page, such that the browser will reject any content that
> does not match the checksum. That seems like a valuable addition to
> this cheat sheet, to me.
>
> On Fri, Apr 15, 2016 at 10:02 AM Kim Carter <kim.carter at owasp.org
> <mailto:kim.carter at owasp.org>> wrote:
>
> Excellent! Doesn't seem to be anything there though...
>
> Kim Carter
>
> OWASP New Zealand Chapter Leader (Christchurch)
>
> Author of *Holistic Info-Sec for Web Developers*
> <https://leanpub.com/b/holisticinfosecforwebdevelopers>
>
> c: +64 274 622 607
>
> On 15/04/16 09:10, Taras wrote:
>> Hi!
>>
>> It's a very interesting topic and good cheatsheet! My suggestions are:
>> 1. Add some code examples
>> 2. Add some diagrams to illustrate Server Direct flow
>> 3. What about using SRI (https://www.w3.org/TR/SRI/)? Can we use it
>> here?
>> 4. What about using iframe from different domain (e.g. static data
>> host) as "jail" for such 3rd party code? We can make communication
>> between the host and this iframe with postMessage
>>
>> On Mon, 11/04/2016 at 16:41 -1000, Jim Manico wrote:
>>> Hello folks,
>>>
>>> Jim Weiler from the OWASP Boston chapter just released a cheatsheet
>>> on 3rd party JavaScript management. I think this is a solid and very
>>> interesting piece of work. It addresses a security concern which many
>>> website operators face.
>>>
>>> Take a look, your feedback is - as always - appreciated.
>>>
>>> https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
>>>
>>> Aloha,
>>> Jim Manico
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders