<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div><div>New Content Security Policy (CSP) has checksum support - <a href="https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code">https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Refactoring_inline_code</a></div><div><br></div><div>Additionally, I would recommend some references to the following -</div><ul><li>DOMPurify - <a href="https://github.com/cure53/DOMPurify">https://github.com/cure53/DOMPurify</a></li><li>MentalJS - <a href="https://github.com/hackvertor/MentalJS">https://github.com/hackvertor/MentalJS</a></li></ul><div>Both of these can be used by sites to sandbox/clean DOM data.  If these are called up in the HTML header prior to other 3rd party JS code calls, it can provide protections.</div><div><br></div><div>-Ryan</div><div><br></div></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> <<a href="mailto:owasp-leaders-bounces@lists.owasp.org">owasp-leaders-bounces@lists.owasp.org</a>> on behalf of Rogan Dawes <<a href="mailto:rogan@dawes.za.net">rogan@dawes.za.net</a>><br><span style="font-weight:bold">Date: </span> Friday, April 15, 2016 at 5:41 AM<br><span style="font-weight:bold">To: </span> Kim Carter <<a href="mailto:kim.carter@owasp.org">kim.carter@owasp.org</a>>, <<a href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [Owasp-leaders] 3rd Party JavaScript Management Cheatsheet<br></div><div><br></div><div dir="ltr">My 
google-fu is weak today, but I'm pretty sure I recall reading about a mechanism to provide a checksum of an included resource in the including page, such that the browser will reject any content that does not match the checksum. That seems like a valuable addition to this cheat sheet, to me.<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Apr 15, 2016 at 10:02 AM Kim Carter <<a href="mailto:kim.carter@owasp.org">kim.carter@owasp.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  <div bgcolor="#FFFFFF" text="#000000">
    Excellent! Doesn't seem to be anything there though...<br>
    <br>
    <img src="cid:part1.06040004.09080001@owasp.org" alt=""><br>
    <br>
    <br>
    <div>
      <div> <img src="cid:part2.07070008.05020908@owasp.org" style="margin:0 20px 20px 0;display:inline;float:left">
        <div style="float:left;margin-top:0px">
          <p style="display:block;margin:0px;color:#4a5da1;font-size:16px;font-weight:800;margin:0 0 5px 0">Kim
            Carter</p>
          <p style="display:block;color:#4a5da1;font-size:12px;margin:0 0 5px 0">OWASP New Zealand Chapter Leader
            (Christchurch)</p>
          <p style="display:block;color:#4a5da1;font-size:12px;margin:0 0 5px 0">Author of <a href="https://leanpub.com/b/holisticinfosecforwebdevelopers" target="_blank"><b>Holistic
                Info-Sec for Web Developers</b></a></p>
          <p style="display:block;color:#4a5da1;margin:0 0 5px 0"> <abbr title="cellular phone" style="font-weight:800">c:</abbr>
            <span> +64 274 622 607</span> </p>
        </div>
      </div>
    </div></div><div bgcolor="#FFFFFF" text="#000000">
    <div>
      On 15/04/16 09:10, Taras wrote:<br>
    </div>
    <blockquote type="cite">
      <pre>Hi!

It's a very interesting topic and good cheatsheet! My suggestions are:
1. Add some code examples
2. Add some diagrams to illustrate Server Direct flow
3. What about using SRI (<a href="https://www.w3.org/TR/SRI/" target="_blank">https://www.w3.org/TR/SRI/</a>)? Can we use it
here?
4. What about using iframe from different domain (e.g. static data
host) as "jail" for such 3rd party code? We can make communication
between the host and this iframe with postMessage


On Mon, 11/04/2016 at 16:41 -1000, Jim Manico wrote:
</pre>
      <blockquote type="cite">
        <pre>Hello folks,

Jim Weiler from the OWASP Boston chapter just released a cheatsheet
on 3rd party JavaScript management. I think this is a solid and very
interesting piece of work. It addresses a security concern which many
website operators face.

Take a look, your feedback is - as always - appreciated.

<a href="https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet</a>

Aloha,
Jim Manico


 _______________________________________________
OWASP-Leaders mailing list
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></pre>
      </blockquote>
    </blockquote>
    <br>
  </div>

</blockquote></div>
</span></body></html>