Stripe Engineer explains Client Security

Scott and Wes are joined by security expert Alex Sexton of Stripe to cover all things client security: XSS, attack vectors, and CSP (content security policy).
Show Notes
00:00 Welcome to Syntax!
00:31 Brought to you by Sentry.io.
00:57 Who is Alex Sexton?
04:44 Stripe dashboard is a work of art.
05:08 Tell us about the design system.
08:59 Who develops the iOS app?
09:50 Stripe's CSP (content security policy).
12:50 What even is a content security policy?
13:57 Douglas Crockford of Yahoo on security.
15:13 Security philosophy.
16:59 What about inline styles and inline JavaScript?
19:41 How do we safely set inline styles from JS?
20:20 Setting up with meta tags.
22:52 What are common situations that require security exceptions?
26:24 Potential damage with inline style tags.
32:45 Looping vulnerabilities.
36:32 What about JavaScript injection?
37:09 Myspace Sammy Worm.
42:02 Does a CSP stop code from running in the console?
43:28 What are some general security best practices?
46:35 Strategies for rolling out a CSP.
51:49 Final tip: 'strict-dynamic'.
56:36 Where does the CSP live within Stripe?
59:35 One last story.
01:01:20 Sick Picks + Shameless Plugs
All links available at syntax.fm/731
------------------------------------------------------------------------------
Hit us up on Socials!
Scott: / stolinski
Wes: / wesbos
Randy: / @randyrektor
Syntax: / syntaxfm
www.syntax.fm
Brought to you by Sentry.io
#webdevelopment #webdeveloper #javascript

Comments: 11

  • @WesBos
    4 months ago

    This was a really good one - thanks to Alex Sexton for coming on and explaining how CSP works.

  • @nym49
    4 months ago

    Super interesting topic! What about an episode regarding the security or insecurity of browser extensions? Not sure who'd be an expert on that topic, though 🤔

  • @WesBos
    3 months ago

    @nym49 We have one in the works actually - let me know if you have any questions

  • @XnoobDotCom
    4 months ago

    Yes - more like this please

  • @mattbtay
    4 months ago

    The YayQuery podcast theme song was the best. I think I can still hear it.

  • @samhanna7382
    4 months ago

    conan o'brien ??

  • @AlexSexton
    4 months ago

    how dare u

  • @danmatthews3431
    4 months ago

    Hearing North Americans sheepishly say "nonce" always brightens my day without fail. Great episode!

  • @brokeloser
    4 months ago

    Quite the coup getting Conan on the podcast, congrats.

  • @abdellahcodes
    4 months ago

    first!

  • @WesBos
    4 months ago

    second!