I had trouble with Content-Security-Policy reporting on a password protected staging environment in combination with Firefox. I found a nice solution and blogged about it:
Why has #CSP-style (channels) programming using (asynchronous) #javascript generators in JavaScript not really been pursued or advanced? The projects I have found on this topic have not been updated or maintained for years, which I think is a shame. People interested in #golang or #clojure should actually feel at home here.
Does anyone else spend a lot of time thinking about what the developer experience of a pure #CSP could be? I think the immediate issue is the language itself needs to have CSP primitives baked in and not layered on (no matter how cool the party trick). I say this because the debugging experience can’t be wading through state machines you did not write yourself. Exene (written in Concurrent ML) is the only prior art I am aware of. Maybe #plan9 stuff?
#Sharkey's recent vulnerability and their handling of it is still miles better than #Lemmy's #XSS exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced.
Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!
I can cut some slack for the Sharkey devs here because:
they're relatively new (only months since the project started)
it only affected note imports from #Twitter which is already niche enough
it was easy to mitigate (just disable note import)
it didn't affect single-user instances IIUC
I haven't seen any Sharkey instance get actually exploited by this
they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)
So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.
Got a Q on how I pick my colors over on bluesky, and while I wouldn't claim myself a color whiz (my process always involves a lot of crying, screaming, throwing up, trial and error until something sticks) let me introduce fellow CSP users to the "Intermediate Color" and "Approximate Color" tools.
Those two help me a lot once I figured out the basics. #MastoArt #CSP
Then it just worked on my M2 without so much as a warning. Not a battle I want to fight tonight, but I would happily check out your middleware though. 🙏
It champions #TonyHoare's #CSP model of concurrency which takes me back. Back to the time I failed to get funding for a start-up to build an #Occam compiler targeting i386. Which was largely a ploy to get the UK government to buy me some neat kit 🤷♂️
@M0CUV
The reason that your work is so interesting to me is that I am a huge fan of #CSP, Communicating sequential processors. #GoLang, #LuaLang and Python's #gevent are all based on CSP. Modern CPUs do not support it well. The transputer supported it. We need Forth processors running CSP.
#ReleaseThursday As promised, a new version of https://thi.ng/fibers is out now and includes several new fiber operators/combinators and all the essentials for channel-based communication between processes/fibers (aka #CSP). The CSP channel supports arbitrary buffer sizes & implementations to achieve a range of blocking/non-blocking behaviors for reads/writes. And because all channel ops (read/write/close) are fiber-based, they can also be combined with all the other available operators, enabling some pretty powerful and expressive usage patterns...
More demos & tutorial forthcoming. Check the readme, API docs & examples and please report back with any feedback/questions/suggestions...
After some friendly inquiry by @computersandblues, I spent a few hours today adding basic CSP (#CommunicatingSequentialProcesses) primitives for https://thi.ng/fibers and writing some preliminary documentation. I'm amazed how simple (and easy!) it was this time around (compared to https://thi.ng/csp) and it's giving me big hopes for the fiber based approach in general...
Since #TYPO3 v12 there is native support for #CSP. Oliver Hader now explains "Content Security Policy - Concept, Strategies & Pitfalls" during the TYPO3 Developer Days. #T3DD23 #T3DD
@brotkrueml @danielsiepmann @muckz @eric_maechler @wowa_TYPO3
Chris Müller finally pushed me in the right direction: my #typo3 #csp rule for 'script-src' could have worked after all if I had not extended the existing ones but overwritten them with "mode: set". The considerably more informative error message in Chrome was also helpful.