Syntax - Tasty Web Development Treats

731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Wes Bos

Tech News, Technology, News

4.9 (1.2K ratings)

🗓️ 16 February 2024

⏱️ 63 minutes

Summary

Scott and Wes are joined by security expert Alex Sexton of Stripe to cover all things client security: XSS, attack vectors, and CSP (Content Security Policy).

Show Notes

00:00 Welcome to Syntax!
00:31 Brought to you by Sentry.io.
00:57 Who is Alex Sexton?
04:44 Stripe dashboard is a work of art.
05:08 Tell us about the design system. (Link: React Aria)
08:59 Who develops the iOS app?
09:50 Stripe's CSP (content security policy).
12:50 What even is a content security policy? (Link: Content Security Policy explanation)
13:57 Douglas Crockford of Yahoo on security. (Link: Douglas on GitHub)
15:13 Security philosophy.
16:59 What about inline styles and inline JavaScript?
19:41 How do we safely set inline styles from JS?
20:20 Setting up with meta tags.
22:52 What are common situations that require security exceptions?
26:24 Potential damage with inline style tags.
32:45 Looping vulnerabilities.
36:32 What about JavaScript injection?
37:09 Myspace Samy Worm. (Links: Myspace Samy Worm Wiki; Sentry.io Security Policy Reporting)
42:02 Does a CSP stop code from running in the console?
43:28 What are some general security best practices?
46:35 Strategies for rolling out a CSP.
51:49 Final tip, Strict Dynamic. (Link: Strict Dynamic)
56:36 Where does the CSP live within Stripe? (Link: Original Black Friday story)
59:35 One last story.
01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs

Alex: Wes Bos' Instagram

Hit us up on Socials! Syntax: X, Instagram, TikTok, LinkedIn, Threads. Wes: X, Instagram, TikTok, LinkedIn, Threads. Scott: X, Instagram, TikTok, LinkedIn, Threads. Randy: X, Instagram, YouTube, Threads.

Transcript

0:00.0

Welcome to Syntax. Today we have Alex Sexton. He is an engineer from Stripe. We're here to talk about

0:05.9

CSP, content security policy, and I'm pretty sure there are very few topics that we have never covered on the podcast, but I don't think we have ever covered

0:16.9

CSP, so I'm excited to talk about it today.

0:19.9

Welcome, Alex, thanks so much for coming on.

0:21.3

Of course, excited to be here. I have confirmed

0:24.0

Wes, that we have never talked about CSP. It's not in any of our show notes. So that's

0:29.8

really good. And you know, you know what else we don't have? We don't have any bugs in our

0:35.6

code, because we use Sentry, and Sentry is logging all of our bugs and errors, and

0:39.8

we get to find them and fix them. And that's actually not... We do have some Sentry errors and we are actively working on fixing them.

0:45.8

So hey, if that sounds good to you, head on over to sentry

0:49.3

.io/syntax and give it a try.

0:51.9

You can get two months for free.

0:54.0

All right, let's get going.

0:57.0

Alex.

0:58.0

We'll introduce him first because Alex, you probably have one of the very first

1:03.4

OG podcasts, and you're part of the reason why we have this podcast as well.

1:08.5

I knew you back in the jQuery days. You had

1:11.4

several libraries you worked on. I think Modernizr? Yep. Nope, you did the yayQuery

1:16.3

podcast. So, do you want to give yourself a bit of an introduction about what you do and who you are?

1:21.6

Sure, yeah.

1:23.0

I live in Austin, Texas, and I mostly do, you know, front-end

1:26.3

web development.

...
