731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton
Feb 16, 2024•1 hr 3 min
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more
Episode description
Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).
Show Notes- 00:00 Welcome to Syntax!
- 00:31 Brought to you by Sentry.io.
- 00:57 Who is Alex Sexton?
- 04:44 Stripe dashboard is a work of art.
- 05:08 Tell us about the design system.
- React Aria
- 08:59 Who develops the iOS app?
- 09:50 Stripe’s CSP (content security policy).
- 12:50 What even is a content security policy?
- Content Security Policy explanation
- 13:57 Douglas Crockford of Yahoo on security.
- Douglas on GitHub
- 15:13 Security philosophy.
- 16:59 What about inline styles and inline JavaScript?
- 19:41 How do we safely set inline styles from JS?
- 20:20 Setting up with meta tags.
- 22:52 What are common situations that require security exceptions?
- 26:24 Potential damage with inline style tags.
- 32:45 Looping vulnerabilities.
- 36:32 What about JavaScript injection?
- 37:09 Myspace Samy Worm.
- Myspace Samy Worm Wiki
- Sentry.io Security Policy Reporting
- 42:02 Does a CSP stop code from running in the console?
- 43:28 What are some general security best practices?
- 46:35 Strategies for rolling out a CSP.
- 51:49 Final tip, Strict Dynamic.
- Strict Dynamic
- 56:36 Where does the CSP live within Stripe?
- Original Black Friday story
- 59:35 One last story.
- 01:01:20 Sick Picks + Shameless Plugs
- Alex: Wes Bos’ Instagram
Syntax: X Instagram Tiktok LinkedIn Threads
Wes: X Instagram Tiktok LinkedIn Threads
For the best experience, listen in Metacast app for iOS or Android