GitHub's post-CSP journey

GitHub's exploration of Content Security Policy (CSP) and its subsequent enhancements demonstrate a proactive approach to web security, focusing on identifying and mitigating vulnerabilities beyond CSP's capabilities. By collaborating with Cure53, GitHub uncovered potential bypasses in their existing CSP policy and implemented additional defense strategies, such as restricting image sources and transitioning to an XHR approach for Google Analytics. They also improved CSRF protection by introducing per-form tokens and same-site cookies, countering potential exfiltration of sensitive data through injections. The company addressed gaps in their CSP by proxying Gravatar images and removing third-party sources from their img-src list, and they tackled dangling markup attacks with a nuanced mitigation strategy. Despite challenges like the peculiarities of the <plaintext> tag, GitHub's efforts have sparked broader discussions on browser-level security improvements. Their ongoing commitment to enhancing web security is further evidenced by their bug bounty program, encouraging research into bypassing their CSP policy to uncover novel vulnerabilities.