Posts Tagged ‘dancer’

Planning a Content-Security-Policy with Dancer

The same-origin policy is a fundamental part of the web's security model. It keeps a document, and the scripts running in it, from reading data that belongs to a different origin. That is what keeps your data safe: if your bank's website hands your browser some data, only pages from your bank's origin can read it, not scripts served by other sites.

That's a nice theory, it'd be a shame if some evidence happened to it.

In the real world, attackers rarely need to break the same-origin policy; they get their own code to run inside the trusted origin instead. For example, a web programmer might mistakenly include user-provided input verbatim in the HTML of a page -- perhaps a username. Well, if your username is <script type="text/javascript" src=""></script>, how is the browser supposed to know whether that tag was put in the page intentionally? It can't: the tag is parsed and executed like any other script on the page, with the page's own origin and all the access that brings. The same-origin policy is no help in the face of programmer error. Enter Content Security Policy: a response header that tells the browser which origins scripts (and other resources) may be loaded from, and whether inline scripts are allowed at all, so an injected tag that points somewhere else is refused.
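As an added illustration (example code, not from the post or the Dancer project), here is a minimal Dancer (version 1) app that attaches a policy to every response and still escapes the username before it reaches the HTML. The policy contents, the static.example.com host, the /csp-report route and the csp_report_only config key are assumptions for the example; a real policy has to be written against the resources the site actually loads.

```perl
#!/usr/bin/env perl
# Added example (not the post's own code): a minimal Dancer 1 app that sends a
# Content-Security-Policy header on every response and escapes user input.
use strict;
use warnings;
use Dancer;
use HTML::Entities qw(encode_entities);

# Policy assumed for illustration: scripts only from this origin plus one
# hypothetical static host, no inline script, no plugins, no framing.
my $csp = join '; ',
    "default-src 'self'",
    "script-src 'self' https://static.example.com",   # hypothetical host
    "style-src 'self'",
    "img-src 'self' data:",
    "object-src 'none'",
    "frame-ancestors 'none'",
    "report-uri /csp-report";

# While planning a policy, ship it in report-only mode first: the browser
# reports violations but does not block anything. The config key
# csp_report_only is an assumption for this example.
my $header_name = config->{csp_report_only}
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';

# Set the header in an after hook so every route gets it, not just the ones
# we remember to cover.
hook after => sub {
    my $response = shift;
    $response->header($header_name => $csp);
};

get '/hello' => sub {
    my $name = params->{username} // 'anonymous';
    # Escaping is the first line of defence; CSP is the backstop for the day
    # a template forgets to escape. A username of <script src=...></script>
    # becomes harmless text here, and even unescaped it would be blocked by
    # script-src (inline scripts are not allowed without 'unsafe-inline').
    my $safe = encode_entities($name);
    return "<html><body><p>Hello, $safe</p></body></html>";
};

# Browsers POST a JSON violation report here because of report-uri above;
# logging them is how you discover what the planned policy would break.
post '/csp-report' => sub {
    debug 'CSP violation report: ' . request->body;
    status 204;
    return '';
};

dance;
```

Run it with `perl app.pl`, visit /hello?username=%3Cscript%3E and check the response headers; with csp_report_only set in config.yml the page renders unchanged and any violation shows up in the debug log instead of being blocked.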

A pastebin with almost no user interface

I've always favoured pastebins that let you bin a paste and nothing more - and spring to mind. I've made a Perl almost-clone of now runs WWW::Hashbang::Pastebin, a simple pastebin written with Dancer and DBIx::Class that does nothing but store your text and show it back to you. The only feature beyond that is if you append a +, you'll get line numbering (no syntax highlighting). You can use an anchor to jump to any line (click the line number), and the number for that line will be highlighted.

To interact with the pastebin, just POST the paste content in a form field named p and get the URL of the new paste back in the X-Pastebin-URL HTTP header (and in the response body, so curl-ing will Just Work):

curl -F 'p=<-' < /var/log/syslog

Or, use the Perl client, which provides a command-line tool to do the same thing (and also fetch paste content, given an ID).
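For completeness, an added example of the same exchange in Perl with HTTP::Tiny (this is not the WWW::Hashbang::Pastebin client itself). The base URL and the PASTEBIN_URL environment variable are assumptions; everything else follows the POST-p-and-read-X-Pastebin-URL contract described above.

```perl
#!/usr/bin/env perl
# Added example, not the project's own client: POST a paste with HTTP::Tiny
# and pull the new paste's URL out of the X-Pastebin-URL header.
use strict;
use warnings;
use HTTP::Tiny;

# Assumed base URL of a running instance; override with PASTEBIN_URL.
my $pastebin = $ENV{PASTEBIN_URL} // 'http://localhost:3000/';

# Read the paste from a file named on the command line, or from STDIN.
my $text = do { local $/; <> };
die "nothing to paste\n" unless defined $text && length $text;

my $res = HTTP::Tiny->new(timeout => 10)->post_form($pastebin, { p => $text });
die "paste failed: $res->{status} $res->{reason}\n" unless $res->{success};

# HTTP::Tiny lowercases header names. Fall back to the body, which carries
# the same URL so that plain curl works without parsing headers.
my $url = $res->{headers}{'x-pastebin-url'} // $res->{content};
$url =~ s/\s+\z//;
print "$url\n";
```

Usage: `perl paste.pl /var/log/syslog` or `dmesg | perl paste.pl`; the script prints the paste URL and exits non-zero if the server did not accept the paste.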