731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton
Syntax - Tasty Web Development Treats16 Feb 2024

731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy). Show Notes 00:00 Welcome to Syntax! 00:31 Brought to you by Sentry.io. 00:57 Who is Alex Sexton? 04:44 Stripe dashboard is a work of art. 05:08 Tell us about the design system. React Aria 08:59 Who develops the iOS app? 09:50 Stripe’s CSP (content security policy). 12:50 What even is a content security policy? Content Security Policy explanation 13:57 Douglas Crockford of Yahoo on security. Douglas on GitHub 15:13 Security philosophy. 16:59 What about inline styles and inline JavaScript? 19:41 How do we safely set inline styles from JS? 20:20 Setting up with meta tags. 22:52 What are common situations that require security exceptions? 26:24 Potential damage with inline style tags. 32:45 Looping vulnerabilities. 36:32 What about JavaScript injection? 37:09 Myspace Samy Worm. Myspace Samy Worm Wiki Sentry.io Security Policy Reporting 42:02 Does a CSP stop code from running in the console? 43:28 What are some general security best practices? 46:35 Strategies for rolling out a CSP. 51:49 Final tip, Strict Dynamic. Strict Dynamic 56:36 Where does the CSP live within Stripe? Original Black Friday story 59:35 One last story. 01:01:20 Sick Picks + Shameless Plugs Sick Picks + Shameless Plugs Alex: Wes Bos’ Instagram Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott:X Instagram Tiktok LinkedIn Threads Randy: X Instagram YouTube Threads

Episoder(999)

983: Why I Chose Electron Over Native (And I’d Do It Again)

983: Why I Chose Electron Over Native (And I’d Do It Again)

Wes and Scott talk about building v_framer, Scott’s custom multi-source video recording app, and why Electron beat Tauri and native APIs for the job. They dig into MKV vs WebM, crash-proof recording, ...

2 Mar 37min

982: Bots Are Ruining the Internet

982: Bots Are Ruining the Internet

Wes and Scott talk about the latest dev news: Node enabling Temporal by default, OpenAI acquiring OpenClaw, TypeScript 6, new TanStack and Deno releases, the explosion of AI agent platforms, and more....

25 Feb 49min

981: Browsers Are Finally Catching Up (Interop 2026)

981: Browsers Are Finally Catching Up (Interop 2026)

Scott and Wes unpack Interop 2026 and the browser features finally aligning across engines, from container style queries and anchor positioning to scroll-driven animations and view transitions. They b...

23 Feb 51min

980: AI Coding Explained

980: AI Coding Explained

Wes and Scott talk about the state of AI coding in 2026—from editors and models to agents, skills, slash commands, MCPs, and more. They unpack what these things actually do, how they overlap, and how ...

18 Feb 52min

979: WebMCP: New Standard to Expose Your Apps to AI

979: WebMCP: New Standard to Expose Your Apps to AI

Scott and Wes unpack WebMCP, a new standard that lets AI interact with websites through structured tools instead of slow, bot-style clicking. They demo it, debate imperative vs declarative APIs, and s...

16 Feb 16min

978: Should A New Coder Use AI?

978: Should A New Coder Use AI?

Wes and Scott answer your questions about AI agents, learning to code with AI, pagination patterns, skilling up from outdated tech stacks, balancing side projects with family life, real-world hacking ...

11 Feb 1h 2min

977: We built a CSS Challenge platform

977: We built a CSS Challenge platform

Scott and Wes break down how they built SynHax, the real-time CSS Battle app powering the upcoming Mad CSS tournament. From SvelteKit and Zero to diffing algorithms, sync conflicts, and a last-minute ...

9 Feb 41min

976: Pi - The AI Harness That Powers OpenClaw W/ Armin Ronacher & Mario Zechner

976: Pi - The AI Harness That Powers OpenClaw W/ Armin Ronacher & Mario Zechner

Wes and Scott talk with Armin Ronacher and Mario Zechner about PI, a minimalist agent harness powering tools like OpenClaw. They unpack why Bash is “all you need,” the risks of agents, workflow adapta...

4 Feb 57min

Populært innen Politikk og nyheter

giver-og-gjengen-vg
aftenpodden
aftenpodden-usa
forklart
stopp-verden
popradet
nokon-ma-ga
rss-gukild-johaug
fotballpodden-2
lydartikler-fra-aftenposten
det-store-bildet
dine-penger-pengeradet
aftenbla-bla
hanna-de-heldige
rss-ness
rss-espen-lee-usensurert
rss-dannet-uten-piano
rss-utenrikskomiteen-med-bogen-og-grasvik
e24-podden
frokostshowet-pa-p5