Wie baue ich eine Content Security Policy (CSP) die nicht die ganze Webseite kaputt macht? :D

#ContentSecurityPolicy #CSP #ITSicherheit #Webseiten #Website #Followerpower

At least adding a "sandbox" #ContentSecurityPolicy shouldn't cause any additional issues (though I can't vouch for whether it'll break anything in this particular case).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox

#Pleroma

Today I learned about Google's CSP evaluator.

Feed it a Content Security Policy or a link to a website where it can infer one, and it will evaluate it.

https://csp-evaluator.withgoogle.com/

#ContentSecurityPolicy #CSP

Looking into the current state-of-the-art for #NodeJS security and I'm kind of baffled by how primitive it is compared to browsers.

* No #TrustedTypes.
* No `SafeHtml`.
* No #ContentSecurityPolicy.
* No permission abstractions.
* Not even a way to ban `eval()`.

Best thing I've found is `--frozen-intrinsics`, which is interesting, and I don't think there's a browser equivalent. You still have to freeze `globalThis` though to get much value out of it.

https://nodejs.org/en/docs/guides/security/#monkey-patching-cwe-349

There are also some interesting security policies, which look like they have a lot of potential. However they're all experimental right now and seem focused on code integrity.

https://nodejs.org/api/permissions.html

This this really the state-of-the-art for #Node security right now? Am I missing something?

Content Security Policy is a framework of modern-ish browsers used to give applications an extra layer of security! In this week's blog, we introduce the concept of Content Security Policy and teach some of the technical aspects!

https://www.jumpingrivers.com/blog/content-security-policy-shiny-posit-connect/

#Security #RStats #r #ContentSecurity #csp #ContentSecurityPolicy #community #blog #Shiny

Argh, just spent far too long debugging my CSP settings to figure out why my scripts don't run.
Answer: Browsers really dislike unpadded base64 in the script-src 'sha...' directive and silently reject it, but Digest::SHA generates base64 without padding. (Sure, it's documented ... if you know what you're looking for.)

Solution: Add padding manually.

use Digest::SHA qw(sha256_base64);
my $script_hash = sha256_base64($script_code);
$script_hash .= '=' x (-length($script_hash) % 4); # padding!

#CSP #ContentSecurityPolicy #Base64 #Perl

In 5 years of trying to use a #ContentSecurityPolicy on audioboom.com I don’t believe it’s ever protected us against anything, just flooded me with error reports from bad browser extensions and caused a lot of busywork trying to get thirdparty packages to support nonces, avoid eval() etc. Am I just doing it wrong?

In 5 years of trying to use a #ContentSecurityPolicy on audioboom.com I don’t believe it’s ever protected us against anything, just flooded me with error reports from bad browser extensions and caused a lot of busywork trying to getting third parties to support nonces, avoid eval() etc. Am I just doing it wrong?

New #AdobeAnalytics client migrated from GA, but apparently with the wrong agency, even though they brand themselves with Adobe know-how: All requests go to 2o7 .net lol - and the #ContentSecurityPolicy blocks them, so it might not matter... #epicFail

Using a hash to allow inline scripts in a #ContentSecurityPolicy https://www.bryanbraun.com/2021/08/10/allowing-inline-scripts-in-your-content-security-policy-using-a-hash/ - very useful if you have inline scripts in a react app, since 'unsafe-inline' is... well, unsafe! and 'nonce' works only when the page is rendered server-side

Any recommendations regarding #Wordpress and setting up its #ContentSecurityPolicy to work smoothly with multiple domains?

Tried to do it manually but failed misserably trying to prevent using 'unsafe-inline'.

:blobcatdizzy: #ContentSecurityPolicy #Wordpress & me won't be friends today. 😭

2/2 Also in der .css-Datei eine Klasse angeben wie: .mytablestyle { width: 100%; } oder für td .mytdclass { width: 40%; } usw. für weitere td. Und dann nur im HTML table class="mytablestyle" oder td class="sometdclass". Meines Wissens braucht es im HTML td die class= nur einmal, um die gleiche Spalte in allen Zeilen (tr) gleich breit zu haben. Für die meisten wohl klar, oder? Jemand bessere Lösungen?
#contentsecuritypolicy #css #csp

1/2 Von wegen unschönen Tabellen, die wir ja sparsam verwenden (zu mir selber) ... Inline #CSS bei #CSP style-src: Inline CSS Styles gehen bei Content-Security-Policy, insbesondere style-src self natürlich nicht. Die Lösung ist klar: Styles sowieso nicht inline. Gehören in die CSS-Datei. Aber gerade bei Tabellen möchte man mit colspan und col die Spaltenbreite (td) mit einem Prozentwert angeben. Oder die Tabelle 100 % width oder so.
#contentsecuritypolicy

New post: how I implemented a content security policy on a static website built with #Jekyll, hosted on #Netlify and loaded with several external embeds.

Full code available, including example with Bandcamp embeds and webmentions.

#contentsecuritypolicy

https://minutestomidnight.co.uk/blog/content-security-policy/

Google Chrome Browser Bug Exposes Billions of Users to Data Theft - The vulnerability allows attackers to bypass Content Security Policy (CSP) protections and steal d... https://threatpost.com/google-chrome-bug-data-theft/158217/ #contentsecuritypolicy #securityvulnerability #vulnerabilities #cve-2020-6519 #websecurity #datatheft #chromium #bypass #chrome #google #csp

@sheogorath

Nice write-up!

The Firefox Laboratory extension to generate CSP header content while browsing a site is very helpful:
https://addons.mozilla.org/firefox/addon/laboratory-by-mozilla/

Another resource I also found useful is https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

#HTTP #ContentSecurityPolicy #CSP

Crafty Web Skimming Domain Spoofs “https” - Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that o... more: https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/ #grandwesternsteaks.com #contentsecuritypolicy #subresourceintegrity #alittlesunshine #cheneybros.inc. #thecomingstorm #denissinegubko #jeromesegura #malwarebytes #webfraud2.0 #privacy.com #ryanbarnett #publicwww #akamai #.ps

Crafty Web Skimming Domain Spoofs “https” https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/ #grandwesternsteaks.com #contentsecuritypolicy #SubresourceIntegrity #ALittleSunshine #CheneyBros.Inc. #TheComingStorm #DenisSinegubko #JeromeSegura #Malwarebytes #WebFraud2.0 #privacy.com #RyanBarnett #publicwww #Akamai #.ps

RT @lbrunet_com@twitter.com

Retrouvez-moi pour une plongée dans les CSP https://www.youtube.com/watch?v=UMZKf9KG3B0 🤟

#breizhcamp #ContentSecurityPolicy #CSP

🐦🔗: https://twitter.com/lbrunet_com/status/1123837850540228609