Lukas@jugendforumNRW · @lukas
66 followers · 343 posts · Server social.lukas-schieren.de

How do I build a Content Security Policy (CSP) that doesn't break the whole website? :D

#contentsecuritypolicy #csp #itsicherheit #webseiten #website #followerpower

Last updated 1 year ago

mkj · @mkj
64 followers · 980 posts · Server social.linux.pizza

At least adding a "sandbox" shouldn't cause any additional issues (though I can't vouch for whether it'll break anything in this particular case).

developer.mozilla.org/en-US/do

#contentsecuritypolicy #pleroma

Last updated 1 year ago

Toby · @tosbourn
78 followers · 663 posts · Server masto.ai

Today I learned about Google's CSP evaluator.

Feed it a Content Security Policy or a link to a website where it can infer one, and it will evaluate it.

csp-evaluator.withgoogle.com/

#contentsecuritypolicy #csp

Last updated 2 years ago

Doug Parker · @develwithoutacause
199 followers · 594 posts · Server techhub.social

Looking into the current state-of-the-art for security and I'm kind of baffled by how primitive it is compared to browsers.

* No .
* No `SafeHtml`.
* No .
* No permission abstractions.
* Not even a way to ban `eval()`.

Best thing I've found is `--frozen-intrinsics`, which is interesting, and I don't think there's a browser equivalent. You still have to freeze `globalThis` though to get much value out of it.

nodejs.org/en/docs/guides/secu

There are also some interesting security policies, which look like they have a lot of potential. However they're all experimental right now and seem focused on code integrity.

nodejs.org/api/permissions.htm

Is this really the state-of-the-art for security right now? Am I missing something?

#nodejs #trustedtypes #contentsecuritypolicy #node

Last updated 2 years ago

Jumping Rivers · @jumpingrivers
256 followers · 48 posts · Server fosstodon.org

Content Security Policy is a framework of modern-ish browsers used to give applications an extra layer of security! In this week's blog, we introduce the concept of Content Security Policy and teach some of the technical aspects!

jumpingrivers.com/blog/content

#security #rstats #r #ContentSecurity #csp #contentsecuritypolicy #community #blog #shiny

Last updated 2 years ago

· @barubary
34 followers · 447 posts · Server infosec.exchange

Argh, just spent far too long debugging my CSP settings to figure out why my scripts don't run.
Answer: Browsers really dislike unpadded base64 in the script-src 'sha...' directive and silently reject it, but Digest::SHA generates base64 without padding. (Sure, it's documented ... if you know what you're looking for.)

Solution: Add padding manually.

use Digest::SHA qw(sha256_base64);
# $script_code holds the exact text of the inline <script> element
my $script_hash = sha256_base64($script_code);      # unpadded: 43 chars for SHA-256
$script_hash .= '=' x (-length($script_hash) % 4);  # padding! (-43 % 4 == 1 in Perl)
# then use it as: script-src 'sha256-$script_hash'

#csp #contentsecuritypolicy #base64 #perl

Last updated 2 years ago

Jonathan del Strother · @JdelStrother
30 followers · 38 posts · Server mastodon.social

In 5 years of trying to use a on audioboom.com I don’t believe it’s ever protected us against anything, just flooded me with error reports from bad browser extensions and caused a lot of busywork trying to get third-party packages to support nonces, avoid eval() etc. Am I just doing it wrong?

#contentsecuritypolicy

Last updated 2 years ago

Jonathan del Strother · @JdelStrother
30 followers · 38 posts · Server mastodon.social

In 5 years of trying to use a on audioboom.com I don’t believe it’s ever protected us against anything, just flooded me with error reports from bad browser extensions and caused a lot of busywork trying to get third parties to support nonces, avoid eval() etc. Am I just doing it wrong?

#contentsecuritypolicy

Last updated 2 years ago

Lukas Oldenburg · @lukasoldenburg
44 followers · 20 posts · Server mastodontech.de

New client migrated from GA, but apparently with the wrong agency, even though they brand themselves with Adobe know-how: All requests go to 2o7 .net lol - and the blocks them, so it might not matter...

#adobeanalytics #contentsecuritypolicy #epicfail

Last updated 2 years ago

marie destandau - ototoï · @ototoi
56 followers · 23 posts · Server piaille.fr

Using a hash to allow inline scripts in a bryanbraun.com/2021/08/10/allo - very useful if you have inline scripts in a react app, since 'unsafe-inline' is... well, unsafe! and 'nonce' works only when the page is rendered server-side

#contentsecuritypolicy

Last updated 2 years ago

Sumomi · @sumomi
326 followers · 1315 posts · Server social.tchncs.de

Any recommendations regarding and setting up its to work smoothly with multiple domains?

Tried to do it manually but failed miserably trying to prevent using 'unsafe-inline'.

#contentsecuritypolicy #wordpress

Last updated 2 years ago

Sumomi · @sumomi
326 followers · 1315 posts · Server social.tchncs.de

:blobcatdizzy: & me won't be friends today. 😭

#wordpress #contentsecuritypolicy

Last updated 2 years ago

wuergler · @wuerglerit
4 followers · 71 posts · Server social.tchncs.de

2/2 So in the .css file define a class like: .mytablestyle { width: 100%; } or for td .mytdclass { width: 40%; } and so on for the other tds. And then in the HTML only table class="mytablestyle" or td class="sometdclass". As far as I know, the class= on td is needed only once in the HTML to give the same column the same width in all rows (tr). Probably obvious to most people, right? Anyone have better solutions?

#csp #css #contentsecuritypolicy

Last updated 2 years ago

wuergler · @wuerglerit
4 followers · 71 posts · Server social.tchncs.de

1/2 Speaking of ugly tables, which we use sparingly anyway (note to self) ... Inline with style-src: inline CSS styles of course don't work with Content-Security-Policy, in particular with style-src self. The solution is clear: don't put styles inline in the first place. They belong in the CSS file. But with tables in particular you want to set the column width (td) as a percentage with colspan and col. Or the table to 100% width or the like.

#contentsecuritypolicy #csp #css

Last updated 2 years ago

Simone Silvestroni · @m2m
373 followers · 1806 posts · Server indieweb.social

New post: how I implemented a content security policy on a static website built with , hosted on and loaded with several external embeds.

Full code available, including example with Bandcamp embeds and webmentions.

minutestomidnight.co.uk/blog/c

#contentsecuritypolicy #netlify #jekyll

Last updated 3 years ago

ITSEC News · @itsecbot
687 followers · 32461 posts · Server schleuss.online

Google Chrome Browser Bug Exposes Billions of Users to Data Theft - The vulnerability allows attackers to bypass Content Security Policy (CSP) protections and steal d... threatpost.com/google-chrome-b -2020-6519

#csp #google #chrome #bypass #chromium #datatheft #websecurity #cve #vulnerabilities #securityvulnerability #contentsecuritypolicy

Last updated 4 years ago

erAck · @erAck
218 followers · 5335 posts · Server social.tchncs.de

@sheogorath

Nice write-up!

The Firefox Laboratory extension to generate CSP header content while browsing a site is very helpful:
addons.mozilla.org/firefox/add

Another resource I also found useful is cheatsheetseries.owasp.org/che

#http #contentsecuritypolicy #csp

Last updated 5 years ago
