How do I build a Content Security Policy (CSP) that doesn't break the whole website? :D
#ContentSecurityPolicy #CSP #ITSicherheit #Webseiten #Website #Followerpower
At least adding a "sandbox" #ContentSecurityPolicy shouldn't cause any additional issues (though I can't vouch for whether it'll break anything in this particular case).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
#contentsecuritypolicy #pleroma
Today I learned about Google's CSP evaluator.
Feed it a Content Security Policy or a link to a website where it can infer one, and it will evaluate it.
Looking into the current state-of-the-art for #NodeJS security and I'm kind of baffled by how primitive it is compared to browsers.
* No #TrustedTypes.
* No `SafeHtml`.
* No #ContentSecurityPolicy.
* No permission abstractions.
* Not even a way to ban `eval()`.
Best thing I've found is `--frozen-intrinsics`, which is interesting, and I don't think there's a browser equivalent. You still have to freeze `globalThis` though to get much value out of it.
https://nodejs.org/en/docs/guides/security/#monkey-patching-cwe-349
There are also some interesting security policies, which look like they have a lot of potential. However they're all experimental right now and seem focused on code integrity.
https://nodejs.org/api/permissions.html
Is this really the state-of-the-art for #Node security right now? Am I missing something?
Content Security Policy is a framework of modern-ish browsers used to give applications an extra layer of security! In this week's blog, we introduce the concept of Content Security Policy and teach some of the technical aspects!
https://www.jumpingrivers.com/blog/content-security-policy-shiny-posit-connect/
#Security #RStats #r #ContentSecurity #csp #ContentSecurityPolicy #community #blog #Shiny
Argh, just spent far too long debugging my CSP settings to figure out why my scripts don't run.
Answer: Browsers really dislike unpadded base64 in the script-src 'sha...' directive and silently reject it, but Digest::SHA generates base64 without padding. (Sure, it's documented ... if you know what you're looking for.)
Solution: Add padding manually.
use Digest::SHA qw(sha256_base64);
# Digest::SHA returns base64 without the trailing '=' that CSP hash sources need
my $script_hash = sha256_base64($script_code);
$script_hash .= '=' x (-length($script_hash) % 4); # padding!
#csp #contentsecuritypolicy #base64 #perl
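As an added example (not the poster's Perl code), the same hash-source construction in Python, where base64.b64encode already emits the padding, plus a well-formedness check in the spirit of the browser's silent rejection and a padding fixer for digests produced without it; the inline script and function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample inline script (not from the original post).
INLINE_SCRIPT = "console.log('hello');"

# Length of the padded standard base64 encoding of each digest size.
_EXPECTED_LEN = {"sha256": 44, "sha384": 64, "sha512": 88}


def pad_base64(s: str) -> str:
    """Add the '=' padding that libraries such as Perl's Digest::SHA omit."""
    return s + "=" * (-len(s) % 4)


def csp_hash_source(script_code: str, algo: str = "sha256") -> str:
    """Return a CSP hash source like 'sha256-<base64 digest>' for an inline script.

    The digest covers the exact bytes between <script> and </script>, so any
    whitespace or encoding change in the page invalidates the hash.
    """
    if algo not in _EXPECTED_LEN:
        raise ValueError("CSP allows only sha256, sha384 and sha512")
    digest = hashlib.new(algo, script_code.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def hash_source_is_well_formed(source: str) -> bool:
    """Mirror the browser-side check: quoted, supported algorithm, and a
    fully padded base64 (or base64url) value of the right length."""
    m = re.fullmatch(r"'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'", source)
    if not m:
        return False
    algo, b64 = m.groups()
    return len(b64) == _EXPECTED_LEN[algo]


def build_script_src(inline_scripts) -> str:
    """Assemble a script-src directive allowing 'self' plus the given inline scripts."""
    sources = " ".join(csp_hash_source(s) for s in inline_scripts)
    return f"script-src 'self' {sources}"


if __name__ == "__main__":
    print(build_script_src([INLINE_SCRIPT]))
```

The policy value goes into the Content-Security-Policy response header; an unpadded hash source fails the check above just as it fails in the browser.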
In 5 years of trying to use a #ContentSecurityPolicy on audioboom.com I don’t believe it’s ever protected us against anything, just flooded me with error reports from bad browser extensions and caused a lot of busywork trying to get third-party packages to support nonces, avoid eval() etc. Am I just doing it wrong?
New #AdobeAnalytics client migrated from GA, but apparently with the wrong agency, even though they brand themselves with Adobe know-how: All requests go to 2o7 .net lol - and the #ContentSecurityPolicy blocks them, so it might not matter... #epicFail
Using a hash to allow inline scripts in a #ContentSecurityPolicy https://www.bryanbraun.com/2021/08/10/allowing-inline-scripts-in-your-content-security-policy-using-a-hash/ - very useful if you have inline scripts in a react app, since 'unsafe-inline' is... well, unsafe! and 'nonce' works only when the page is rendered server-side
Any recommendations regarding #Wordpress and setting up its #ContentSecurityPolicy to work smoothly with multiple domains?
Tried to do it manually but failed miserably trying to avoid 'unsafe-inline'.
:blobcatdizzy: #ContentSecurityPolicy #Wordpress & me won't be friends today. 😭
2/2 So, declare a class in the .css file, like: .mytablestyle { width: 100%; } or for td .mytdclass { width: 40%; } and so on for further td elements. Then in the HTML use only table class="mytablestyle" or td class="sometdclass". As far as I know, the class= on a td is only needed once in the HTML to give the same column the same width in every row (tr). Probably obvious to most people, right? Anyone have better solutions?
#contentsecuritypolicy #css #csp
1/2 Speaking of ugly tables, which we use sparingly anyway (note to self) ... Inline #CSS under a #CSP style-src: inline CSS styles naturally don't work with Content-Security-Policy, especially with style-src self. The solution is clear: don't inline styles at all. They belong in the CSS file. But with tables in particular you want to set the column width (td) as a percentage via colspan and col. Or make the table 100 % width or similar.
#contentsecuritypolicy #csp #css
New post: how I implemented a content security policy on a static website built with #Jekyll, hosted on #Netlify and loaded with several external embeds.
Full code available, including example with Bandcamp embeds and webmentions.
https://minutestomidnight.co.uk/blog/content-security-policy/
#contentsecuritypolicy #netlify #jekyll
Google Chrome Browser Bug Exposes Billions of Users to Data Theft - The vulnerability allows attackers to bypass Content Security Policy (CSP) protections and steal d... https://threatpost.com/google-chrome-bug-data-theft/158217/ #contentsecuritypolicy #securityvulnerability #vulnerabilities #cve-2020-6519 #websecurity #datatheft #chromium #bypass #chrome #google #csp
Nice write-up!
The Firefox Laboratory extension to generate CSP header content while browsing a site is very helpful:
https://addons.mozilla.org/firefox/addon/laboratory-by-mozilla/
Another resource I also found useful is https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
#http #contentsecuritypolicy #csp
Crafty Web Skimming Domain Spoofs “https” - Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that o... more: https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/ #grandwesternsteaks.com #contentsecuritypolicy #subresourceintegrity #alittlesunshine #cheneybros.inc. #thecomingstorm #denissinegubko #jeromesegura #malwarebytes #webfraud2.0 #privacy.com #ryanbarnett #publicwww #akamai #.ps
RT @lbrunet_com@twitter.com
Join me for a deep dive into CSPs https://www.youtube.com/watch?v=UMZKf9KG3B0 🤟
#breizhcamp #ContentSecurityPolicy #CSP
🐦🔗: https://twitter.com/lbrunet_com/status/1123837850540228609