Collaborate Disseminate
This question is specific to Clickjacking attacks and Content Security Policy.
When the server sends a static resource, such as .gif, .woff, .js file, which is not an .html, what is the security vulnerability in not using CSP or not specif… Continue reading What is the attack vector in allowing to frame non-HTML content?
I am trying to implement a CSP policy for our Angular 18 application based on Angular’s CSP recommendation and I have found that their recommendation does not make sense to me.
Specifically their use of a nonce in their script policy
scrip… Continue reading Angular’s recommended CSP doesn’t make sense to me
Before I start, I have found a few related references to this question, but they are not answered previously or are about a slightly different scenario to mine.
I have the following need. I need a way to let users write Javascript code, wh… Continue reading How to securely load user genereated Javascript code from IFrame into my website?
I host two public sites with WordPress, using different themes (but official ones, named "twenty-something") on an Apache server (Debian Bookworm), and I’m updating my CSP.
If I enable sandbox, I get a bunch of (silently) failed … Continue reading CSP: no sandbox, or sandbox with Access-Control-Allow-Origin: "null"?
I am currently implementing a feature that allows users to upload documents (mainly pdfs) and view them in the browser without storing them on a server. The application generates a blob URL from the uploaded document, which is then passed … Continue reading Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?
I am currently implementing a feature that allows users to upload documents (mainly pdfs) and view them in the browser without storing them on a server. The application generates a blob URL from the uploaded document, which is then passed … Continue reading Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?
I keep getting Content Security Policy reports saying that https://googleads.g.doubleclick.net:443/pagead/viewthroughconversion/[redacted]/?random=… has been blocked by the img-src [effectiveDirective], even though in the same report it … Continue reading CSP Violation repot has a [blockedURL] that is in the [originalPolicy]
I recently added some inline SVG images to my website, and the browsers complained about the style attributes within the SVG code not being covered by my strict CSP (style-src: self). Instead of adding unsafe-inline to the CSP or moving al… Continue reading CSP, inline SVG, and XML attributes
Last month, I noticed a bunch of CSP enforcement block actions against https://vacceedpasian.com/conversion.js, and I’m curious if anyone knows what this is.
We have implemented Content Security Policy intended to prevent arbitrary, uknown… Continue reading What is "vacceedpasian.com"? [closed]
I would like to set up som basic monitoring of outgoing traffic for a number of web applications and api´s running in AWS. E.g.
Ensure specific http headers are in place (Content-Security-Policy and Strict-Transport-Security must be pres… Continue reading Basic monitoring of web applications (http headers, HSTS)