content security policy – WindowsTechs.com

Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?

Posted on October 22, 2024 by Hiba Al Dalaty

I am currently implementing a feature that allows users to upload documents (mainly pdfs) and view them in the browser without storing them on a server. The application generates a blob URL from the uploaded document, which is then passed … Continue reading Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?→

Is it Safe to Update Content Security Policy to Allow Blob URLs for iframes?

Posted on October 22, 2024 by Hiba Al Dalaty

CSP Violation repot has a [blockedURL] that is in the [originalPolicy]

Posted on September 20, 2024 by Notts90

I keep getting Content Security Policy reports saying that https://googleads.g.doubleclick.net:443/pagead/viewthroughconversion/[redacted]/?random=… has been blocked by the img-src [effectiveDirective], even though in the same report it … Continue reading CSP Violation repot has a [blockedURL] that is in the [originalPolicy]→

CSP, inline SVG, and XML attributes

Posted on September 17, 2024 by janeden

I recently added some inline SVG images to my website, and the browsers complained about the style attributes within the SVG code not being covered by my strict CSP (style-src: self). Instead of adding unsafe-inline to the CSP or moving al… Continue reading CSP, inline SVG, and XML attributes→

What is "vacceedpasian.com"? [closed]

Posted on September 5, 2024 by Timothy Johns

Last month, I noticed a bunch of CSP enforcement block actions against https://vacceedpasian.com/conversion.js, and I’m curious if anyone knows what this is.
We have implemented Content Security Policy intended to prevent arbitrary, uknown… Continue reading What is "vacceedpasian.com"? [closed]→

Basic monitoring of web applications (http headers, HSTS)

Posted on August 19, 2024 by Andreas F

I would like to set up som basic monitoring of outgoing traffic for a number of web applications and api´s running in AWS. E.g.

Ensure specific http headers are in place (Content-Security-Policy and Strict-Transport-Security must be pres… Continue reading Basic monitoring of web applications (http headers, HSTS)→

Real life example of CSP containing report-uri and report-to

Posted on August 5, 2024 by Andrew Andrew

I need to setup CSP header containing report-uri and report-to simultaneously because many site clients using old Firefox and Chrome versions. How to setup both of these attributes in CSP?
UPD. Also i noticed that report-to requires CORS s… Continue reading Real life example of CSP containing report-uri and report-to→

Can URL maskers bypass browser XSS blockers?

Posted on August 3, 2024 by security_paranoid

I know that basically every modern browser version has a cross-site-scripting blocker for XSSed URLs, as in the type of filter that actually stops a user from visiting the URL, warning them of the malice it might inflict.
But let’s say tha… Continue reading Can URL maskers bypass browser XSS blockers?→

If I’m using HSTS, can I skip the scheme from my CSP directives?

Posted on June 17, 2024 by Tom Wright

For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I’m able to save some bytes by wildcarding some subdomains, but I’m also tempted to strip out all instances of https://.
Example:
connect-src ‘s… Continue reading If I’m using HSTS, can I skip the scheme from my CSP directives?→

Does the connect-src directive block the ability to make a request, or it blocks access to the response?

Posted on May 6, 2024 by Nikita Khodakovsky

Does the connect-src directive block the ability to make a request, or it blocks access to the response?

Continue reading Does the connect-src directive block the ability to make a request, or it blocks access to the response?→