Collaborate Disseminate
Ever since CSP 3 introduced strict-dynamic, Google has recommended its usage. Indeed, the idea of maintaining one “root” script, which in turn loads all other necessary scripts, sets up event handlers, etc. instead of maintai… Continue reading Does it pose a problem to use ‘strict-dynamic’ with a hash and not a nonce?
If I’m using subresource integrity on a web page and a script that I import then itself imports a further script, will the CSP ‘require-sri-for’ also include those subsequent, nested, imported scripts?
For example, if a .js file is pulled… Continue reading If a site includes the header ‘HTTP Content-Security-Policy require-sri-for’ then does this include all nested scripts?
This excellent SSO answer recommends to use certificate rules on Windows’ executables, as explained here by Microsoft. The latter says that the “location” of this setting is:
Computer Configuration\Windows Settings\Securi… Continue reading Where can I configure certificate rules on Windows 10?
Here is an example of the CSP of accounts.google.com:
content-security-policy: script-src ‘nonce-DanEwkxkS1rktq35Z1hVcg’ ‘unsafe-inline’ ‘unsafe-eval’;object-src ‘none’;base-uri ‘self’;report-uri /cspreport
CoinHive is a service that was created in September 2017. It allows users to mine Monero cryptocurrency using JavaScript. CoinHive has remarkably changed the income models of content developers over the course of its 18 month-long adventure. However, d… Continue reading The End of CoinHive and the Rise of Cryptojacking
Assume we have a webpage with sensitive data. The page uses a marketing partner advertisingpartner.com which collects data via third-party cookies in a foreign iframe. We have applied a relatively strict CSP:
connect-src ‘… Continue reading Content Security Policy: postMessage into foreign iframe
For example I am having an iframe with src https://iframe1.com which is listed in my content security policy. If the whitelisted iframe calls some iframe from another source like https://iframe2.com, will the content security… Continue reading How to whitelist an iframe and script of some other source embeded/ called by an iframe that is whitelisted in the CSP?
I recently discovered that its possible to run javascript from an <a> tag like this
<a href=”javascript:alert(‘test’)”>
and this gets run on the current page when clicked. It also seems to run in the context of … Continue reading Does CSP block javascript in <a href> tags?
Following this question, is there a way to prevent this code from redirecting users to domains not whitelisted?
const form = document.getElementsByTagName(‘form’)[0];
form.addEventListener(‘submit’, stealCredentials);
func… Continue reading Prevent javascript cross-origin redirect by window.location.href
We are developing a kind of social platform. It starts as a closed beta for a limited number of users, but the goal is to reach millions of subscriptions.
We are currently limited on resources, both infrastructure and e.g. D… Continue reading Can I trust public code versioning platforms when building a social platform?