Collaborate Disseminate
Some websites use Content-Security-Policy nonces in order to include inline styling and script in their webpages.
Is the CSP nonce feature designed to be used for production use, or is it simply there as a stop-gap solution … Continue reading Are Content-Security-Policy nonces designed for production use, or as a stop-gap when implementing a CSP?
Following is a CSP policy, for example derived sample response headers.
The implementation below allows white-listed domains only in “script-src” directive but the ‘unsafe-inline’ and ‘unsafe-eval’ directives are also used next ‘self’.
W… Continue reading CSP – Unsafe-inline or unsafe-eval for specific domain is allowed or not
Let’s assume an attacker manages to inject this script in a login page:
const form = document.getElementsByTagName(‘form’)[0];
form.addEventListener(‘submit’, stealCredentials);
function stealCredentials() {
const logi… Continue reading Prevent javascript cross-origin write
I am trying to only allow ‘self’ and ‘https://cdn.jsdelivr.net’ by using:
“add_header Content-Security-Policy “default-src ‘self’; script-src ‘self’ https://cdn.jsdelivr.net”;
I encountered an issue where I am able to lo… Continue reading "Content-Security-Policy" HTTP Header with "default-src ‘self’; script-src ‘self’" not blocking downloading of non specify domain
This question already has an answer here:
How does testing on a Virtual Machine prevent the security tester from breaching the misuse act? [on hold]
1 answer
… Continue reading virtualisation security [duplicate]
I know about inotify but am concerned it would use too many resources.
Is there a better way to monitor a fairly static system (like a web host) for new and unexpected files being created?
Continue reading is there a low-overhead way to log every new file created on a Linux host?
I am reviewing the Content-Security-Policy headers set in one of our webservers and I see this is how it is set (where ‘example.com’ is our trusted website).
Content-Security-Policy: “default-src ‘self’; script-src ‘self… Continue reading Does allowing unsafe-inline script defeat the purpose of CSP?
I created a simple test web application to test the use of the content security policy header. I included a vulnerability in my test app, such that submitting a basic XSS payload with script tags would be reflected back in fu… Continue reading Content Security Policy Header not stopping attack
Content Security Policy (CSP) is an effective client-side security measure that is designed to prevent vulnerabilities such as Cross-Site Scripting (XSS) and Clickjacking. Following the regular discovery of bypass techniques, a group of researcher… Continue reading Negative Impact of Incorrect CSP Implementations
We are trying to find the best way to allow JavaScript in a web application while being safe against XSS.
Site admins have the privilege to insert JavaScript to control the site templates, and publish this to site users. Ho… Continue reading How to safely allow scripts but preventing XSS?