content security policy – Page 17

Prevent iframe from inheriting CSP headers

Posted on November 5, 2018 by alxers

I have an angular 6 application where Content Security Policy headers are applied via a meta tag.

On one of the pages there is an iframe for which those headers should not be applied.

For some reason parent CSP headers are … Continue reading Prevent iframe from inheriting CSP headers→

What are the dangers of "style-src: ‘unsafe-inline’"? [duplicate]

Posted on October 18, 2018 by Anders

This question already has an answer here:

Style attribute XSS without quotes

1 answer

This is a common sight in content s… Continue reading What are the dangers of "style-src: ‘unsafe-inline’"? [duplicate]→

Payment skimmers sneaking on to websites via third party code

Posted on October 12, 2018 by John E Dunn

Whatever Magecart is, it’s been blamed for several high-profile payment card breaches this summer. Continue reading Payment skimmers sneaking on to websites via third party code→

CSP to report HTTP resources?

Posted on September 14, 2018 by user802599

I would like to start introducing a CSP on a site. I would like to start by adding a report only CSP and only reporting on mixed content, for example when an images is loading from HTTP instead of HTTPS.

I have tired the three following:… Continue reading CSP to report HTTP resources?→

How do I control multiply-nested embedding of my iframe?

Posted on September 6, 2018 by Joshua Fox

Domain example1.com embeds my iframe.

Domain example2.com embeds an iframe served from example1.com.

I would set X-Frame-Options: ALLOW FROM *.example1.com as well as Content-Security-Policy with frame-ancestors.

But the… Continue reading How do I control multiply-nested embedding of my iframe?→

What’s the alternative of content security policy (CSP) header in Internet Explorer IE?

Posted on August 13, 2018 by Abhishek Sharma M

As mentioned in the Content Security Policy documentation & from the “supported browsers” page on the CSP site, CSP is not supported in Internet Explorer.

So, if we want to support CSP in our application with all the sup… Continue reading What’s the alternative of content security policy (CSP) header in Internet Explorer IE?→

What attacks does Content Security Policy base-uri protect against?

Posted on August 1, 2018 by jtpereyda

I have read up on base-uri and the HTML base tag, but what exactly is the base-uri CSP is meant to protect against?

Continue reading What attacks does Content Security Policy base-uri protect against?→

Is allowing blob: in Content-Security-Policy a risk?

Posted on July 25, 2018 by cis

Recently, I’ve set Content-Security-Policy headers for my web application. I’ve tried to be as strict as possible. What strikes me most is the fact that I had to allow blob: for connect-src and img-src due to a third-party component. (Both… Continue reading Is allowing blob: in Content-Security-Policy a risk?→

Best way to encrypt user data stored in xml?

Posted on July 13, 2018 by KayJay

First of all I am not very familiar with the world of encryption so please be nice.

I have got a data that should store in an xml using NetDataContractSerializer. This xml file gets the size of from 5MB to 10MB. So I am zi… Continue reading Best way to encrypt user data stored in xml?→

Newsmaker Interview: Scott Helme on Securing the Web

Posted on July 11, 2018 by Tara Seals

Scott Helme, the well-known security researcher, international speaker and the founder of the securityheaders.com and report-uri.com free tools for web security, has devoted himself to improving the security environment of the internet for the past dec… Continue reading Newsmaker Interview: Scott Helme on Securing the Web→