Collaborate Disseminate
Whenever the topic comes up, almost every source recommends to never store authentication tokens in a place where they can be accessed by client-side Javascript. The recommendation is almost always to store them in an http-only cookie to p… Continue reading Is storing authentication tokens in local storage with a strong CSP safe?
We wan’t to prevent attacks comming in from src attribute "javascript:" but still allow lnline script tags.
Currently the only option is to add sha-hash’s but there are too many inline scripts to do this.
Unfortunately we can’t m… Continue reading CSP: Allow inline scripts while blocking javascript: in iframe src
I am new to the concept of Content-Security-Policy (CSP) so please forgive my ignorance.
The site https://securityheaders.com parses headers and provides a score. For example unibet.com is awarded a favorable "A" grading while h… Continue reading Benefit of permissive Content-Security-Policy
Is it necessary to implement both Content-Security-Policy and X-Content-Type-Options for ensuring the security of a website?
I need to run the following inline script to inject some Thymeleaf model variables into a javascript file of mine.
<script th:inline="javascript">
/*<![CDATA[*/
var stripePublicKey = /*[[${stripePublicKey}]]*/ … Continue reading unsafe-hashes an alternatives
What are the risks to allow a "blob:" directive to the script-src CSP? Is it safe?
I have a list of allowed domains defined in script-src, but nonetheless I got an error specifying the violation of the CSP directive when trying t… Continue reading CSP script-scr blob
I found that one of our programs uses an sha256 implementation, that produces different hashes for same inputs, compared to standard libraries (in this case compared to node:crypto and Web Crypto API.
The hashes are different for character… Continue reading Implications of SHA256 implementation producing false / unexpected hashes
I’m currently experiencing an issue where base64 encoded fonts are being blocked by CSP on my website (note that I replaced the base64 with abcdefg in this example:
Refused to load the font ‘data:font/woff2;base64,abcdefg///abcdefg’ becaus… Continue reading Is it safe to use font-src with data: in a Content Security Policy?
Goal I’d like to tighten my Content Security Policy.
Situation
I have a single page react application (= All code and styles are bundled together into a bundle.js file). The file is simply placed on a file storage server (Concrete: S3 buck… Continue reading CSP for Single Page App: Use client-side nonce for securing iframe content
We host a small (.Net) website for our customers; it’s designed to be embedded within both our own hosted pages, and potentially within the customers own web applications (both internal and external). By far the most common way of doing th… Continue reading CSP and X-Frame options for site that is designed to be embedded