CSP: Allow inline scripts while blocking javascript: in iframe src

We wan’t to prevent attacks comming in from src attribute "javascript:" but still allow lnline script tags.
Currently the only option is to add sha-hash’s but there are too many inline scripts to do this.
Unfortunately we can’t m… Continue reading CSP: Allow inline scripts while blocking javascript: in iframe src

Implications of SHA256 implementation producing false / unexpected hashes

I found that one of our programs uses an sha256 implementation, that produces different hashes for same inputs, compared to standard libraries (in this case compared to node:crypto and Web Crypto API.
The hashes are different for character… Continue reading Implications of SHA256 implementation producing false / unexpected hashes

CSP for Single Page App: Use client-side nonce for securing iframe content

Goal I’d like to tighten my Content Security Policy.
Situation
I have a single page react application (= All code and styles are bundled together into a bundle.js file). The file is simply placed on a file storage server (Concrete: S3 buck… Continue reading CSP for Single Page App: Use client-side nonce for securing iframe content