Collaborate Disseminate
Let’s say you serve a website with the header Cross-Origin-Opener-Policy: same-origin. This is a new header that, if I understood it correctly, completely separates a browsing tab/origin to prevent against such low-level attacks like CPU-m… Continue reading Why does Cross-Origin-Opener-Policy prevent opening links to the same-origin/domain when target="_blank" is used?
I noticed www.citi.com website embeds some content from these three sites listed below that are masked by "Domains By proxy LLC" service as per domain lookup (https://www.godaddy.com/whois/results.aspx?domain=a79ab95c1589a13f8a4c… Continue reading Info on domains behind (Domains By Proxy LLC)
While making a payment for a Google service, I noticed that clicking the Verify button (in the screenshot below) would not move to the next screen.
Curious, I opened up the developer console and noticed two calls to https://224.32.32.221/… Continue reading Why would Google Pay try to fetch data from an IP address over SSL? [closed]
I’m trying unsuccessfully to set a cookie in an iframe cross-domain. I’ve found elsewhere (https://stackoverflow.com/questions/2117248/setting-cookie-in-iframe-different-domain, https://stackoverflow.com/questions/4701922/how-does-facebook… Continue reading Set cookie inside iFrame domain not seen
I am currently working as system integrator for a banking company, that asked me to provide an authentication integration on a third party website on which the company would like to redirect users, but recognizing them as already authentic… Continue reading Cross-domain login authentication
Both Cross-Origin-Embedder-Policy and Content-Security-Policy seem to do pretty similar things: they restrict the document from loading certain types of subresources (e.g. cross-origin subresources). Why is COEP necessary when we already h… Continue reading What does COEP do that CSP doesn’t already do?
I am building a website with a separate Javascript frontend and a Django backend. My backend uses CSRF protection.
Now the problem is that the CSRF token is being set on the client side as a cookie on the backend’s domain, e.g. api.example… Continue reading How to access CSRF token in fronted when API is on different domain?
COOP: cross origin opener policy
COEP: Cross origin embedder policy
Most of the articles on the web, related to COOP / COEP, point to the fact that by enabling COOP / COEP , your web page can use the sharedArrayBuffer and some other precis… Continue reading COOP and COEP: Is there an advantage to enabling COOP / COEP if I don’t need to use the sharedArrayBuffer or other features?
We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active use… Continue reading I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?
I have a website where I am blocking it from being loaded via iframe into other websites.
What I want is to keep this in place, but allow certain URLs from my website, to be iframed anywhere.
For example, allowing these to be iframed:
htt… Continue reading X-Permitted-Cross-Domain-Policies – allow certain URL patterns