Collaborate Disseminate
While making a payment for a Google service, I noticed that clicking the Verify button (in the screenshot below) would not move to the next screen.
Curious, I opened up the developer console and noticed two calls to https://224.32.32.221/… Continue reading Why would Google Pay try to fetch data from an IP address over SSL? [closed]
I’m trying unsuccessfully to set a cookie in an iframe cross-domain. I’ve found elsewhere (https://stackoverflow.com/questions/2117248/setting-cookie-in-iframe-different-domain, https://stackoverflow.com/questions/4701922/how-does-facebook… Continue reading Set cookie inside iFrame domain not seen
I am currently working as system integrator for a banking company, that asked me to provide an authentication integration on a third party website on which the company would like to redirect users, but recognizing them as already authentic… Continue reading Cross-domain login authentication
Both Cross-Origin-Embedder-Policy and Content-Security-Policy seem to do pretty similar things: they restrict the document from loading certain types of subresources (e.g. cross-origin subresources). Why is COEP necessary when we already h… Continue reading What does COEP do that CSP doesn’t already do?
I am building a website with a separate Javascript frontend and a Django backend. My backend uses CSRF protection.
Now the problem is that the CSRF token is being set on the client side as a cookie on the backend’s domain, e.g. api.example… Continue reading How to access CSRF token in fronted when API is on different domain?
COOP: cross origin opener policy
COEP: Cross origin embedder policy
Most of the articles on the web, related to COOP / COEP, point to the fact that by enabling COOP / COEP , your web page can use the sharedArrayBuffer and some other precis… Continue reading COOP and COEP: Is there an advantage to enabling COOP / COEP if I don’t need to use the sharedArrayBuffer or other features?
We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active use… Continue reading I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?
I have a website where I am blocking it from being loaded via iframe into other websites.
What I want is to keep this in place, but allow certain URLs from my website, to be iframed anywhere.
For example, allowing these to be iframed:
htt… Continue reading X-Permitted-Cross-Domain-Policies – allow certain URL patterns
In a browser I want to use SublteCrypto (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) to create a key pair and store it locally in the IndexedDB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API).
Storing th… Continue reading SubtleCrypto with non-extractable keys stored in IndexedDB – Cross Origin Usage
When using postMessage it’s important to define a targetOrigin to ensure we don’t leak data to other sites.
It’s equally important to check the origin when receiving a message to prevent other sites from triggering our scripts.
But, if we’… Continue reading Is it secure to use window.origin with postMessage?