If I’m using HSTS, can I skip the scheme from my CSP directives?

For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I’m able to save some bytes by wildcarding some subdomains, but I’m also tempted to strip out all instances of https://.
Example:
connect-src 's…
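The question turns on how a host-source without a scheme is matched. Under CSP3 a scheme-less host-source inherits the scheme of the page's own origin, and an expression scheme of http also matches https (ws also matches wss), so on an HTTPS page "cdn.example" and "https://cdn.example" admit the same set of URLs. The following is an added example, not code from the question or its answers: a simplified JavaScript implementation of CSP3 host-source matching that makes that rule visible. Hostnames such as site.example and cdn.example are hypothetical; keywords ('self', nonces, hashes), redirect handling and the http:80 / https:443 port-upgrade special case are left out.

```javascript
// Added example (not from the original question): simplified CSP3 host-source
// matching. Hosts like site.example / cdn.example are hypothetical placeholders.
const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };

// CSP3 "scheme-part match": equal, or the secure upgrade of the expression's scheme.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http' && urlScheme === 'https') ||
    (exprScheme === 'ws' && urlScheme === 'wss');
}

// Parse "https://*.cdn.example:443/assets/" style host-sources, or a bare
// scheme-source such as "https:". Keywords/nonces/hashes return null (not handled).
function parseSource(expr) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return { scheme: schemeOnly[1].toLowerCase(), host: null };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() : null, // null = inherit the page's scheme
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// "*.cdn.example" matches subdomains only, never the bare domain itself.
function hostMatches(exprHost, urlHost) {
  if (exprHost === '*') return true;
  if (exprHost.startsWith('*.')) {
    const suffix = exprHost.slice(1); // ".cdn.example"
    return urlHost.length > suffix.length && urlHost.endsWith(suffix);
  }
  return exprHost === urlHost;
}

// Does a single source expression allow urlString when the page's origin is pageOrigin?
function sourceMatches(expr, urlString, pageOrigin) {
  const src = parseSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1);
  if (src.host === null) return schemeMatches(src.scheme, urlScheme); // scheme-source

  // The rule the question is about: with no explicit scheme the page's own
  // scheme is used, so on an https: page "cdn.example" does NOT match http://cdn.example.
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  if (!schemeMatches(src.scheme ?? pageScheme, urlScheme)) return false;
  if (!hostMatches(src.host, url.hostname)) return false;

  // Port: absent in the expression means the URL must use its scheme's default
  // (URL() already normalises an explicit default port to ""); "*" matches any.
  const urlPort = url.port || DEFAULT_PORT[urlScheme] || '';
  if (src.port === null) {
    if (url.port !== '') return false;
  } else if (src.port !== '*' && src.port !== urlPort) {
    return false;
  }

  // Path: trailing "/" is a prefix match, otherwise exact.
  if (src.path !== null) {
    if (src.path.endsWith('/')) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Evaluate a whole directive value, e.g. the value of connect-src.
function directiveAllows(directiveValue, urlString, pageOrigin) {
  return directiveValue.trim().split(/\s+/).some((e) => sourceMatches(e, urlString, pageOrigin));
}

// Stand-alone demonstration for an HTTPS page that dropped "https://" from its sources.
console.log(directiveAllows('cdn.example *.api.example', 'https://cdn.example/v1', 'https://site.example')); // true
console.log(directiveAllows('cdn.example *.api.example', 'http://cdn.example/v1', 'https://site.example'));  // false
```

Two caveats the code makes concrete: the saving is only safe if every page carrying the policy is itself served over HTTPS (HSTS guarantees that for the page's own host, and a scheme-less source on an http: page would also admit plain-http fetches), and a scheme-source such as "https:" on its own is much broader than a scheme-less host-source, so it is not an equivalent shortening.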

Is the HTTPS lock sign displayed if resources are loaded from insecure sites?

We all know that if you visit a secure site which uses https, all modern browsers will show a padlock sign if it has a CA certified certificate. My questions are:

Suppose there is an image loaded in the page from an insecure site (for exa…

Browser Watch: Google Chrome to Block HTTP Downloads

Starting mid-2020, you won’t be able to download certain files on Chrome — here’s why. Time after time, we’ve witnessed browser giants making security-related decisions that have a significant impact…

Can an img with src=http be intercepted to insert onerror attribute to execute JS?

If a webpage contains <img src="http://example.com" />, can a MITM attack intercept the http traffic and return something like a" onerror="alert(1), so that it turns the img into <img src="a" onerror="alert(1)" />…

How do I let users point to their own images, yet avoid Mixed Content warnings?

I allow users of my webapp to provide a URL for their own images. They can also provide CSS which may contain URLs to images.

If these URLs are HTTP then the browser does not show the padlock in the URL bar.

What is the best practice for…
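The usual answer is to never let the page issue the http:// request at all: accept https:// image URLs as they are, route http:// ones through a same-origin HTTPS image proxy (the camo pattern), and reject every other scheme, applying the same normalisation to url() references in user CSS. The following is an added example and not code from the question or its answers; "/img-proxy" is a hypothetical endpoint that would fetch the insecure image server-side and re-serve it, and the hostnames are placeholders. Before deploying such a proxy it needs its own protections (signed URLs so it is not an open proxy, size and content-type limits), which are noted in comments but not implemented here.

```javascript
// Added example (not from the original question): normalise user-supplied image
// URLs so an HTTPS page never triggers a mixed-content (http://) request.
// "/img-proxy" is a hypothetical same-origin endpoint that fetches the http://
// image server-side and returns it over HTTPS. In production it should require
// an HMAC-signed URL and enforce size/type limits so it cannot be abused as an
// open proxy; that hardening is out of scope for this snippet.
const PROXY_BASE = '/img-proxy';

// Returns a URL safe to embed on an HTTPS page, or null if the input is rejected.
function rewriteImageUrl(raw, proxyBase = PROXY_BASE) {
  let url;
  try {
    url = new URL(raw); // relative and malformed URLs are rejected outright
  } catch {
    return null;
  }
  if (url.protocol === 'https:') return url.href; // already secure: pass through
  if (url.protocol === 'http:') {
    // Would be mixed content if fetched directly: route through the HTTPS proxy.
    return `${proxyBase}?url=${encodeURIComponent(url.href)}`;
  }
  return null; // data:, javascript:, file: etc. are not accepted as remote images
}

// Matches url(...) tokens in CSS, quoted or unquoted; URLs containing parentheses
// or quotes are deliberately not matched and therefore left for a stricter parser.
const CSS_URL = /url\(\s*(['"]?)([^'"()\s]*)\1\s*\)/gi;

// Rewrite every url() in user CSS. Rejected references become the keyword
// "none" (valid for background-image, list-style-image and friends) and are
// reported so the caller can tell the user what was dropped.
function rewriteCssUrls(css, proxyBase = PROXY_BASE) {
  const rejected = [];
  const out = css.replace(CSS_URL, (_match, _quote, target) => {
    const safe = rewriteImageUrl(target, proxyBase);
    if (safe === null) {
      rejected.push(target);
      return 'none';
    }
    // WHATWG URL parsing percent-encodes '"' and the proxy value is fully
    // encoded, so the double-quoted form cannot be broken out of.
    return `url("${safe}")`;
  });
  return { css: out, rejected };
}

// Stand-alone demonstration on constructed user input.
const userCss = 'a{background:url(http://x.example/b.png)} ' +
  'b{background:url("https://y.example/c.png")} ' +
  'c{background:url(data:image/png;base64,AAAA)}';
console.log(rewriteImageUrl('http://x.example/avatar.png'));
console.log(rewriteCssUrls(userCss));
```

A policy-level complement is the Content-Security-Policy directive upgrade-insecure-requests, which makes the browser rewrite http:// subresource URLs to https:// before fetching; it only helps when the image host actually serves the same path over HTTPS, which a user-supplied URL gives no guarantee of, so the proxy route is the one that keeps the padlock regardless of where the image lives.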

Should I be concerned about Wayback Machine trying to load scripts from unauthenticated sources?

I regularly use Wayback Machine to help find archived versions of webpages that have been taken down or are otherwise unavailable.

While using the site, I noticed a peculiar warning in Google Chrome’s address bar.

F…