Collaborate Disseminate
Just want to settle a debate I’m having with someone.
Suppose there is no SOP. Via an XSS exploit, code can run on website A.com and submit an XHR request to B.com. Suppose B.com stores an auth token in an HTML page (maybe to interface wit… Continue reading Does SOP prevent a class of CSRF attacks?
If my Content-Security-Policy is set to the following:
Content-Security-Policy: frame-ancestors ‘self’
Does it also imply:
Content-Security-Policy: default-src ‘self’
Or is it a lot safer to put both rules?
Content-Security-Policy: defau… Continue reading Is the "same-origin" implied when using "frame-ancestor" in the CSP header?
Goal
Authenticate the Client via HTTP Request.
Authenticate the Client’s WebSocket connection.
Prevent exploitation of WebSocket connection(when a XSS Vulnerability is present on website).
How I’m doing this
Step 1 Client visits the webs… Continue reading Securing a Websocket Connection in case of XSS Vulnerability
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
SameSite=Strict & Lax are a very good pr… Continue reading Would "same-origin cookies" make sense?
Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can rate limit your requests, and apply some… Continue reading How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?
Since application is not responding with allow credentials header, an attacker can’t craft cross domain request with cookies, but I was wondering if allow origin * alone (Without credentials being true) can be exploited?
I know allow origi… Continue reading Is there an issue if application responds with access control allow origin * but there is no allow credentials header?
I’m testing this application which is properly validating origin header on the sever side. However, if I add any domain and the expect domain as port, application still consider this valid.
Origin: https://random-domain.com:expected-domain… Continue reading Can the Origin header have alphabetical port or parameters in a real-life scenario?
I’ve always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I’m having a hard time wrapping my head around how a bad actor could trick it.
I… Continue reading How do hackers trick frontend validation?
I know there are lots of posts on the same origin policy, but I specifically want to understand why it can’t be done in this simpler way.
If evil.com makes sends a request to bank.com, browsers will not add cookies (so unauthenticated). No… Continue reading A potentially simpler same origin policy?
On a W3Schools page, I found that HTTP requests work like this:
A client (a browser) sends an HTTP request to the web
A web server receives the request, and runs an application to process it
The server returns an HTTP response (output) to… Continue reading Why doesn’t a simple HTTP request to display a remote web page violate the same-origin policy?