Collaborate Disseminate
If my Content-Security-Policy is set to the following:
Content-Security-Policy: frame-ancestors ‘self’
Does it also imply:
Content-Security-Policy: default-src ‘self’
Or is it a lot safer to put both rules?
Content-Security-Policy: defau… Continue reading Is the "same-origin" implied when using "frame-ancestor" in the CSP header?
Goal
Authenticate the Client via HTTP Request.
Authenticate the Client’s WebSocket connection.
Prevent exploitation of WebSocket connection(when a XSS Vulnerability is present on website).
How I’m doing this
Step 1 Client visits the webs… Continue reading Securing a Websocket Connection in case of XSS Vulnerability
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
SameSite=Strict & Lax are a very good pr… Continue reading Would "same-origin cookies" make sense?
Take an example of google maps. google maps provides a javascript client SDK, which means any web app running javascript can access the google maps sdk. You need to use an API_KEY so that google can rate limit your requests, and apply some… Continue reading How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?
Since application is not responding with allow credentials header, an attacker can’t craft cross domain request with cookies, but I was wondering if allow origin * alone (Without credentials being true) can be exploited?
I know allow origi… Continue reading Is there an issue if application responds with access control allow origin * but there is no allow credentials header?
I’m testing this application which is properly validating origin header on the sever side. However, if I add any domain and the expect domain as port, application still consider this valid.
Origin: https://random-domain.com:expected-domain… Continue reading Can the Origin header have alphabetical port or parameters in a real-life scenario?
I’ve always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I’m having a hard time wrapping my head around how a bad actor could trick it.
I… Continue reading How do hackers trick frontend validation?
I know there are lots of posts on the same origin policy, but I specifically want to understand why it can’t be done in this simpler way.
If evil.com makes sends a request to bank.com, browsers will not add cookies (so unauthenticated). No… Continue reading A potentially simpler same origin policy?
On a W3Schools page, I found that HTTP requests work like this:
A client (a browser) sends an HTTP request to the web
A web server receives the request, and runs an application to process it
The server returns an HTTP response (output) to… Continue reading Why doesn’t a simple HTTP request to display a remote web page violate the same-origin policy?
Here (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) it is mentioned
The port number is checked separately by the browser. Any call to document.domain, including document.domain = document.domain, causes the por… Continue reading What is meaning of setting port number to NULL in document.domain call?