Collaborate Disseminate
I have a web app that is built using Vite for the react front-end part and uses .net API backend. The backend also configures a static file service for the prebuild frontend files but otherwise implements the API that the front-end is heav… Continue reading Content security policy for script-src directive
Why does Firefox tell me
Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’
when Mozilla’s documentation says they’ve implemented it?
The meta tag Firefox is complaining about:
<meta http-equiv=”Con… Continue reading Firefox warning: Content Security Policy: Couldn’t process unknown directive ‘require-sri-for’
Subresource integrity basically lets me know that a resource I’m about to download is valid, because the hash of its contents matches what I expect.
But this assumes that I’m already running on some trusted and verified code… Continue reading How does subresource integrity actually help?
I have been trying to move my site to hash-source CSP instead of host-source CSP to verify integrity of files distributed by a CDN.
I have a WebWorker running in the background, which imports a few scripts from a CDN via t… Continue reading WebWorker Hash-Source CSP importScripts
In my Content Security Policy I have included require-sri-for script. However, in the Chrome console I get a notice (not an error, just info):
The Content-Security-Policy directive ‘require-sri-for’ is implemented behind … Continue reading Why does Chrome tell me that the CSP ‘require-sri-for’ directive is implemented behind a flag which is currently disabled?
Can someone elaborate on the attacks alluded to in this paragraph from the W3C SubResource Integrity spec?
In order to mitigate an attacker’s ability to read data cross-origin by brute-forcing values via integrity checks, responses are… Continue reading What attacks are mitigated by requiring CORS for subresource integrity verification?