13 Matching Annotations
  1. May 2020
    1. However, it's possible to enforce both a whitelist and nonces with 'strict-dynamic' by setting two policies:
    1. sadness.js will not load, however, as document.write() produces script elements which are "parser-inserted".
  2. developer.chrome.com
    1. If a user clicks on that button, the onclick script will not execute. This is because the script did not immediately execute and code not interpreted until the click event occurs is not considered part of the content script, so the CSP of the page (not of the extension) restricts its behavior. And since that CSP does not specify unsafe-inline, the inline event handler is blocked.
  3. Apr 2020
  4. Nov 2019
    1. Why can't I keep using script whitelists in CSP? The traditional approach of whitelisting domains from which scripts can be loaded is based on the assumption that all responses coming from a trusted domain are safe, and can be executed as scripts. However, this assumption does not hold for modern applications; some common, benign patterns such as exposing JSONP interfaces and hosting copies of the AngularJS library allow attackers to escape the confines of CSP.
    1. However, a broader problem is that your script-src whitelist includes domains that host Javascript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).
  5. Sep 2019
  6. Feb 2016
    1. In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config

      Websites using Content Security Policy can be annotated with hypothes.is in Firefox by switching (in about:config) security.csp.enable to false
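The annotations above quote three distinct CSP behaviours: the MDN two-policy trick for combining 'strict-dynamic' with a host whitelist, the CSP3 rule that document.write() produces parser-inserted scripts that 'strict-dynamic' does not trust, and the Google FAQ point that a whitelisted CDN hosting AngularJS turns markup injection into script execution. The following is an added example, not code from MDN, developer.chrome.com or Google's CSP guide: a small offline model of the CSP3 script-src decision (nonces, 'strict-dynamic', 'unsafe-inline', host sources, and the intersection of multiple policies) plus an audit that flags the whitelist problem. The page origin `SELF_ORIGIN`, the script descriptor shape (`src`, `nonce`, `parserInserted`) and the `RISKY_HOSTS` list are assumptions of this example; only cdnjs.cloudflare.com is named on the page. Hash sources are detected but not matched, and 'unsafe-eval' and other directives are ignored.

```javascript
// Added example modelling the CSP3 script-src rules quoted in the annotations.
// Not code from any of the annotated pages; simplified on purpose.

const SELF_ORIGIN = "https://app.example";             // assumed origin of the protected page
const RISKY_HOSTS = new Set(["cdnjs.cloudflare.com"]); // hosts AngularJS (named in the Google FAQ)

// Parse one Content-Security-Policy header value into { directive: [sources] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// script-src, falling back to default-src; null means scripts are unrestricted.
function scriptSources(policy) {
  return policy["script-src"] ?? policy["default-src"] ?? null;
}

// Does a scheme-source (https:) or host-source (https://cdn.example, *.example:8443) match url?
function hostSourceMatches(source, url) {
  const u = new URL(url);
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  const urlPort = u.port || (u.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== urlPort) return false;
  const h = host.toLowerCase();
  return h.startsWith("*.") ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
}

// CSP3 decision for a single policy. script = { src?, nonce?, parserInserted? }.
// Inline scripts (including inline event handlers) have no src. Scripts a trusted
// script creates with createElement()/appendChild() are non-parser-inserted;
// document.write() and markup injection produce parser-inserted scripts.
function allowedByPolicy(sources, script) {
  if (sources === null) return true;
  const has = (s) => sources.includes(s);
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1));
  const hasNonceOrHash = nonces.length > 0 || sources.some((s) => /^'sha(256|384|512)-/.test(s));

  if (script.nonce && nonces.includes(script.nonce)) return true;

  if (has("'strict-dynamic'")) {
    // Host sources and 'unsafe-inline' are ignored; trust propagates only to
    // non-parser-inserted scripts, so document.write()-produced ones are blocked.
    return Boolean(script.src) && script.parserInserted === false;
  }
  if (!script.src) {
    // 'unsafe-inline' is ignored once a nonce or hash is present in the directive.
    return has("'unsafe-inline'") && !hasNonceOrHash;
  }
  return sources.some((s) =>
    s === "'self'" ? hostSourceMatches(SELF_ORIGIN, script.src)
                   : !s.startsWith("'") && hostSourceMatches(s, script.src));
}

// A browser enforces every delivered policy: the script must satisfy all of them.
// This is what makes MDN's "two policies" trick work.
function scriptAllowed(headers, script) {
  return headers.every((h) => allowedByPolicy(scriptSources(parsePolicy(h)), script));
}

// Findings in the spirit of the whitelist FAQ: a host that serves AngularJS/JSONP
// in script-src is a CSP bypass for anyone with a markup injection.
function auditScriptSrc(header) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return ["no script-src or default-src: scripts are unrestricted"];
  const findings = [];
  const strict = sources.includes("'strict-dynamic'");
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strict) {
    findings.push("'unsafe-inline' is effective: any injected inline script runs");
  }
  if (!strict) {
    for (const s of sources) {
      if (s.startsWith("'")) continue;
      const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[:/]/)[0].toLowerCase();
      if (RISKY_HOSTS.has(host)) {
        findings.push(`${s} hosts AngularJS: HTML injection becomes script execution`);
      }
      if (s === "*" || /^https?:$/i.test(s)) findings.push(`${s} allows scripts from any origin`);
    }
  }
  return findings;
}

module.exports = { parsePolicy, scriptSources, hostSourceMatches, allowedByPolicy, scriptAllowed, auditScriptSrc };
```

Usage: `scriptAllowed(["script-src 'nonce-r4nd0m' 'strict-dynamic'", "script-src 'nonce-r4nd0m' https://cdn.example"], { src: "https://evil.example/x.js", parserInserted: false })` returns false, because the second policy still applies its host list even though the first ignores hosts under 'strict-dynamic'; the same script loaded via `document.write()` is blocked by the first policy alone. `auditScriptSrc("script-src 'self' https://cdnjs.cloudflare.com")` reports the Angular host, and the inline-handler case from the Chrome extension annotation is simply an inline script with no nonce evaluated against a policy without 'unsafe-inline'.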