- Dec 2023
-
developers.google.com developers.google.com
-
Warning: Do not accept plain user IDs, such as those you can get with the GoogleUser.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.
-
- Sep 2023
- Aug 2023
-
kit.svelte.dev kit.svelte.dev
-
```js // CSP svelte.config.js
/* @type {import('@sveltejs/kit').Config} / const config = { kit: { csp: { directives: { 'script-src': ['self'] }, reportOnly: { 'script-src': ['self'] } } } };
export default config; ```
-
-
developer.mozilla.org developer.mozilla.org
-
www.w3.org www.w3.org
- May 2023
-
Tags
- http:header=strict-transport-security
- wikipedia:en=Clickjacking
- http:header=x-content-type-options
- http:header=x-frame-options
- http:header=referrer-policy
- wikipedia:en=Man-in-the-middle_attack
- http
- hsts
- wikipedia:en=Data_breach
- csp
- security
- http:header=content-security-policy
- sri
- wikipedia:en=Cross-site_request_forgery
- wikipedia:en=Session_hijacking
Annotators
URL
-
- Sep 2021
-
www.reddit.com www.reddit.com
-
t's also why it is so annoying to people who actually know what they are doing, when randomly the browser decides to take over a function provided for decades by the OS network stack, and with no notice start bypassing all the infrastructure they set up to their liking (like your hosts file) and funelling all their browsing habits to some shady company (Cloudflare).
-
-
-
Cheek, N. N., Reutskaja, E., & Schwartz, B. (2021). Balancing the Freedom-Security Tradeoff During Crises and Disasters [Preprint]. PsyArXiv. https://doi.org/10.31234/osf.io/8y2zt
-
- Feb 2021
-
www.sciencedirect.com www.sciencedirect.com
-
Partha, D., & David, P. A. (1994). Toward a new economics of science. Research Policy, 23(5), 487–521. https://doi.org/10.1016/0048-7333(94)01002-1
-
-
medium.com medium.com
-
I have a Content Security Policy!Oh, do you now.And did somebody tell you that this would prevent malicious code from sending data off to some dastardly domain? I hate to be the bearer of bad news, but the following four lines of code will glide right through even the strictest content security policy.
-
- Jan 2021
-
-
atomiks.github.io atomiks.github.ioThemes1
-
The CSS automatically gets injected into <head> with the CDN (tippy-bundle). With CSP enabled, you may need to separately link dist/tippy.css and use dist/tippy.umd.min.js instead.
-
- Nov 2020
-
img1.wsimg.com img1.wsimg.com
-
github.com github.com
-
If your Svelte components contain <style> tags, by default the compiler will add JavaScript that injects those styles into the page when the component is rendered. That's not ideal, because it adds weight to your JavaScript, prevents styles from being fetched in parallel with your code, and can even cause CSP violations. A better option is to extract the CSS into a separate file. Using the emitCss option as shown below would cause a virtual CSS file to be emitted for each Svelte component. The resulting file is then imported by the component, thus following the standard Webpack compilation flow.
-
- Oct 2020
-
covid-19.iza.org covid-19.iza.org
-
IZA – Institute of Labor Economics. ‘COVID-19 and the Labor Market’. Accessed 6 October 2020. https://covid-19.iza.org/publications/dp13650/.
Tags
- is:report
- men
- disadvantaged minorities
- labour market
- less educated
- American Community Survey
- demographic market
- COVID-19
- frontline workers
- researchers
- lang:en
- social insurance
- policy makers
- Hispanics
- lockdown
- safety net policy
- microdata
- lower wages
- Department of Homeland Security (DHS)
- essential workers
- immigrants
Annotators
URL
-
- Jul 2020
-
www.thelancet.com www.thelancet.com
-
Barlow, Pepita, Rachel Loopstra, Valerie Tarasuk, and Aaron Reeves. “Liberal Trade Policy and Food Insecurity across the Income Distribution: An Observational Analysis in 132 Countries, 2014–17.” The Lancet Global Health 8, no. 8 (August 1, 2020): e1090–97. https://doi.org/10.1016/S2214-109X(20)30263-1.
-
- Jun 2020
-
www.forbes.com www.forbes.com
-
On April 24, the U.S. National Security Agency published an advisory document on the security of popular messaging and video conferencing platforms. The NSA document “provides a snapshot of best practices,” it says, “coordinated with the Department of Homeland Security.” The NSA goes on to say that it “provides simple, actionable, considerations for individual government users—allowing its workforce to operate remotely using personal devices when deemed to be in the best interests of the health and welfare of its workforce and the nation.” Again somewhat awkwardly, the NSA awarded top marks to WhatsApp, Wickr and Signal, the three platforms that are the strongest advocates of end-to-end message encryption. Just to emphasize the point, the first criteria against which NSA marked the various platforms was, you guessed it, end-to-end encryption.
-
- May 2020
-
csp.withgoogle.com csp.withgoogle.com
-
However, it's possible to enforce both a whitelist and nonces with 'strict-dynamic' by setting two policies:
-
-
www.w3.org www.w3.org
-
sadness.js will not load, however, as document.write() produces script elements which are "parser-inserted".
Tags
Annotators
URL
-
-
developer.chrome.com developer.chrome.comjudell1
-
If a user clicks on that button, the onclick script will not execute. This is because the script did not immediately execute and code not interpreted until the click event occurs is not considered part of the content script, so the CSP of the page (not of the extension) restricts its behavior. And since that CSP does not specify unsafe-inline, the inline event handler is blocked.
-
-
www.iubenda.com www.iubenda.com
-
-
Remember that nonces must be regenerated for every page request and they must be unguessable.
-
-
www.givelify.com www.givelify.com
Tags
Annotators
URL
-
-
-
I will need to find a workaround for one of my private extensions that controls devices in my home network, and its source code cannot be uploaded to Mozilla because of my and my family's privacy.
-
- Apr 2020
-
guides.rubyonrails.org guides.rubyonrails.org
-
When sanitizing, protecting or verifying something, prefer whitelists over blacklists.
-
-
www.troyhunt.com www.troyhunt.com
-
Q. I would like a copy of my data from a breach, can you please send it to me? A. No, I cannot Q. I have a breach I would like to give you in exchange for “your” breach, can you please send it to me? A. No, I cannot Q. I’m a security researcher who wants to do some analysis on the breach, can you please send it to me? A. No, I cannot Q. I’m making a searchable database of breaches; can you please send it to me? A. No, I cannot Q. I have another reason for wanting the data not already covered above, can you please send it to me? A. No, I cannot
-
-
www.nature.com www.nature.com
-
McKee, M., Stuckler, D. If the world fails to protect the economy, COVID-19 will damage health not just now but also in the future. Nat Med (2020). https://doi.org/10.1038/s41591-020-0863-y
-
-
lsts.research.vub.be lsts.research.vub.be
-
-
The fact is that it doesn’t matter if you can see the threat or not, and it doesn’t matter if the flaw ever leads to a vulnerability. You just always follow the core rules and everything else seems to fall into place.
-
-
www.troyhunt.com www.troyhunt.com
-
www.troyhunt.com www.troyhunt.com
-
trim off a bunch of excessive headers such as the content security policy HIBP uses (that's of no use to a lone API endpoint).
-
- Nov 2019
-
csp.withgoogle.com csp.withgoogle.com
-
Why can't I keep using script whitelists in CSP? The traditional approach of whitelisting domains from which scripts can be loaded is based on the assumption that all responses coming from a trusted domain are safe, and can be executed as scripts. However, this assumption does not hold for modern applications; some common, benign patterns such exposing JSONP interfaces and hosting copies of the AngularJS library allow attackers to escape the confines of CSP.
Tags
Annotators
URL
-
-
stackoverflow.com stackoverflow.com
-
However, a broader problem is that your script-src whitelist includes domains that host Javascript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).
-
- Sep 2019
-
github.com github.com
-
github.com github.com
-
developers.google.com developers.google.com
-
csp.withgoogle.com csp.withgoogle.com
- Feb 2016
-
github.com github.com
-
In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config
Websites using Content Security Policy can be annoted with hypothes.is in Firefox by switching (in about:config ) security.csp.enable to false
-