New in the forum:
CSP problem with Matomo
I have no patience for dealing with the #RubyOnRails core team, but if •you• do, then…
It would be super if it were possible to append values to the #ContentSecurityPolicy configuration. For example:
```ruby
Rails.application.configure do
  config.content_security_policy do |policy|
    policy.script_src :self, :https
    if Rails.env.development?
      policy.script_src << :unsafe_inline
    end
  end
end
```
Template initializer source: https://github.com/rails/rails/blob/main/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt
Any #ContentSecurityPolicy experts around?
For my site I have:
<meta http-equiv="Content-Security-Policy" content="default-src https: data: 'unsafe-eval' 'unsafe-inline'; object-src 'none'">
Mozilla Observatory tells me:
Remove unsafe-inline and data: from script-src, overly broad sources from object-src and script-src, and ensure object-src and script-src are set.
And if I set:
Content-Security-Policy: default-src 'self';
it breaks my site, but I can't see why. Could someone tell me what I need to write, given that all the resources are on my site?
Thanks :)
Apropos of nothing, can anyone recommend any services that aggregate CSP policy reports that are suitable for hobby websites? (i.e. are free, because I just want to do the right thing where I can, and don't care enough to pay for it because it's not vital to operations)
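An added example (not code from any of the posts above) for the two questions just raised: why the Observatory complains about script-src when only default-src is set, and how to make sense of the violation reports a Content-Security-Policy-Report-Only header produces before an enforced `default-src 'self'` goes live. The helpers, the hostnames and the report bodies below are all constructed; none of them are a browser or library API.

```javascript
'use strict';
// Added example, not code from any post on this page. Two small helpers:
//  - parsePolicy/effectiveSources: which source list a fetch directive really
//    gets when it is not set explicitly (it falls back to default-src).
//  - aggregateReports: summarise the violation reports browsers POST to a
//    report-uri endpoint, so a Content-Security-Policy-Report-Only rollout of
//    "default-src 'self'" shows what will break before it is enforced.

// Fetch directives that fall back to default-src when absent. Simplified:
// the child-src/frame-src/worker-src and *-elem/*-attr chains are omitted.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'manifest-src',
]);

// Parse a policy string into Map<directive, [sources]>. Browsers honour only
// the first occurrence of a directive, so duplicates are ignored here too.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that applies to `name`; null means the directive is
// unrestricted because neither it nor default-src is set.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Normalise one report body (application/csp-report shape). Returns null for
// anything that is not a well-formed report: the endpoint is public and
// receives arbitrary POSTs, so never trust the shape.
function parseReport(body) {
  const r = body && body['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const directive = r['effective-directive'] || r['violated-directive'];
  if (typeof directive !== 'string' || directive === '') return null;
  const blocked = typeof r['blocked-uri'] === 'string' ? r['blocked-uri'] : '';
  // "inline" and "eval" are not hosts: an inline script/style or a
  // string-to-code call was blocked, which no host allowlist will fix.
  let source = blocked || 'inline';
  if (blocked !== 'inline' && blocked !== 'eval' && blocked !== '') {
    try {
      const url = new URL(blocked);
      // Keep only the origin for http(s); other schemes (data:, blob:) keep
      // just the scheme, which is what a policy would have to allow.
      source = url.protocol.startsWith('http') ? url.origin : url.protocol;
    } catch {
      source = blocked; // Chrome reports bare "data" / "blob" without a colon
    }
  }
  // Older reports put the whole directive with its sources in violated-directive.
  return { directive: directive.split(/\s+/)[0], source };
}

// Count reports per (directive, source) pair and track malformed bodies.
function aggregateReports(bodies) {
  const counts = new Map();
  let malformed = 0;
  for (const body of bodies) {
    const parsed = parseReport(body);
    if (parsed === null) { malformed += 1; continue; }
    const key = `${parsed.directive} ${parsed.source}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return { counts, malformed };
}

// Constructed sample: what a Report-Only "default-src 'self'" might send for
// a site with inline scripts, an inline style block, a CDN script and a
// data: image. Hostnames are placeholders.
const POLICY_UNDER_TEST = "default-src 'self'";
const report = (directive, blocked) => ({
  'csp-report': {
    'document-uri': 'https://example.test/',
    'violated-directive': directive,
    'effective-directive': directive,
    'original-policy': POLICY_UNDER_TEST,
    'blocked-uri': blocked,
  },
});
const SAMPLE_REPORTS = [
  report('script-src', 'inline'),
  report('script-src', 'inline'),
  report('script-src', 'https://cdn.example.test/lib.js?v=3'),
  report('style-src', 'inline'),
  report('img-src', 'data'),
  { not: 'a report' },
];

const summary = aggregateReports(SAMPLE_REPORTS);
for (const [key, n] of [...summary.counts].sort((a, b) => b[1] - a[1])) {
  console.log(`${String(n).padStart(4)}  ${key}`);
}
console.log(`malformed bodies: ${summary.malformed}`);
```

Feeding the meta-tag policy from the question into `parsePolicy` and asking for `script-src` returns the `default-src` list, `'unsafe-inline'` and `data:` included, which is exactly what the Observatory message is pointing at. The aggregate for the Report-Only sample shows the usual reasons `default-src 'self'` "breaks" a site: inline scripts and styles (which need nonces, hashes or moving into files rather than a host entry) and resources that are not actually served from the same origin.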
New in the forum:
Instance for patched extensions – how do you handle it?
https://forum.t3academy.de/d/657-instanz-fuer-gepachte-extensions-wie-macht-ihr-das
#t3academyforum #TYPO3Extension #ContentSecurityPolicy
#contentsecuritypolicy #csp is an important additional line of defense for a #webapplication to protect the #security and #privacy of your users. You can add them to any web application (even if you do not have the code!). More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content security policy for #wordpress: https://jornfranke.codeberg.page/technology-tutorials/wordpress-csp/
Content security policy for your own #springboot and #angular application: https://codeberg.org/ZuInnoTe/spring-boot-angular-example
Excellent. I figured out why Mastodon didn't work on Firefox. Apparently ANY tool that either changes the format of the webpage (disables javascript) including things that change the format (css) can cause catastrophe.
The solution for me was adding all mastodon-type pages to the black-list for 'bionic reader'.
Today in ridiculous Web browser bugs:
Setting up CSP headers closer to the client helps - setting up CSP headers as meta tags inside the index.html. This is protecting your website as early in the process as possible.
@qubyte I've written down my experience in a blog post and created a sample repository https://lennybacon.com/posts/jsmodulesimportmapsandcontentsecuritypolicy/
#CSP #ContentSecurityPolicy #ImportMaps #EcmaScript #ECMAScriptModules
Our first #OpenSource release since our company was legally constituted. Not a big deal, but sort of a milestone :D.
A package to improve the security of your Astro site against #XSS attacks:
https://www.npmjs.com/package/@kindspells/astro-sri-csp
#Astrobuild #WithAstro #ContentSecurityPolicy #SubresourceIntegrity #WebSecurity
This is a great article to familiarize yourself with the Content Security Policy (#CSP) security concept. Many thanks to #b13 for sharing the well-founded information. #TYPO3 #CyberSecurity #ContentSecurityPolicy
https://b13.com/blog/introduction-to-content-security-policy-csp
Implementing a halfway decent #contentsecuritypolicy is like herding cats.
The sheer number of random domains that third party services use is insane.
It's 2024 and modern #javascript libraries still need you to allow unsafe-eval
in your #contentsecuritypolicy :(
i'm annoyed that a good #contentSecurityPolicy doesn't let me just dump raw #javascript into #html anymore. that was really convenient.
How do I build a Content Security Policy (CSP) that doesn't break the whole website? :D
#ContentSecurityPolicy #CSP #ITSicherheit #Webseiten #Website #Followerpower
Today I learned about Google's CSP evaluator.
Feed it a Content Security Policy or a link to a website where it can infer one, and it will evaluate it.
Looking into the current state-of-the-art for #NodeJS security and I'm kind of baffled by how primitive it is compared to browsers.
* No #TrustedTypes.
* No `SafeHtml`.
* No #ContentSecurityPolicy.
* No permission abstractions.
* Not even a way to ban `eval()`.
Best thing I've found is `--frozen-intrinsics`, which is interesting, and I don't think there's a browser equivalent. You still have to freeze `globalThis` though to get much value out of it.
https://nodejs.org/en/docs/guides/security/#monkey-patching-cwe-349
There are also some interesting security policies, which look like they have a lot of potential. However they're all experimental right now and seem focused on code integrity.
https://nodejs.org/api/permissions.html
Is this really the state-of-the-art for #Node security right now? Am I missing something?