techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome
#contentsecuritypolicy
Kunal Mehta<p>New tool: resource-rewriter</p><p><a href="https://lib.rs/crates/resource-rewriter" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lib.rs/crates/resource-rewrite</span><span class="invisible">r</span></a></p><p>It takes a single HTML file with inline styles and scripts and rewrites them to be compatible with a more restrictive Content-Security-Policy (and a few other things).</p><p>I still have a few more things I'd like to add in, like automated CSP generation, a WASM playground and maybe handling style= attributes. A blog post will follow once that's in place :)</p><p><a href="https://wikis.world/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> <a href="https://wikis.world/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://wikis.world/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a></p>
Wolfgang Wagner<p>New in the forum:</p><p>CSP problem with Matomo</p><p><a href="https://t3forum.net/d/899-csp-problem-mit-matomo" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">t3forum.net/d/899-csp-problem-</span><span class="invisible">mit-matomo</span></a></p><p><a href="https://techhub.social/tags/t3academyforum" class="mention hashtag" rel="tag">#<span>t3academyforum</span></a> <a href="https://techhub.social/tags/matomo" class="mention hashtag" rel="tag">#<span>matomo</span></a> <a href="https://techhub.social/tags/contentsecuritypolicy" class="mention hashtag" rel="tag">#<span>contentsecuritypolicy</span></a></p>
Jason Garber<p>I have no patience for dealing with the <a href="https://indieweb.social/tags/RubyOnRails" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RubyOnRails</span></a> core team, but if •you• do, then…</p><p>It would be super if it were possible to append values to the <a href="https://indieweb.social/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> configuration. For example:</p><p>```ruby<br>Rails.application.configure do<br> config.content_security_policy do |policy|<br> policy.script_src :self, :https</p><p> if Rails.env.development?<br> policy.script_src &lt;&lt; :unsafe_inline<br> end<br> end<br>end<br>```</p><p>Template initializer source: <a href="https://github.com/rails/rails/blob/main/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/rails/rails/blob/ma</span><span class="invisible">in/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt</span></a></p>
Wolfgang Wagner<p>New in the forum:</p><p>CSP for external scripts</p><p><a href="https://t3forum.net/d/834-csp-fuer-externe-scripte" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">t3forum.net/d/834-csp-fuer-ext</span><span class="invisible">erne-scripte</span></a></p><p><a href="https://techhub.social/tags/t3academyforum" class="mention hashtag" rel="tag">#<span>t3academyforum</span></a> <a href="https://techhub.social/tags/ContentSecurityPolicy" class="mention hashtag" rel="tag">#<span>ContentSecurityPolicy</span></a> <a href="https://techhub.social/tags/ExterneScripte" class="mention hashtag" rel="tag">#<span>ExterneScripte</span></a></p>
Pasquale 📷 🇫🇷 🦻<p>Any <a href="https://piaille.fr/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> experts around?</p><p>For my site, I have:</p><p>&lt;meta http-equiv="Content-Security-Policy" content="default-src https: data: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"&gt;</p><p>Mozilla Observatory tells me:</p><p>Remove unsafe-inline and data: from script-src, overly broad sources from object-src and script-src, and ensure object-src and script-src are set.</p><p>And if I set:</p><p>Content-Security-Policy: default-src 'self';</p><p>it breaks my site, but I can't see why. Could someone tell me what I need to write, given that all the resources are on my own site?<br>Thanks :)</p>
IBBoard<p>Apropos of nothing, can anyone recommend any services that aggregate CSP policy reports that are suitable for hobby websites? (i.e. are free, because I just want to do the right thing where I can, and don't care enough to pay for it because it's not vital to operations)</p><p><a href="https://hachyderm.io/tags/WebDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDev</span></a> <a href="https://hachyderm.io/tags/Webmaster" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Webmaster</span></a> <a href="https://hachyderm.io/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a> <a href="https://hachyderm.io/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a></p>
Wolfgang Wagner<p>New in the forum:<br />Instance for patched extensions – how do you handle it?<br /><a href="https://forum.t3academy.de/d/657-instanz-fuer-gepachte-extensions-wie-macht-ihr-das" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">forum.t3academy.de/d/657-insta</span><span class="invisible">nz-fuer-gepachte-extensions-wie-macht-ihr-das</span></a><br /><a href="https://techhub.social/tags/t3academyforum" class="mention hashtag" rel="tag">#<span>t3academyforum</span></a> <a href="https://techhub.social/tags/TYPO3Extension" class="mention hashtag" rel="tag">#<span>TYPO3Extension</span></a> <a href="https://techhub.social/tags/ContentSecurityPolicy" class="mention hashtag" rel="tag">#<span>ContentSecurityPolicy</span></a></p>
Jörn Franke<p><a href="https://mastodon.online/tags/contentsecuritypolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>contentsecuritypolicy</span></a> <a href="https://mastodon.online/tags/csp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csp</span></a> is an important additional line of defense for a <a href="https://mastodon.online/tags/webapplication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webapplication</span></a> to protect the <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> and <a href="https://mastodon.online/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> of your users. You can add one to any web application (even if you do not have the code!). More information: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">developer.mozilla.org/en-US/do</span><span class="invisible">cs/Web/HTTP/CSP</span></a></p><p>Content security policy for <a href="https://mastodon.online/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wordpress</span></a>: <a href="https://jornfranke.codeberg.page/technology-tutorials/wordpress-csp/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">jornfranke.codeberg.page/techn</span><span class="invisible">ology-tutorials/wordpress-csp/</span></a></p><p>Content security policy for your own <a href="https://mastodon.online/tags/springboot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>springboot</span></a> and <a href="https://mastodon.online/tags/angular" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>angular</span></a> application: <a href="https://codeberg.org/ZuInnoTe/spring-boot-angular-example" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">codeberg.org/ZuInnoTe/spring-b</span><span class="invisible">oot-angular-example</span></a></p>
Chaoddity<p>Excellent. I figured out why Mastodon didn't work on Firefox. Apparently ANY tool that either changes the format of the webpage (disables javascript) including things that change the format (css) can cause catastrophe.</p><p>The solution for me was adding all mastodon-type pages to the black-list for 'bionic reader'.</p><p><a href="https://mastodon.social/tags/mastodon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mastodon</span></a> <a href="https://mastodon.social/tags/firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>firefox</span></a> <a href="https://mastodon.social/tags/error" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>error</span></a> <a href="https://mastodon.social/tags/contentsecuritypolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>contentsecuritypolicy</span></a></p>
Jason Garber<p>Today in ridiculous Web browser bugs:</p><p><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1773976" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bugzilla.mozilla.org/show_bug.</span><span class="invisible">cgi?id=1773976</span></a></p><p><a href="https://mastodon.cc/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> <a href="https://mastodon.cc/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://mastodon.cc/tags/SVG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SVG</span></a></p>
Pablo's Spot<p>Setting up CSP headers closer to the client helps - setting up CSP headers as meta tags inside the index.html. This is protecting your website as early in the process as possible.</p><p><a href="https://www.youtube.com/watch?v=iHEs4hUIR5Q" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=iHEs4hUIR5</span><span class="invisible">Q</span></a></p><p><a href="https://infosec.exchange/tags/contentsecuritypolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>contentsecuritypolicy</span></a> <a href="https://infosec.exchange/tags/websitesecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>websitesecurity</span></a></p>
Daniel Fisher(lennybacon)<p><span class="h-card" translate="no"><a href="https://mastodon.social/@qubyte" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>qubyte</span></a></span> I've written down my experience in a blog post and created a sample repository <a href="https://lennybacon.com/posts/jsmodulesimportmapsandcontentsecuritypolicy/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lennybacon.com/posts/jsmodules</span><span class="invisible">importmapsandcontentsecuritypolicy/</span></a></p><p><a href="https://infosec.exchange/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a> <a href="https://infosec.exchange/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://infosec.exchange/tags/ImportMaps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ImportMaps</span></a> <a href="https://infosec.exchange/tags/EcmaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EcmaScript</span></a> <a href="https://infosec.exchange/tags/ECMAScriptModules" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ECMAScriptModules</span></a></p>
KindSpells Labs<p>Our first <a href="https://mas.to/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> release since our company was legally constituted. Not a big deal, but sort of a milestone :D.</p><p>A package to improve the security of your Astro site against <a href="https://mas.to/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>XSS</span></a> attacks:<br><a href="https://www.npmjs.com/package/@kindspells/astro-sri-csp" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">npmjs.com/package/@kindspells/</span><span class="invisible">astro-sri-csp</span></a></p><p><a href="https://mas.to/tags/Astrobuild" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Astrobuild</span></a> <a href="https://mas.to/tags/WithAstro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WithAstro</span></a> <a href="https://mas.to/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://mas.to/tags/SubresourceIntegrity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SubresourceIntegrity</span></a> <a href="https://mas.to/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a></p>
Eric Harrer :typo3:<p>This is a great article to familiarize yourself with the Content Security Policy (<a href="https://phpc.social/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a>) security concept. Many thanks to <a href="https://phpc.social/tags/b13" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>b13</span></a> for sharing the well-founded information. <a href="https://phpc.social/tags/TYPO3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TYPO3</span></a> <a href="https://phpc.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://phpc.social/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a><br><a href="https://b13.com/blog/introduction-to-content-security-policy-csp" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">b13.com/blog/introduction-to-c</span><span class="invisible">ontent-security-policy-csp</span></a></p>
Nick Murison<p>It's 2024 and modern <a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> libraries still need you to allow <code>unsafe-eval</code> in your <a href="https://infosec.exchange/tags/contentsecuritypolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>contentsecuritypolicy</span></a> :(</p>
benedikt<p><span class="h-card" translate="no"><a href="https://benedikts.social/@me" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>me</span></a></span> So the missing css look like a <a href="https://mstd.herrbenedikt.de/tags/csp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csp</span></a> issue. </p><p><a href="https://mstd.herrbenedikt.de/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://mstd.herrbenedikt.de/tags/MastoAdmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MastoAdmin</span></a> <a href="https://mstd.herrbenedikt.de/tags/selfhosted" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selfhosted</span></a> <a href="https://mstd.herrbenedikt.de/tags/arghhhhhhh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>arghhhhhhh</span></a></p>
gemma lynn ⇒ ello@void<p>i'm annoyed that a good <a href="https://bsd.network/tags/contentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>contentSecurityPolicy</span></a> doesn't let me just dump raw <a href="https://bsd.network/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> into <a href="https://bsd.network/tags/html" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>html</span></a> anymore. that was really convenient.</p><p><a href="https://bsd.network/tags/csp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csp</span></a> <a href="https://bsd.network/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webdev</span></a> <a href="https://bsd.network/tags/frontend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>frontend</span></a></p>
Toby<p>Today I learned about Google's CSP evaluator.</p><p>Feed it a Content Security Policy or a link to a website where it can infer one, and it will evaluate it.</p><p><a href="https://csp-evaluator.withgoogle.com/" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">csp-evaluator.withgoogle.com/</span><span class="invisible"></span></a></p><p><a href="https://masto.ai/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://masto.ai/tags/CSP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CSP</span></a></p>
Doug Parker 🕸️<p>Looking into the current state-of-the-art for <a href="https://techhub.social/tags/NodeJS" class="mention hashtag" rel="tag">#<span>NodeJS</span></a> security and I&#39;m kind of baffled by how primitive it is compared to browsers.</p><p>* No <a href="https://techhub.social/tags/TrustedTypes" class="mention hashtag" rel="tag">#<span>TrustedTypes</span></a>.<br />* No `SafeHtml`.<br />* No <a href="https://techhub.social/tags/ContentSecurityPolicy" class="mention hashtag" rel="tag">#<span>ContentSecurityPolicy</span></a>.<br />* No permission abstractions.<br />* Not even a way to ban `eval()`.</p><p>Best thing I&#39;ve found is `--frozen-intrinsics`, which is interesting, and I don&#39;t think there&#39;s a browser equivalent. You still have to freeze `globalThis` though to get much value out of it.</p><p><a href="https://nodejs.org/en/docs/guides/security/#monkey-patching-cwe-349" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="ellipsis">nodejs.org/en/docs/guides/secu</span><span class="invisible">rity/#monkey-patching-cwe-349</span></a></p><p>There are also some interesting security policies, which look like they have a lot of potential. However they&#39;re all experimental right now and seem focused on code integrity.</p><p><a href="https://nodejs.org/api/permissions.html" target="_blank" rel="nofollow noopener" translate="no"><span class="invisible">https://</span><span class="">nodejs.org/api/permissions.html</span><span class="invisible"></span></a></p><p>Is this really the state-of-the-art for <a href="https://techhub.social/tags/Node" class="mention hashtag" rel="tag">#<span>Node</span></a> security right now? Am I missing something?</p>
Jumping Rivers<p>Content Security Policy is a framework of modern-ish browsers used to give applications an extra layer of security! In this week's blog, we introduce the concept of Content Security Policy and teach some of the technical aspects!</p><p><a href="https://www.jumpingrivers.com/blog/content-security-policy-shiny-posit-connect/" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">jumpingrivers.com/blog/content</span><span class="invisible">-security-policy-shiny-posit-connect/</span></a></p><p><a href="https://fosstodon.org/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://fosstodon.org/tags/RStats" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RStats</span></a> <a href="https://fosstodon.org/tags/r" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>r</span></a> <a href="https://fosstodon.org/tags/ContentSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurity</span></a> <a href="https://fosstodon.org/tags/csp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>csp</span></a> <a href="https://fosstodon.org/tags/ContentSecurityPolicy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ContentSecurityPolicy</span></a> <a href="https://fosstodon.org/tags/community" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>community</span></a> <a href="https://fosstodon.org/tags/blog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blog</span></a> <a href="https://fosstodon.org/tags/Shiny" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Shiny</span></a></p>