content-security-policy

Javascript Template Engines that work with Chrome's Content Security Policy

点点圈 submitted on 2020-01-01 08:21:11
Question: The Chrome API's Manifest version 2 has removed the ability to do unsafe-eval. This means using the eval function or in general dynamically creating a function from text. It seems like most if not all Javascript Templating Engines do this. I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js's templating engine) with no luck. This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this. I think

How to use jinja2 server side rendering alongside react without violating inline-script CSP

你说的曾经没有我的故事 submitted on 2020-01-01 03:36:10
Question: I am new to React and experimenting a bit. I would like to use it on my Flask site that uses Jinja2 templates. People seem to recommend rendering data on the server side first instead of always having to make an initial call for data on page load. I found this nodejs example, but it just puts the data on the page in a global variable in an inline script tag. I was wondering if there was a clean way to do this other than just putting the data on the page inside an inline script tag. Because of

Content-Security-Policy in ASP.NET WebForms

╄→尐↘猪︶ㄣ submitted on 2020-01-01 01:33:08
Question: I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline script for things as simple as form submission and basic AJAX calls. MVC has some simple ways to implement nonces, especially with the help of third party libraries like NWebsec, but I can't seem to find any methods of implementing them with

Change innerHTML set on the fly

[亡魂溺海] submitted on 2019-12-30 13:39:06
Question: I need to change on the fly the value set on every node using the innerHTML. The closest solution I found is: ... Object.defineProperty(Element.prototype, 'innerHTML', { set: function () { // get value (ok) var value = arguments[0]; // change it (ok) var new_value = my_function(value); // set it (problem) this.innerHTML = new_value; // LOOP } } ... But obviously it's an infinite loop. Is there a way to call the original innerHTML setter? I also tried the Proxy way, but I could not make it work.

Can not make GWT application work as Chrome packaged app, probably due to CSP

妖精的绣舞 submitted on 2019-12-30 03:18:27
Question: Keep getting CSP errors: "Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'" The problem is probably due to HTML files generated by GWT which contain inline JS. UPD: Changing to manifest version 1 helped, but this is a temporary workaround, as Chrome 21 complains that it will no longer be supported. UPD2: <add-linker name="xsiframe" /> does not help either. Answer 1: GWT 2.5.1 has finally fixed this problem. The release notes

Content Security Policy in Chrome App

穿精又带淫゛_ submitted on 2019-12-30 00:13:30
Question: My Chrome app has the following manifest: { "name": ", "version": "1.0.3", "manifest_version": 2, "description": "Chrome Extension for.", "icons": { "16": "images/test.png", "19": "images/test.png", "256": "images/test.png" }, "app": { "background": { "scripts": [ "background.js" ] } }, "sandbox": { "js": [ "lib/test-api.js" ] }, "permissions": [ "<all_urls>", "notifications", "storage", "videoCapture" ] } I have a script file that runs eval. I have read about CSP and sandboxing, but I still

Allow All Content Security Policy?

蓝咒 submitted on 2019-12-29 03:54:27
Question: Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks. Answer 1: For people who still want an even more permissive posts, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough: default-src * data:

Content Security Policy: An Introductory Tutorial

喜你入骨 submitted on 2019-12-28 09:04:13
Cross-site scripting (XSS) is the most common and most damaging web security vulnerability. Preventing it requires many programming measures, which is very troublesome. Many people have asked whether the problem could be solved at its root by having the browser automatically refuse externally injected malicious scripts. That is the origin of the "web security policy" (Content Security Policy, abbreviated CSP). This article describes in detail how to use CSP to prevent XSS attacks. 1. Introduction. The essence of CSP is a whitelist system: the developer explicitly tells the client which external resources may be loaded and executed, which amounts to supplying a whitelist. Its implementation and enforcement are done entirely by the browser; the developer only needs to provide the configuration. CSP greatly strengthens the security of a web page. Even if an attacker finds a vulnerability, they cannot inject a script unless they also control a trusted host that is on the whitelist. There are two ways to enable CSP. One is through the Content-Security-Policy field of the HTTP headers. Content-Security-Policy: script-src 'self'; object-src 'none'; style-src cdn.example.org third-party.org; child-src https: The other is through the page's <meta> tag. <meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'; style-src cdn

Refused to load the script because it violates the following Content Security Policy directive

∥☆過路亽.° submitted on 2019-12-27 11:39:12
Question: When I tried to deploy my app onto devices with an Android system above 5.0.0, I kept getting this kind of error message: 07-03 18:39:21.621: D/SystemWebChromeClient(9132): file:///android_asset/www/index.html: Line 0 : Refused to load the script 'http://xxxxx' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline'". 07-03 18:39:21.621: I/chromium(9132): [INFO:CONSOLE(0)] "Refused to load the script 'http://xxx' because it violates