content-security-policy

What are the risks associated with using inline styles?

筅森魡賤 submitted on 2019-12-04 05:39:15
A Content Security Policy with a default-src or style-src directive will prevent inline styles from being applied to <style> elements or style attributes. To allow the use of inline styles, a value of unsafe-inline must be applied to a CSP fetch directive. This seems to indicate that inline styles are unsafe. While inline JavaScript is an obvious attack vector for XSS attacks (CSP is pretty much useless with script-src 'unsafe-inline'), Google Web Fundamentals considers inline styles to be a relatively equivalent threat, providing one example of a clever data exfiltration method from a 2009

Relaxing Chrome's CSP while running tests (webdriver) (Content-Security-policy)

本秂侑毒 submitted on 2019-12-04 05:23:45
Question: I'm trying to relax Chrome's CSP while running a test using protractor (webdriver, chromedriver). So the solution can be either a flag like "--disable-csp", which does not exist according to my search results, or a setting for webdriver/protractor to do so. I could not find any solution but to set up a proxy that filters the header. Any ideas? Answer 1: Currently there is no native option, but you can disable CSP using an extension. Step: Download extension Disable Content-Security-Policy Save it as .zip

JavaScript click() method only works once in Chrome extension

五迷三道 submitted on 2019-12-04 05:14:05
I'm trying to download multiple files in a Chrome extension. The following code creates a dummy link to a file, then triggers the .click() event which downloads the file. The problem is that only the first .click() event triggers a download. Subsequent .click() events are ignored. Here is the manifest.json: { "name": "Simple File Downloader", "version": "0.1", "permissions": ["contextMenus", "http://*/"], "background": { "persistent": false, "scripts": ["sample.js"] }, "content_security_policy": "script-src 'self'; object-src 'self'", "manifest_version": 2 } Here is the sample.js: function

Custom HTTP headers with Google Cloud CDN and Bucket backend

萝らか妹 submitted on 2019-12-04 04:58:23
How can I send custom HTTP headers with a bucket backend for Cloud CDN without the x-goog-meta- prefix? In particular, I'm trying to send a Content-Security-Policy header, which turns into x-goog-meta-Content-Security-Policy and thus is ignored by the browser. Screenshot: Google Storage/ Bucket Meta data UI Screenshot: Response headers Source: https://stackoverflow.com/questions/43853564/custom-http-headers-with-google-cloud-cdn-and-bucket-backend

What CSP child iframe inherits from its parent?

老子叫甜甜 submitted on 2019-12-04 02:37:04
I have a webpage (say origin=A) that has an iframe embedded in it which loads from a different domain (say B). B loads a bunch of scripts from different domains (various CDNs). My webpage A sets a pretty strict CSP like: default-src 'none'; script-src 'self'; frame-src B B doesn't set any CSP headers. Now I would expect the child frame, B, to inherit the CSP rules of A, and trying to access various CDNs should be a violation of its CSP because of script-src 'self', but to my surprise, it works smoothly. So my question is: How is CSP inherited by child iframes? Does it depend on its parent frame's CSP

POST request on Facebook.com in Chrome Extension fails

房东的猫 submitted on 2019-12-04 02:35:20
Question: I have a Chrome Extension that sends an AJAX POST with some data on every page. The problem is that Facebook blocks the AJAX request, resulting in this: Refused to connect to 'URL_HERE' because it violates the following Content Security Policy directive: "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net". How to send an AJAX call to my server on that page

Content-Security-Policy (CSP) workaround for internet explorer

左心房为你撑大大i submitted on 2019-12-04 01:28:31
Question: We are building an ASP.NET website and want to allow only some domains to iframe our website. CSP is not supported in Internet Explorer. I am setting something like Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com"). How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy, but it doesn't have frame-ancestors. Also I am removing the default X-Frame-Options header added by IIS by doing Response.Headers.Remove("X

Javascript Template Engines that work with Chrome's Content Security Policy

社会主义新天地 submitted on 2019-12-04 00:33:17
The Chrome API's Manifest version 2 has removed the ability to do unsafe-eval. This means using the eval function or, in general, dynamically creating a function from text. It seems like most if not all JavaScript templating engines do this. I was using Jaml, but I tried several others like backbone.js (which really uses underscore.js's templating engine) with no luck. This comment on the Chromium project seems to indicate that there are a great many libraries that suffer from this. I think Angular.js has a CSP-safe mode, but Angular.js is really too big for what we need. We just need a fairly

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

北战南征 submitted on 2019-12-03 22:19:16
I have a web app which uses localStorage. Now we want to embed this web app on other (third-party) sites via iframe. We want to provide an iframe embed similar to YouTube so that other websites can embed our web app in an iframe. Functionally it is the same as if it weren't embedded. But it does not work. Chrome prints the error message: Uncaught SecurityError: Failed to read the 'localStorage' property from 'Window': Access is denied for this document. I just do the following check (in the iframe): if (typeof window.localStorage !== 'undefined') { // SETUP SESSION, AUTH, LOCALE, SETTINGS

How to implement content security policy?

放肆的年华 submitted on 2019-12-03 21:19:31
Question: There are good articles explaining the options for CSP, like this one: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ Perhaps it's completely obvious, because I can't find any good examples, but how do you actually implement CSP in practice? In PHP you can set the header on a page you serve, but what if you just have an HTML file? Do you have to do it through your webserver, Apache or similar? That doesn't seem an easy approach. What's the best practice here? Every