Practical Guide to Building an API Back End with Spring Boot, 2nd Edition. Thousands of developers have learned the basics of building REST APIs with Spring Boot from the InfoQ mini-book "Practical Guide to Building an API Back End with Spring Boot". That book uses Spring Boot 2, which was the newly released version at the time of publication. However, Spring Boot 3 was released recently, and important ...
A CDN that can not XSS you Using Subresource Integrity about:frederik Frederik Braun Security Engineer at Mozilla fbraun@mozilla.com https://frederik-braun.com @freddyb Why am I here? https://www.mozilla.org/en-US/about/manifesto/ Content Delivery Networks <script src="https://code.jquery.com/jquery-2.1.4.min.js"></script> <link href='http://fonts.googleapis.com/css?family=PT+Sans…' rel='styleshe
SVG Exploiting Browsers without Image Parsing Bugs Rennie deGraaf iSEC Partners 07 August 2014 Rennie deGraaf (iSEC Partners) SVG Security BH USA 2014 1 / 55 Outline 1 A brief introduction to SVG What is SVG? Using SVG with HTML SVG features 2 Attacking SVG Attack surface Security model Security model violations 3 Content Security Policy A brief introduction CSP Violations 4 Conclusion Rennie deGr
Content Security Policy (CSP) is a security concept aiming to prevent XSS and other forms of browser–based attacks right where they happen — in the browser. CSP has been around for a little while but it’s only now that browser vendors are closing in on implementing most of the W3C specification. This talk will take a look at what CSP is, why it matters and how to use it with Ruby–based web appl
Using the nonce feature of Content-Security-Policy considerably reduces the threat of XSS. @hasegawayosuke pointed out to me that web application frameworks should probably support it by default, so I thought about how to implement it. To get a feel for what a CSP nonce actually is, I looked for code examples, but I could not find any actually working sample related to nonces. So I prepared a working sample myself. https://github.com/tokuhirom/csp-nonce-sample The following is sample code written in Sinatra. require 'sinatra' require 'securerandom' get '/' d
UI Security and the Visibility API defines both a declarative and imperative means for resources displayed in an embedded context to protect themselves against having their content obscured, moved, or otherwise displayed in a misleading manner. This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publi
While conversing with Mike West, I was told there's a need for JS API proposals for CSPs. Since this is an interest of mine, I thought I'd take a crack at it. He pointed me to a few reference points to get started: Use-Case Zero An Extensible Approach to Browser Security Policy To collect their suggestions, the API should be reflectable, perhaps be event-based (an "approval hook") and give clear o
If Content Security Policy is enabled for protection against cross-site scripting attacks (i.e. the unsafe-inline option is not set), the use of inline <script>s is not allowed. In that case, how can we pass server-generated data to the front-end without negatively affecting load time and run-time performance? Introduction A common way to pass server-generated JSON-formatted data to the client so
Postcards from the post-XSS world (2011) Michal Zalewski, <lcamtuf@coredump.cx> 1. Introduction HTML markup injection vulnerabilities are one of the most significant and pervasive threats to the security of web applications. They arise whenever, in the process of generating HTML documents, the underlying code inserts attacker-controlled variables into the output stream without properly screening t
Programming is difficult — and difficult things generally don’t have a perfect solution. As an example, cross-site scripting (XSS) is still very much unsolved. It’s very easy to think you’re doing the right thing at the right time, but there are two opportunities to fail here: the fix might not be correct, and it might not be applied correctly. Escaping content (while still the most effective way
Ben Vinegar Software engineer at Disqus Co-author, Third-party JavaScript (Manning) Once ate 7 McDonald's cheeseburgers in one sitting Implemented Content Security Policy in Disqus Cross-Site Scripting (XSS) This is still a problem Cross-site scripting (XSS) Vulnerability where attacker injects JavaScript code into a web document <?php $name = $_GET['name']; echo "Welcome $name"; ?> GET http://urs
Engineering: Content Security Policy. We’ve started rolling out a new security feature called “Content Security Policy” or CSP. As a user, it will better protect your account against XSS attacks. But, be aware, it may cause iss
CSP Readiness This is a test page to show how ready your browser is in its Content Security Policy support. Currently tests img, object, script, style and iframe + inline and eval Version 1.1 - Based on latest spec at w3c. Is using Content-Security-Policy Version 1.1 with prefixed headers - Based on latest spec at w3c. 1.0 with proper header name - Based on the 1.0 spec at w3c. Is using Content-S
Since manifest v2, Chrome extensions have become much more restricted because of CSP support and the like, but I did not really understand CSP itself in the first place, so I tried translating the HTML5Rocks introductory article. In places I did not quite understand it and translated loosely, so if something seems off, refer to the original. http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy Note: This article describes an API that is not yet fully standardized and is unstable. Be careful when using experimental APIs in your own projects. The web's security model is rooted in the same-origin policy. Code from https://mybank.com should only have access to https://mybank.com's data