Content Security Policy applied to Single Page Applications: Is it worth it with unsafe-inline?

Does applying ‘unsafe-inline’ render CSP more or less pointless?

Preventing XSS is one of the main benefits of a CSP. If you need to allow inline scripts, that benefit is mostly gone.

But there are still some situations where a CSP can prevent exploitation of issues. Examples:

  • Clickjacking: a CSP can prevent it
  • HTML injection: Even if no XSS can be gained, HTML injections can be used to exfiltrate data. A CSP may be able to mitigate some of the impact (by restricting form actions, image sources, etc.)
  • CSS injection: If you don’t have inline CSS, you can prevent CSS injection via CSP
  • Even with unsafe-inline, a CSP may make XSS more difficult to exploit. The easiest way to exploit XSS is to include a remote script, as an attacker doesn’t have to worry about length or special character restrictions in the payload
  • Enforce content to be loaded via HTTPS

Does anyone have any good ideas of how to handle CSP on an SPA?

The same way as with any application: Don’t have inline scripts. Instead, you should have all your scripts in .js files, which you then include from a trusted origin (this actually seems easier to achieve in a SPA compared to a classic application which may have inline JavaScript all over the place).

You can also allow a specific script block using a nonce or hash source (which implemented correctly prevents XSS).

Even if you need to allow unsafe-inline for now, I’d still recommend implementing a CSP which is as restrictive as possible given the situation.

It will help you implement future features in a way compatible with a restrictive CSP. And when you get around to removing inline JS, you just need to remove unsafe-inline from the CSP that you have in place already (instead of having multiple issues to worry about when implementing a new CSP).
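As an added example (not part of the question or this answer), a small Python model of the nonce/hash approach the answer recommends: it builds the header, computes the hash source for an inline script body, and checks whether a given inline script would run under the policy. The origin https://cdn.example.com used below is hypothetical.

```python
import base64
import hashlib
import secrets

def script_hash_source(script_body: str) -> str:
    """CSP hash-source for one inline <script> body: SHA-256 of the exact text, base64."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce() -> str:
    """Fresh per-response nonce (128 random bits); never reuse one across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(script_origins=(), nonce=None, inline_scripts=(), allow_unsafe_inline=False):
    """Assemble a restrictive policy; the SPA bundle is served from 'self' or the given origins."""
    sources = ["'self'", *script_origins]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    sources.extend(script_hash_source(body) for body in inline_scripts)
    if allow_unsafe_inline:  # the stop-gap the answer discusses
        sources.append("'unsafe-inline'")
    directives = ["default-src 'self'", "script-src " + " ".join(sources),
                  "object-src 'none'", "base-uri 'self'",
                  "form-action 'self'",        # limits where an injected <form> can post
                  "frame-ancestors 'none'"]    # clickjacking
    return "; ".join(directives)

def _directive(csp: str, name: str):
    """Source list of one directive, or None if the policy does not set it."""
    for d in csp.split(";"):
        parts = d.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

def inline_script_allowed(csp: str, body: str, nonce_attr=None) -> bool:
    """Would a browser run this inline <script>? CSP2+ rules: a matching nonce or hash
    allows it, and 'unsafe-inline' is ignored once any nonce/hash source is present."""
    sources = _directive(csp, "script-src")
    if sources is None:  # script-src falls back to default-src
        sources = _directive(csp, "default-src") or []
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    if script_hash_source(body) in sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

One consequence the checker encodes: once a nonce or hash source is in script-src, CSP Level 2+ browsers ignore 'unsafe-inline' in that directive, so keeping it as a fallback for old browsers no longer weakens the policy for modern ones.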

tpm – What kind of “actions” can a TPM2 policy authorize?

I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this article: https://threat.tevora.com/secure-boot-tpm-2/

There is a paragraph near the middle that reads:

TPM2 has the ability to create policies based off of PCRs: If the PCR contents do not match expectations, the policy will not authorize the action.

What kind of actions are they talking about here? And what would be the immediate ramifications if the action was not authorized?


Some background:
Before today, I was under the impression that the principal trick of the TPM was to encrypt or decrypt data using a key that the TPM holds securely. Now this article suggests that the TPM can also (two different functions) encrypt or decrypt data based on the current state of its PCR registers… this seems similar enough to my previous understanding that I can believe it.

If my understanding is correct, I can see how this would be useful to our project’s goals; encrypt a blob of data that is critical to the success of the boot (say… the kernel*) with the state of the PCR registers while the PCR registers are in a known-trustworthy state (i.e. while known-trustworthy software is loaded). If software that writes different PCR registers replaces the known-trustworthy software, then the kernel blob won’t decrypt properly, and execution “halts”. Presumably there are ways to handle this halting gracefully, like Bitlocker or LUKS; I imagine if I just encrypted executable code and then decrypted it with the wrong key, it would produce gibberish, and the machine would do unexpected things rather than halt gracefully when running that gibberish.

A co-worker has taken the position that there’s a simpler way; that a TPM can permit or refuse an action directly… so, like, it halts the processor or something, I guess? He doesn’t express himself very well, and when I tried to summarize his position he told me I got it wrong, so… I’m deliberately keeping the details of his position scant. Suffice it to say, my understanding of what a TPM does wouldn’t allow for what he describes…

You could interpret the two sentences from the article as supporting his position, or mine, depending on what actions it is possible to ask the TPM to authorize, and what the immediate ramifications are of the TPM denying you the authorization to do something. Does anyone here have an opinion?

*…how would I “encrypt the kernel”, exactly? :-p
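Added here as an example (not from the question or the linked article): a Python model of a blob sealed to PCR state, using the TPM2_PolicyPCR digest calculation from the TPM 2.0 Library spec (Part 3). The firmware and boot loader measurements are constructed placeholders; the "action" the policy authorizes is a command such as TPM2_Unseal, and a PCR mismatch only makes that command fail (TPM_RC_POLICY_FAIL), leaving the calling software to decide what to do.

```python
import hashlib

# Constants from the TPM 2.0 Library spec, Part 2: command code and hash algorithm ID.
TPM_CC_POLICY_PCR = (0x0000017F).to_bytes(4, "big")
TPM_ALG_SHA256 = (0x000B).to_bytes(2, "big")
ZERO = b"\x00" * 32

def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = SHA256(PCR_old || SHA256(measurement)); PCRs start at zero."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def pcr_selection(indices) -> bytes:
    """Marshalled TPML_PCR_SELECTION: count=1, SHA-256 bank, sizeofSelect=3, PCR bitmap."""
    bitmap = sum(1 << i for i in set(indices))
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256 + b"\x03" + bitmap.to_bytes(3, "little")

def policy_pcr_digest(pcrs: dict, indices) -> bytes:
    """TPM2_PolicyPCR on a fresh session:
    policyDigest = H(zeros || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(set(indices)))).digest()
    return hashlib.sha256(ZERO + TPM_CC_POLICY_PCR + pcr_selection(indices) + pcr_digest).digest()

class PolicyFail(Exception):
    """Stands in for TPM_RC_POLICY_FAIL: the command is refused and nothing else happens."""

def seal(secret: bytes, pcrs: dict, indices) -> dict:
    """TPM2_Create with authPolicy set to the PCR policy; the object stores only the digest."""
    return {"authPolicy": policy_pcr_digest(pcrs, indices), "sensitive": secret}

def unseal(obj: dict, pcrs: dict, indices) -> bytes:
    """TPM2_Unseal under a policy session: the caller names the PCRs, the TPM recomputes
    the digest from the live PCR values and compares it with the sealed authPolicy."""
    if policy_pcr_digest(pcrs, indices) != obj["authPolicy"]:
        raise PolicyFail("PCR state differs from when the blob was sealed")
    return obj["sensitive"]

def boot_pcrs(firmware: bytes, bootloader: bytes) -> dict:
    """Constructed measured-boot state: firmware measured into PCR0, boot loader into PCR7."""
    return {0: extend_pcr(ZERO, firmware), 7: extend_pcr(ZERO, bootloader)}

if __name__ == "__main__":
    good = boot_pcrs(b"fw-1.0", b"bootloader-1.0")
    blob = seal(b"disk-unlock-key", good, [0, 7])  # sealed while the known-good stack is loaded
    print(unseal(blob, good, [0, 7]))               # same stack again: key released
    tampered = boot_pcrs(b"fw-1.0", b"other-bootloader")
    try:
        unseal(blob, tampered, [0, 7])
    except PolicyFail as e:
        print("unseal refused:", e)                 # the caller decides what happens next
```

Sealing a disk-unlock key this way (what BitLocker and LUKS-with-TPM do) is the usual answer to the "how would I encrypt the kernel" footnote: the kernel stays plaintext and measured, and it is the key to the data that is withheld.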

fstab – GCSFuse keeps generating dummy files on mounted bucket that can’t be deleted due to retention policy

I’m currently setting up a GCP storage bucket on my instance which will be used for backups. I have currently configured fstab to mount the bucket on startup using the following config.

cpanel1-vm-backups /mount/backups gcsfuse rw,user

The problem is that GCSFuse keeps generating random files which it can’t delete due to the retention policy on the bucket, so I end up with hundreds of files with randomly generated filenames in my bucket.

After disabling the retention policy the random files stop appearing in the bucket but I need to have this retention policy in place for redundancy reasons.

Any recommendations for resolving this?

Reverse group policy for folder redirection

I created a group policy that will redirect the My Documents folders of the users in my company to a folder I created on a Windows 10 machine. I deleted the GPO without checking the box “Redirect the folder back to the local user profile location when the policy is removed”. Now the users can only access their files if they log in to the specific machine where their folder was redirected. Is there any way to redirect those folders back to the users even though I deleted the policy? I tried to link a test OU to the earlier policy that I deleted to restore it, and tried to select “Redirect the folder back to the local user profile location when the policy is removed”, check “Move the contents of (folder name) to the new location” and set the Target folder location to “Redirect to the local user profile location”, but still no luck. I also tried creating a new policy, put some of the users that were having the issue in the scope, selected “Redirect the folder back to the local user profile location when the policy is removed”, set the Target folder location to “Redirect to the local user profile location” and checked “Move the contents of (folder name) to the new location”, but still, the folders are present on the Windows 10 machine. Any idea how I can fix this?

[ Politics ] Open question: POLICY: What is the REAL reason why Democrats use coronavirus to destroy the US economy? Give an explanation.?

amazon web services – What is the metric period for target tracking scaling policy

I have activated the scaling policy and am trying to figure out where I should set my threshold. The metric I operate on is request count per target.

If I navigate to

Target Groups > MyTargetGroup > Monitoring > Request Count Per Target 

The period is set to 5 minutes by default. I thought it would be the period in which I should set my goal, but it doesn't seem right.

Can someone help me determine the right period?

group policy – Define scale settings in the nvidia control panel using GPO / Registry

We need to set the scaling parameters in the nvidia control panel of all monitors without scaling and "Perform scaling" on GPU. Is there a way to do this with a GPO or a registry key? Or any other way than doing it manually on each client?

Setting the scale to 100% in Windows settings is not enough, because software we use only works if the scale in Windows settings and NVIDIA is correct.

magento2.3.5 – Magento 2.3.5 content security policy directive: "img-src

I upgraded to 2.3.5 and now get the error below on every page of the site:

[Report only] Refused to load the image
'blob:http://my.domayn.com/axxxxxxxxxxxx' because it violates the
following Content Security Policy directive: "img-src
widgets.magentocommerce.com www.googleadservices.com
www.google-analytics.com t.paypal.com www.paypal.com
www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com
*.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'".

Does anyone face the same problem?