You've got a knack for delivering clear and concise information.
This helped me understand completely on all aspects of CSP header . Please do more content like this .
Thanks, Steve. This is the best CSP video on the internet. I've stopped pulling my hair out now.
Loved the tutorial, it looked like Liam Neeson was doing a voiceover
This is just everything. Period! Great job and 'like' from 'my-self')))
I guess I'm asking in the wrong place, but do any of you know of a trick to log back into an Instagram account..?
I somehow forgot the password. I appreciate any tricks you can offer me.
Thanks man!! Very helpful videos. Hope you can keep posting. I just started to develop apps with cordova and luckily found your videos.
Thanks! I will continue posting more videos every week. Be sure to go through my Cordova video playlist.
This seemed to work without breaking it, but.... that is not default-src.....
But the information says: Wildcard, allows any URL except data: blob: filesystem: schemes.
A wildcard is like having no restrictions and should generally be avoided.
Perfect! Thank you Mr.Griffith.
Finally some clear info
thanks :3
Thanks man. Was stuck here for a long time!
Hmm, it breaks my menu button and the menu bar ends up to the left... I am running PHP on my page; does the star do anything in PHP that makes it break?
Apparently it's not the * that is the issue.... hmmmmm
Thank you for explaining the CSP concept, but one thing isn't exactly clear to me.
I'm implementing CSP in .htaccess in WordPress.
Do I need to change any JS files?
Because if I use CSP in .htaccess my site breaks or is half working.
This thing with CSP has been haunting me for weeks; how do I get this working...
No client side changes needed as long as the header is set correctly. You should get errors that target which resources are failing to load in the developer console though.
The very moment I put the default in, it breaks. I just tried to ruin it and it does not break the page:
So apparently something on my page does something that makes my menu break when I use the default feature.
default-src is the fallback.
You should be defining the other types of sources though and have the proper values for each.
image-src
style-src
script-src
connect-src
etc...
For each one, provide the domain names where you are willing to accept resources from.
All the possible types of values are listed here - content-security-policy.com/
thanks!
Thanks Steve.
Great video on CSP
Thanks man! That helped me a lot
Thanks Steve and Happy New Year 2018 :)
Happy 2018 to you too!
Thanks Steve from France :)
How do I access and manipulate data and events of a page contained in an iframe?
There are limitations and restrictions on iframes for security reasons. developer.mozilla.org/en-US/docs/Web/HTML/Element/
You can find some ways to set the permissions for the iframe through this MDN page.
Should domains be listed inside 'Domain' or "Dom", or neither, just space separated?
The domains are listed beside each of the categories where they will be applied like style-src. Then just space separated.
Thankss Sirrr
I’ve tried all tags and still have the same csp errors for any fonts, styles and scripts :(
Could it be caused by something else on the server?
Even a small typo can cause an error. If you are getting a CSP error then the problem is in the CSP content based on what you are requesting. Compare what you have in the CSP with what you have in your Network tab in the browser developer tools. Make sure all the domains match exactly.
It happens to me too... and I already checked for typos and it's correct... but the CSS and scripts still remain in error.
What if I want to show a preview of the selected image and then send it to the server, and at the same time I also want to keep it protected from other attacks? So is there any chance for an attacker to attack my site if I allow base64 images on the site? If yes, then how should I protect the page?
The content security policy is really just telling the browser where it is allowed to load resources from - a specific domain, a specific protocol, the same domain as the html file, etc. If you tell the browser that it can load things from anywhere (or omit the meta tag entirely) then you are not protected at all.
This is really only one part of protecting your webpages. You are telling the browser what servers you trust to give you safe assets.
I have a webpage that I am building & in the Console I am getting CSP warnings even though I have not added the CSP meta tag yet... Can anyone help? I have included jQuery but I can't think why it is using CSP without me specifying to do so?? Any ideas
My first question is why are you still using jQuery?
Beyond that I would have to see the page and the exact error before I would be able to give you an answer.
Here is a useful reference for CSP - developers.google.com/web/fundamentals/security/csp/
How can I modify CSP in HTTP?
No, we won't be more specific; everybody is more than welcome to download the whole page! :P No copyright bullshit on my page.
That is not the point of the CSP policy.
It is not to stop your user from downloading anything on your page.
The point is to secure what is already there on the page. You want to prevent malicious scripts from loading assets, files, and scripts that come from URLs that you, as the developer, have not approved.
The CSP lets you use a wildcard for everything but then it is pointless. You have not added any security to the site. You have done nothing to protect your users.
Protecting the USER is the point of this policy.
I want to allow only in-page scripts
and self
content-security-policy.com/
Just set the script-src to what you need based on the outline on this page.
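An added example, not code from the video or its author, that takes the default-src fallback explained above and the script-src question just answered literally: it parses a policy string, resolves which source list each fetch directive actually gets, and flags the settings that make a policy pointless. The host names and the helper names are constructed for illustration; note that the image directive is spelled img-src, and that in-page scripts are better allowed with a nonce or hash than with 'unsafe-inline'.

```javascript
// Added example (not from the video): a tiny CSP auditor showing how default-src
// acts as the fallback for the fetch directives and why a "*" policy adds nothing.
const FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src"];

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Sources the browser will actually apply to a directive: the directive's own
// list if present, otherwise default-src, otherwise null (no restriction at all).
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return policy["default-src"] || null;
}

// Flag the settings that make a policy pointless or weak, one finding per directive.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const d of FETCH_DIRECTIVES) {
    const src = effectiveSources(policy, d);
    if (src === null) findings.push(`${d}: unrestricted (no directive and no default-src)`);
    else if (src.includes("*")) findings.push(`${d}: wildcard allows any host`);
    else if (src.includes("'unsafe-inline'")) findings.push(`${d}: 'unsafe-inline' re-enables injected inline code`);
  }
  return findings;
}

// Constructed sample policies (the hosts are placeholders, not from the page).
const WEAK = "default-src *";
const HARDENED = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' https://fonts.example",
  "font-src https://fonts.example",
  "img-src 'self' data:",
].join("; ");

console.log(auditCsp(WEAK));      // six findings, one wildcard warning per directive
console.log(auditCsp(HARDENED));  // []
```

Send the winning policy as a Content-Security-Policy response header (or the meta tag the video covers); connect-src and frame-src in the hardened sample are covered by the default-src 'self' fallback, which is the behaviour the reply above describes.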
Can you do a tutorial of this in the .htaccess file?
.htaccess files are server-side and Content Security Policy meta tags are client-side security. Two separate things.
@SteveGriffith-Prof3ssorSt3v3 I know, this is where I'm getting confused. I asked my hosting company to help me set this up & they have enabled it in the .htaccess file. But you can also have it in the meta tags. My .htaccess file has the following entry: Header always set Content-Security-Policy: upgrade-insecure-requests. I set this to Report Only, & then commented it out using a #, but it's still acting like it's report only, even though my meta tags version is not set to report...
@SteveGriffith-Prof3ssorSt3v3 Can you have it set both in tags and in the .htaccess file, or do you have to choose one or the other...
@SteveGriffith-Prof3ssorSt3v3 Surely server side would be the better implementation as it would be more difficult to bypass.
@RSTao77432 They are for different purposes. CSP is put there by the website developer to protect each page from XSS attacks.
So sick and tired of security bullshit, and trying to circumvent things.
If you think that this is security bullshit that you have to circumvent then you are missing the point entirely.
This is a way for developers to protect their users by making sure that files and assets are not being loaded from unknown or unwanted locations.
@SteveGriffith-Prof3ssorSt3v3 Yea well.... you say so.... and there is always someone with some kind of a point of "see, it is for your sake we have done it".
The only thing it does is obstruct my webpage creation.
Oh, but for security reasons, like we don't want any app from the USB to start when connected, we remove the very usable feature. Oh yea, I know the game.