I have a small site that shows ads from different ad networks. Sometimes these ad networks serve ads that contain js code that makes HTTP requests to external servers and I found that sometimes those …
Tag: security
FileReader upload safety
Say I have without any forms, and obtain an image selected by this input via File's Blob JavaScript API: input.addEventListener('change', function(){ var reader = …
Electron, contextIsolation and contextBridge
I recently had to revamp an old Electron app. I found out that it had contextIsolation set to false, so I went ahead and set it to true (and btw set nodeIntegration to false). As expected, it broke …
PayPal JavaScript SDK – understand security problems on the client-side
I've recently implemented the PayPal JavaScript SDK in my Angular 11 project (implementation reference). It seems to work flawlessly, however, I started to think that it might be possible to modify …
This document requires 'TrustedScriptURL' assignment
After adding require-trusted-types-for 'script'; in my Content-Security-Policy header, which was introduced in Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website, it …
Form body in a POST ending up as URL params?
Our stack: Vue.js frontend using vuetify component lib, custom python middleware rest api using flask + tornado, matomo running externally and connected to the frontend using vue's plugin system. (…
How to make Google Analytics respond to “Do Not Track”
I am planning to put google analytics tracking code on my website, but I don’t know how to make it respond to those who send the “Do not track” signal. How can I make GA tracking code track those who …
vuex empty state on logout
Quick story of my problem: Absolutely no data is stored in my vuex state when the page loads. If the user is logged in (or has info stored in window.localStorage and therefore gets auto logged in) my …
CSRF protection with CORS Origin header vs. CSRF token
This question is about protecting against Cross Site Request Forgery attacks only. It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token? …
What makes an input vulnerable to XSS?
I’ve been reading about XSS and I made a simple form with a text and submit input, but when I execute on it, nothing happens, the server gets that string and that’…