Conversation
Notices
-
silverwizard (silverwizard@convenient.email)'s status on Tuesday, 22-Oct-2024 05:18:54 JST silverwizard @IceWolf I mean - I'd love to make tools to allow noscript sites. Sites that say "run no JS from me". It'd be so good as a header! -
silverwizard (silverwizard@convenient.email)'s status on Tuesday, 22-Oct-2024 22:09:37 JST silverwizard @hypolite @IceWolf CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory, I might be able to send spam that way! I can definitely steal your credit card number.
But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.
I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.
-
hypolite (hypolite@friendica.mrpetovan.com)'s status on Tuesday, 22-Oct-2024 22:09:38 JST hypolite @silverwizard @IceWolf Isn’t that CORS? You can disable inline JS, limit JS inclusion from known domains, etc… -
silverwizard (silverwizard@convenient.email)'s status on Tuesday, 22-Oct-2024 22:50:32 JST silverwizard @hypolite @IceWolf Does CSP let you reject javascript from the local domain? -
hypolite (hypolite@friendica.mrpetovan.com)'s status on Tuesday, 22-Oct-2024 22:50:33 JST hypolite @silverwizard @IceWolf Sorry, not CORS, I meant CSP. CSP allows you to not run inline JavaScript in your page. -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 01:14:00 JST silverwizard @hypolite developer.mozilla.org/en-US/do…
Is there a way to say default-src: none? Or just set no valid sources? Not as I recall.
-
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 01:14:03 JST hypolite @silverwizard It should, if it is restrictive enough. What is the specific use case you have in mind? -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 02:38:37 JST silverwizard @hypolite Does that block local scripts? I thought it didn't? I don't have a spare webserver I feel safe rewriting headers on right now. -
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 02:38:38 JST hypolite @silverwizard “none” is a valid value for “script-src”. -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 04:28:21 JST silverwizard @hypolite So if I send:

Content-Security-Policy: script-src: 'none'

<html>
<script>alert("OH NO");</script>
</html>

With a valid Content-Length and junk
Would that work?
-
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 04:28:22 JST hypolite @silverwizard What do you call "local scripts"? -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 04:33:45 JST silverwizard @hypolite Ok - actually
I ran

cat test.txt | nc -l -p 2000

with test.txt containing (ignore the fake content length):

HTTP/1.0 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

<html>
<head>Hello</head>
<body>
<script>alert("OH NO");</script>
</body>
</html>

I then pointed my browser at it, and it saw these response headers:

HTTP/1 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

And it popped up a popup saying "OH NO"
-
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 04:37:19 JST silverwizard @hypolite Ran it in Chrome and Firefox as well. Also changed the CSP to default-src: 'none' script-src: 'none' and got the same results in LibreWolf. -
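Added example, not code from either participant: CSP separates a directive name from its source list with whitespace and separates directives from each other with semicolons, so a name written with a trailing colon (`script-src:`) is not a recognised directive and the browser drops it with a console warning rather than enforcing it. The Python below parses a header by those same rules, reports which names would be ignored and whether inline scripts are governed, and serves the thread's test page with a syntactically valid policy so the experiment can be re-run locally. Port 2000 and the page body are taken from the thread; the KNOWN_DIRECTIVES subset is an assumption sufficient for this check, and nonce/hash allowances are deliberately not modelled.

```python
"""Constructed example: parse a Content-Security-Policy header the way a
browser does and report whether inline <script> elements are blocked.
The header strings in the tests mirror the experiment in the thread."""

from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: a subset of directive names, enough for this check.  The full
# list is in the CSP Level 3 specification.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "img-src", "connect-src", "frame-src", "object-src",
    "base-uri", "form-action",
}


def parse_csp(header):
    """Return (directives, unrecognised).

    directives maps each recognised directive name to its source expressions;
    unrecognised lists names a browser would ignore, e.g. 'script-src:' with
    a stray colon, which then leaves inline scripts ungoverned."""
    directives = {}
    unrecognised = []
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            unrecognised.append(name)
            continue
        # Browsers honour the first occurrence of a directive and ignore repeats.
        directives.setdefault(name, sources)
    return directives, unrecognised


def governing_script_sources(header):
    """Source list that applies to inline <script> elements, following the
    fallback chain script-src-elem -> script-src -> default-src, or None when
    no directive governs scripts at all (browser default: allow)."""
    directives, _ = parse_csp(header)
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return directives[name]
    return None


def inline_script_blocked(header):
    """True if a page served with this header refuses inline <script>.
    Simplification: nonce-/hash-based allowances are not modelled, so a
    policy with a nonce is reported as blocking, which is correct for any
    inline script that does not carry that nonce."""
    sources = governing_script_sources(header)
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


# Page body from the thread's experiment.
PAGE = (b"<html><head><title>Hello</title></head><body>"
        b"<script>alert('OH NO');</script></body></html>\n")

# Syntactically valid policy: no colons after directive names.
VALID_POLICY = "default-src 'none'; script-src 'none'"


class BlockInlineHandler(BaseHTTPRequestHandler):
    """Serves PAGE with VALID_POLICY; the alert does not fire and the browser
    console reports a CSP violation for the inline script instead."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.send_header("Content-Security-Policy", VALID_POLICY)
        self.end_headers()
        self.wfile.write(PAGE)


if __name__ == "__main__":
    # Point a browser at http://127.0.0.1:2000/ to compare with the nc run.
    HTTPServer(("127.0.0.1", 2000), BlockInlineHandler).serve_forever()
```

Running `parse_csp("script-src: 'none'")` returns no recognised directives and lists `script-src:` as ignored, which matches the browser behaviour reported in the thread; the same header without the colon blocks the inline script.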
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 04:52:20 JST silverwizard @hypolite But it ran! -
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 04:52:22 JST hypolite @silverwizard The script won't run unless the unsafe-inline policy is explicitly allowed. -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 05:07:06 JST silverwizard @hypolite Trying to add self to any of the sources could not cause the script to not execute. -
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 05:07:07 JST hypolite @silverwizard How about with self? -
silverwizard (silverwizard@convenient.email)'s status on Wednesday, 23-Oct-2024 06:10:42 JST silverwizard @hypolite I think it's just that browser vendors are unwilling to support them properly, and generally there's a generic trust in the local source. It's also complex as browsers are also a mess of JS and local user scripts are a very normal part of browsing these days, since most people are using extensions to their browser. -
hypolite (hypolite@friendica.mrpetovan.com)'s status on Wednesday, 23-Oct-2024 06:10:43 JST hypolite @silverwizard This is disheartening as CSP is supposed to address exactly that. Either it's malfunctioning or is too brittle to be used effectively, and neither is a good look.
-