Notices by silverwizard (silverwizard@convenient.email), page 7

@hypolite Ok - actually

I ran
cat test.txt | nc -l -p 2000
with test.txt containing

(Ignore the fake content length)

I then pointed my browser at it, and it saw these response headers:

And it popped up a popup saying "OH NO"

@hypolite So if I send:
Content-Security-Policy: script-src: 'none'

<html>
<script>alert("OH NO");</script>
</html>

With a valid Content-Length and junk

Would that work?

@allenstenhaus My uncle started going bald at 17, and the wisdom was I'd be bald by 20. So I decided to enjoy it while I could.

I am 36 and I've managed to keep it!

@hypolite developer.mozilla.org/en-US/do…

Is there a way to say default-src: none? Or just set no valid sources? not as I recall

@ericmpaq @tieflingdio Wait, Standard D&D Elves is a weird idea.

The High/Grey/Valley/Wood elves of Greyhawk are what I think of as "standard", whereas the Sun and Moon of Faerun are typically slightly off model?

@hypolite @IceWolf CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory,I might be able to send spam that way! I can definitely steal your credit card number.

But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.

I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.