Content-Security-Policy & iframe src

Hi,

Sorry if this is the wrong place to ask, feel free to redirect me to a more appropriate list.

We’re applying Content-Security-Policy to our site and Firefox is applying the Content-Security-Policy of the page to the contents of an iframe loaded with the src attribute.

I see that the CSP2 spec indicates that iframe srcdoc must be processed using the document’s CSP but couldn’t find anything about iframes loaded from external sites.

Of course Chrome happily ignores the document’s CSP when loading the iframe contents. I was just wondering if this was expected behavior, the interpretation of a silent spec, an oversight, bug?

Many thanks
Wilks
2/13/2015 8:55:56 PM
mozilla.dev.security

0 Replies
764 Views
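A model of the CSP2 rule the post asks about, added here as an illustration and not part of the original post or of any browser's code: the parent page's frame-src / child-src / default-src fallback decides whether an `<iframe src>` may be loaded at all, while the framed document's own response headers govern what that document may run; only srcdoc documents inherit the parent's policy. The source-expression matcher is a deliberate subset (no port or path matching) and the origins and URLs are constructed.

```python
from urllib.parse import urlsplit

# Order in which CSP2/CSP3 look for the directive that governs <iframe src> loads.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def source_matches(expr, url, page_origin):
    """Match one source expression against a URL. Subset: 'self', 'none', *, scheme:,
    host, scheme://host and *.host; port and path matching are deliberately omitted."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if expr.endswith(":"):                      # scheme-source, e.g. https:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")   # host-source with optional scheme
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):                   # wildcard never matches the bare domain
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def frame_load_allowed(parent_csp, frame_url, page_origin):
    """Does the PARENT's policy let an <iframe src=frame_url> be loaded at all?
    The first directive present in FRAME_FALLBACK decides; an empty source list
    behaves like 'none'; no governing directive at all means unrestricted."""
    policy = parse_csp(parent_csp)
    for directive in FRAME_FALLBACK:
        if directive in policy:
            return any(source_matches(e, frame_url, page_origin) for e in policy[directive])
    return True


def governing_policy(iframe_attribute):
    """Whose CSP governs the framed document's own scripts, styles and images:
    a srcdoc document inherits the embedding page's policy, a document fetched
    via src is governed by the CSP header on its own response, not the parent's."""
    return "parent" if iframe_attribute == "srcdoc" else "frame's own response"
```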
