mttaggart, 24 days ago Your periodic reminder that a Content-Security-Policy that includes cdn.jsdelivr.net is not safe. Any GitHub repo can be loaded via that CDN, so if you find it on a test, prove the point. Here, have a payload. #WebApp #InfoSec #Cybersecurity
Your periodic reminder that a Content-Security-Policy that includes cdn.jsdelivr.net is not safe. Any GitHub repo can be loaded via that CDN, so if you find it on a test, prove the point.
cdn.jsdelivr.net
Here, have a payload.
#WebApp #InfoSec #Cybersecurity
hrbrmstr, 23 days ago @mttaggart CSP's were adorable when they rolled out and are that much more adorable in the age of "cloudflare all the things”.
@mttaggart CSP's were adorable when they rolled out and are that much more adorable in the age of "cloudflare all the things”.
mttaggart, 23 days ago @hrbrmstr I guess? There's plenty of the internet that isn't, and CSPs are still the best defense against XSS.
@hrbrmstr I guess? There's plenty of the internet that isn't, and CSPs are still the best defense against XSS.
hrbrmstr, 23 days ago @mttaggart except nobody that needs to uses them.
@mttaggart except nobody that needs to uses them.
Add comment