41 Matching Annotations
  1. Nov 2024
    1. one man in his half a page which I actually acquired in the process of writing a book 15 years ago typ written a typewritten half a page he said what we must do we must treble our deficit treble our deficit we have a deficit which is bad we must make it three times as big and make the capitalists of the rest of the world pay for it which is exactly what happened the United States should increase its deficit and use it to create aggregate demand for the net exports of Germany and Japan and later on China

      for - US foreign policy - National Security Council member suggested - triple the deficit too act as a magnet to draw in experts of other countries - Yanis Varoufakis

  2. Dec 2023
    1. Warning: Do not accept plain user IDs, such as those you can get with the GoogleUser.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.
  3. Sep 2023
  4. Aug 2023
  5. May 2023
  6. Sep 2021
    1. t's also why it is so annoying to people who actually know what they are doing, when randomly the browser decides to take over a function provided for decades by the OS network stack, and with no notice start bypassing all the infrastructure they set up to their liking (like your hosts file) and funelling all their browsing habits to some shady company (Cloudflare).
  7. Feb 2021
    1. I have a Content Security Policy!Oh, do you now.And did somebody tell you that this would prevent malicious code from sending data off to some dastardly domain? I hate to be the bearer of bad news, but the following four lines of code will glide right through even the strictest content security policy.
  8. Jan 2021
  9. atomiks.github.io atomiks.github.io
    1. The CSS automatically gets injected into <head> with the CDN (tippy-bundle). With CSP enabled, you may need to separately link dist/tippy.css and use dist/tippy.umd.min.js instead.
  10. Nov 2020
    1. If your Svelte components contain <style> tags, by default the compiler will add JavaScript that injects those styles into the page when the component is rendered. That's not ideal, because it adds weight to your JavaScript, prevents styles from being fetched in parallel with your code, and can even cause CSP violations. A better option is to extract the CSS into a separate file. Using the emitCss option as shown below would cause a virtual CSS file to be emitted for each Svelte component. The resulting file is then imported by the component, thus following the standard Webpack compilation flow.
  11. Oct 2020
  12. Jul 2020
  13. Jun 2020
    1. On April 24, the U.S. National Security Agency published an advisory document on the security of popular messaging and video conferencing platforms. The NSA document “provides a snapshot of best practices,” it says, “coordinated with the Department of Homeland Security.” The NSA goes on to say that it “provides simple, actionable, considerations for individual government users—allowing its workforce to operate remotely using personal devices when deemed to be in the best interests of the health and welfare of its workforce and the nation.” Again somewhat awkwardly, the NSA awarded top marks to WhatsApp, Wickr and Signal, the three platforms that are the strongest advocates of end-to-end message encryption. Just to emphasize the point, the first criteria against which NSA marked the various platforms was, you guessed it, end-to-end encryption.
  14. May 2020
    1. However, it's possible to enforce both a whitelist and nonces with 'strict-dynamic' by setting two policies:
    1. sadness.js will not load, however, as document.write() produces script elements which are "parser-inserted".
  15. developer.chrome.com developer.chrome.com
    1. If a user clicks on that button, the onclick script will not execute. This is because the script did not immediately execute and code not interpreted until the click event occurs is not considered part of the content script, so the CSP of the page (not of the extension) restricts its behavior. And since that CSP does not specify unsafe-inline, the inline event handler is blocked.
  16. Apr 2020
    1. Q. I would like a copy of my data from a breach, can you please send it to me? A. No, I cannot Q. I have a breach I would like to give you in exchange for “your” breach, can you please send it to me? A. No, I cannot Q. I’m a security researcher who wants to do some analysis on the breach, can you please send it to me? A. No, I cannot Q. I’m making a searchable database of breaches; can you please send it to me? A. No, I cannot Q. I have another reason for wanting the data not already covered above, can you please send it to me? A. No, I cannot
    1. The fact is that it doesn’t matter if you can see the threat or not, and it doesn’t matter if the flaw ever leads to a vulnerability. You just always follow the core rules and everything else seems to fall into place.
  17. Nov 2019
    1. Why can't I keep using script whitelists in CSP? The traditional approach of whitelisting domains from which scripts can be loaded is based on the assumption that all responses coming from a trusted domain are safe, and can be executed as scripts. However, this assumption does not hold for modern applications; some common, benign patterns such exposing JSONP interfaces and hosting copies of the AngularJS library allow attackers to escape the confines of CSP.
    1. However, a broader problem is that your script-src whitelist includes domains that host Javascript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).
  18. Sep 2019
  19. Feb 2016
    1. In Firefox, one can disable Content Security Policy by changing security.csp.enable to false in about:config

      Websites using Content Security Policy can be annoted with hypothes.is in Firefox by switching (in about:config ) security.csp.enable to false