First go at a Content Security Policy

 I had a first go at a 'Content Security Policy' (CSP).


I added HTTP headers to the '.htaccess' file on my website:


    Header add Content-Security-Policy "default-src 

    'unsafe-inline' https://bbingo.xyz data:;"


    'Header add Access-Control-Allow-Origin "*"


I really need to put my styles and scripts in separate files. Allowing inline styles and scripts is unsafe, so I have to say 'unsafe-inline'. A workaround would be to put hashes of the scripts in the CSP headers. I say 'data:' as I have some SVGS's encoded inline in a data URL.


Content Security Policies are meant to stop cross-site scripting attacks and work by telling the browser to only use resources from specific locations.


My tips page is attached to my pages on Sourceforge so I need to allow access to the favicon and manifest which are on my website at 'bbingo.xyz'. So I include the second header .


There are more tips at: bbingo.xyz/t

Comments

Post a Comment

Popular posts from this blog

Steve Jobs quotes

 There are some good quotes from Steve Jobs at 'wikiquote.org'. Here are some:     - "I would trade all of my technology for an afternoon with Socrates",     - "Real artists ship",     - "Do you want to spend the rest of your life selling sugared water or do you want a chance to change the world?",     - "It's more fun to be a pirate than to join the Navy",     - "The only problem with Microsoft is they just have no taste",     - "We hired truly great people and gave them the room to do great work",     - "The management philosophy here really is to give people enough rope to hang themselves",     - "You've got to start with the customer experience and work backwards to the technology",     - "Nobody has tried to swallow us since I've been here. I think they are afraid how we would taste.",     - "It looks like it's from another planet. A good planet. A planet with bet...
Read more

Dark mode using 'invert' does not work on Firefox

 Implementing 'dark mode' with 'invert' on the 'html' tag does not seem to work on the old Firefox used in my local libraries. This version of Firefox does not invert the background. This Firefox just inverts the elements you add. The Firefox developers feel they are following the specification. Using 'invert' when there is an 'overlay' scrollbar on Chrome sometimes makes the scrollbar disappear. I am using the last version of Chrome on Windows7. I understand 'overlay' scrollbars have been removed from the latest versions of Chrome. Of course, a dark scrollbar on a black background does not make sense. So I would need to use 'color-scheme' to change the color of the scrollbar. But 'invert' does not work well with 'color-scheme'. I could not set the colour of this 'overlay' scrollbar with properties like '-webkit-scrollbar-thumb'.  So I am going to have to implement 'dark mode' by setting the...
Read more

Free quotes

 'wikiquote.org' has some good quotes with a Creative Commons license. 'brainyquote.com' has better quotes but they are only free to use for personal use. There are more tips at:  bbingo.xyz/t
Read more