First go at a Content Security Policy

 I had a first go at a 'Content Security Policy' (CSP).


I added HTTP headers to the '.htaccess' file on my website:


    Header add Content-Security-Policy "default-src 

    'unsafe-inline' https://bbingo.xyz data:;"


    'Header add Access-Control-Allow-Origin "*"


I really need to put my styles and scripts in separate files. Allowing inline styles and scripts is unsafe, so I have to say 'unsafe-inline'. A workaround would be to put hashes of the scripts in the CSP headers. I say 'data:' as I have some SVGS's encoded inline in a data URL.


Content Security Policies are meant to stop cross-site scripting attacks and work by telling the browser to only use resources from specific locations.


My tips page is attached to my pages on Sourceforge so I need to allow access to the favicon and manifest which are on my website at 'bbingo.xyz'. So I include the second header .


There are more tips at: bbingo.xyz/t

Comments

Post a Comment

Popular posts from this blog

webkit-tap-highlight-color in CSS

 I almost used '-webkit-tap-highlight-color' to remove the blue highlight when you tap an item on a mobile with Chrome.  My item had an odd shape. But it seems you also need to set 'outline: none' on recent versions of Chrome. But this causes an accessibility problem. So I just gave my item a regular shape and kept the blue highlight There are more tips at:  bbingo.xyz/techtips/
Read more

Steve Jobs quotes

 There are some good quotes from Steve Jobs at 'wikiquote.org'. Here are some:     - "I would trade all of my technology for an afternoon with Socrates",     - "Real artists ship",     - "Do you want to spend the rest of your life selling sugared water or do you want a chance to change the world?",     - "It's more fun to be a pirate than to join the Navy",     - "The only problem with Microsoft is they just have no taste",     - "We hired truly great people and gave them the room to do great work",     - "The management philosophy here really is to give people enough rope to hang themselves",     - "You've got to start with the customer experience and work backwards to the technology",     - "Nobody has tried to swallow us since I've been here. I think they are afraid how we would taste.",     - "It looks like it's from another planet. A good planet. A planet with bet
Read more