My Blog Now Has a Content Security Policy - Here's How I've Done It

Troy Hunt

I'm a fan (which is why I also recently joined Report URI), and if you're running a website, you should be too. However, you can add a CSP via meta tag and indeed that's what I originally did with the upgrade-insecure-requests implementation I mentioned earlier when I fixed the Disqus issue.

A flaw in Microsoft OAuth authentication could lead Azure account takeover

Security Affairs

An attacker could embed an iframe tag into a website with the “src” attribute set to the crafted link, then trick the victim into visiting it. Below the vulnerability timeline:
29/10/19 – The vulnerability found
30/10/19 – Vulnerability reported to Microsoft
31/10/19 – Report was closed by Microsoft – ?!? “While OAuth 2.0

New Pluralsight Course: Modern Web Security Patterns

Troy Hunt

Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break the site. Let me paraphrase: Bank: We're thinking of using SRI to protect malicious modification of scripts we load in from a partner.

Mmm. Pi-hole.

Troy Hunt

No HTML tags. 2,663 requests (one of which was to Report URI, thank you very much!) Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all.

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). Logging on to Report URI and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with.

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

That's pretty much XSS 101 - just get an alert box to fire - and reflecting a script tag is one of the most fundamental techniques attackers use to run their script on your website. My involvement has really ramped up in recent times though, especially with my announcement a couple of weeks ago about joining Report URI.

Report URI Just Won the Best Emerging Technology Award!

Troy Hunt

SCAwards2018 pic.twitter.com/Gv7hhzT9T2 — Report URI (@reporturi) June 5, 2018. Today, we're supporting hundreds of millions of reports every single day - many billions a month - and increasingly seeing some pretty big names send their CSP, HPKP, XSS, Expect-CT and Expect-Staple reports to us.