csp - Dave's Blog

Search

Tweet from David Risney

2016 Aug 31, 6:09
CSP about:blank frame inherits CSP from parent. about:blank child window doesn't despite having same origin http://output.jsbin.com/zesiwituyu/ 
PermalinkComments

Tweet from David Risney

2016 Aug 31, 6:06
Would be nice if CSP could help. CSP can block frame navigating parent but not window navigating opener https://twitter.com/bendhalpern/status/771021574426267648 
PermalinkComments

Tweet from David_Risney

2016 Feb 20, 1:40
Preview of Obama's post presidency standup tour @CSPANVL http://www.c-span.org/video/?c4558279/obama-ribs-republicans-candidates …
PermalinkComments

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Tweet from David_Risney

2016 Jan 3, 10:28
CSP report gripe: no distinction between violation of unsafe-eval and unsafe-inline. I use 2 hdrs w diff rules & report URIs to distinguish.
PermalinkComments

Tweet from David_Risney

2015 Aug 3, 12:18
I watched ep1 of Murder in the First last night and Taye Diggs followed me this morning. Coincidence? Or maybe he's into my CSP extension.
PermalinkComments

Retweet of troyhunt

2015 Aug 2, 10:14
Just gave the CSP Rule Collector Fiddler extension from @David_Risney a run. This is excellent, highly recommended! https://twitter.com/ericlaw/status/627572451015168000 …
PermalinkComments

David_Risney: Just put up CSP Fiddler extension to help figure out minimum required CSP rules for web pages.

2015 Jan 24, 5:32
David Risney @David_Risney :
Just put up CSP Fiddler extension https://github.com/david-risney/CSP-Fiddler-Extension … to help figure out minimum required CSP rules for web pages.
PermalinkComments

Detect login with CSP - When Security Generates Insecurity

2014 Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

URI Addressable Text Adventure Games

2008 Mar 2, 9:18

This post is about creating a server side z-code interpreter that represents game progress in the URI. Try it with the game Lost Pig.

I enjoy working on URIs and have the mug to prove it. Along those lines I've combined thoughts on URIs with interactive fiction. I have a limited amount of experience with Inform which generates Z-Code so I'll focus on pieces written in that. Of course we can already have URIs identifying the Z-Code files themselves, but I want URIs to identify my place in a piece of interactive fiction. The proper way to do this would be to give Z-Code its own mimetype and associate with that mimetype the format of a fragment that would contain the save state of user's interactive fiction session. A user would install a browser plugin that would generate URIs containing the appropriate fragment while you play the IF piece and be able to load URIs identifying Z-Code files and load the save state that appears in the fragment.

But all of that would be a lot of work, so I made a server side version that approximates this. On the Web Frotz Interpreter page, enter the URI of a Z-Code file to start a game. Enter your commands into the input text box at the bottom and you get a new URI after every command. For example, here's the beginning of Zork. I'm running a slightly modified version of the Unix version of Frotz. Baf's Guide to the IF Archive has lists of IF games to try out.

There are two issues with this thought, the first being the security issues with running arbitrary z-code and the second is the practical URI length limit of about 2K in IE. From the Z-Code standard and the Frotz source it looks like 'save' and 'restore' are the only commands that could do anything interesting outside of the Z-Code virtual machine. As for the length-limit on URIs I'm not sure that much can be done about that. I'm using a base64 encoded copy of the compressed input stream in the URI now. Switching to the actual save state might be smaller after enough user input.

PermalinkCommentszork frotz interactive-fiction zcode if technical uri fragment

Kitten Captcha (MSR Asirra Project)

2007 Mar 16, 3:41This is a Microsoft research project that uses kittens to prove your humanity. This is very similar to something I've linked previously: http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenauthPermalinkCommentscaptcha security spam microsoft research development tool free web

C-SPAN to make most video of Congress freely available online

2007 Mar 8, 7:50PermalinkCommentscongress politics copyright video cspan
Older Entries Creative Commons License Some rights reserved.