+ <div class="entry">
+ <div class="title"><a href="http://people.skolelinux.org/pere/blog/Why_is_your_site_not_using_Content_Security_Policy___CSP_.html">Why is your site not using Content Security Policy / CSP?</a></div>
+ <div class="date"> 9th December 2018</div>
+ <div class="body"><p>Yesterday, I had the pleasure of watching on Frikanalen the OWASP
+talk by Scott Helme titled
+"<a href="https://frikanalen.no/video/626080/">What We’ve Learned From
+Billions of Security Reports</a>". I had not heard of the
+<a href="https://en.wikipedia.org/wiki/Content_Security_Policy">Content
+Security Policy standard</a> nor its ability to "call home" when a
+browser detect a policy breach (I do not follow web page design
+development much these days), and found the talk very illuminating.</p>
+
+<p>The mechanism allow a web site owner to use HTTP headers to tell
+visitors web browser which sources (internal and external) are allowed to
+be used on the web site. Thus it become possible to enforce a "only
+local content" policy despite web designers urge to fetch programs
+from random sites on the Internet, like the one
+<a href="https://securityaffairs.co/wordpress/68966/hacking/browsealoud-plugin-hack.html">enabling
+the attack</a> reported by Scott Helme earlier this year.</p>
+
+<p>Using CSP seem like an obvious thing for a site admin to implement
+to take some control over the information leak that occur when
+external sources are used to render web pages, it is a mystery more
+sites are not using CSP? It is being
+<a href="https://www.w3.org/TR/CSP/">standardized under W3C</a> these
+days, and is supposed by most web browsers</p>
+
+<p>I managed to find <a href="https://github.com/mozilla/django-csp">a
+Django middleware for implementing CSP</a> and was happy to discover
+it was already in Debian. I plan to use it to add CSP support to the
+Frikanalen web site soon.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
+</div>
+ <div class="tags">
+
+
+ Tags: <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/standard">standard</a>, <a href="http://people.skolelinux.org/pere/blog/tags/web">web</a>.
+
+
+ </div>
+ </div>
+ <div class="padding"></div>
+
<div class="entry">
<div class="title"><a href="http://people.skolelinux.org/pere/blog/New_and_improved_Frikanalen_Kodi_addon_version_0_0_3.html">New and improved Frikanalen Kodi addon version 0.0.3</a></div>
<div class="date"> 8th November 2018</div>
</div>
<div class="padding"></div>
- <div class="entry">
- <div class="title"><a href="http://people.skolelinux.org/pere/blog/Using_the_Kodi_API_to_play_Youtube_videos.html">Using the Kodi API to play Youtube videos</a></div>
- <div class="date"> 2nd September 2018</div>
- <div class="body"><p>I continue to explore my Kodi installation, and today I wanted to
-tell it to play a youtube URL I received in a chat, without having to
-insert search terms using the on-screen keyboard. After searching the
-web for API access to the Youtube plugin and testing a bit, I managed
-to find a recipe that worked. If you got a kodi instance with its API
-available from http://kodihost/jsonrpc, you can try the following to
-have check out a nice cover band.</p>
-
-<p><blockquote><pre>curl --silent --header 'Content-Type: application/json' \
- --data-binary '{ "id": 1, "jsonrpc": "2.0", "method": "Player.Open",
- "params": {"item": { "file":
- "plugin://plugin.video.youtube/play/?video_id=LuRGVM9O0qg" } } }' \
- http://projector.local/jsonrpc</pre></blockquote></p>
-
-<p>I've extended kodi-stream program to take a video source as its
-first argument. It can now handle direct video links, youtube links
-and 'desktop' to stream my desktop to Kodi. It is almost like a
-Chromecast. :)</p>
-
-<p>As usual, if you use Bitcoin and want to show your support of my
-activities, please send Bitcoin donations to my address
-<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
-</div>
- <div class="tags">
-
-
- Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian">debian</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/kodi">kodi</a>, <a href="http://people.skolelinux.org/pere/blog/tags/video">video</a>.
-
-
- </div>
- </div>
- <div class="padding"></div>
-
<p style="text-align: right;"><a href="index.rss"><img src="http://people.skolelinux.org/pere/blog/xml.gif" alt="RSS feed" width="36" height="14" /></a></p>
<div id="sidebar">
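Review bot: the new entry's body (the `+` lines from "Yesterday, I had the pleasure" through "is supposed by most web browsers") has several grammar slips and one likely typo that should be fixed before this index is published, since the text is repeated on the post page and in the RSS feed. "when a browser detect a policy breach" should read "detects"; "The mechanism allow a web site owner ... visitors web browser" should read "allows" and "visitors' web browsers"; "Thus it become possible" should read "becomes"; "despite web designers urge" needs the possessive "designers'"; "Using CSP seem like an obvious thing ... the information leak that occur" should read "seems" and "occurs", and the sentence that follows ("it is a mystery more sites are not using CSP?") is a run-on that would read better split into two sentences ("... render web pages. It is a mystery why more sites are not using CSP."). In the last line of that paragraph, "is supposed by most web browsers" is almost certainly "is supported by most web browsers", and the sentence is missing its terminating period before `</p>`. The security point the post makes is otherwise sound as written: CSP's value here is both the allow-list of sources and the violation reports that let a site owner detect unexpected third-party content, so it is worth keeping the "call home" sentence intact once the grammar is corrected.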
<li><a href="http://people.skolelinux.org/pere/blog/archive/2018/11/">November (2)</a></li>
+<li><a href="http://people.skolelinux.org/pere/blog/archive/2018/12/">December (1)</a></li>
+
</ul></li>
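Review bot: the empty `+` line inserted directly after the new "December (1)" archive link (just before `</ul></li>`) looks like a stray newline from the generator; it is harmless in HTML but inconsistent with the "November (2)" line above it, which has no blank line after it, so either drop it or apply the same spacing to every month entry.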
<li>2017
<li><a href="http://people.skolelinux.org/pere/blog/tags/drivstoffpriser">drivstoffpriser (4)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (392)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/english">english (393)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/fiksgatami">fiksgatami (23)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/skepsis">skepsis (5)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (57)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/standard">standard (58)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/stavekontroll">stavekontroll (6)</a></li>
<li><a href="http://people.skolelinux.org/pere/blog/tags/vitenskap">vitenskap (4)</a></li>
- <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (41)</a></li>
+ <li><a href="http://people.skolelinux.org/pere/blog/tags/web">web (42)</a></li>
</ul>
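Review bot: the tag-count changes (english 392 to 393, standard 57 to 58, web 41 to 42) match exactly the three tags on the new CSP entry, but the tags of the removed "Using the Kodi API to play Youtube videos" entry (debian, english, kodi, video) are not decremented. That is correct only if the September post is merely rolling off the front-page index rather than being deleted from the blog; since the diff shows no other hunk touching the kodi, video or debian counts, please confirm that the September post is still present on the tag and archive pages so the counts do not drift from the actual number of posts.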