]> pere.pagekite.me Git - homepage.git/blobdiff - blog/index.rss
projects / homepage.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Generated.
[homepage.git] / blog / index.rss
diff --git a/blog/index.rss b/blog/index.rss
index b86518e066f3e4147c022d55f31f263b39f296f8..8ddff65263b74520a52abed2b7ed376a8331da4b 100644 (file)
--- a/blog/index.rss
+++ b/blog/index.rss
@@ -6,6 +6,46 @@
                 <link>http://people.skolelinux.org/pere/blog/</link>
                 <atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
        
+       <item>
+               <title>Why is your site not using Content Security Policy / CSP?</title>
+               <link>http://people.skolelinux.org/pere/blog/Why_is_your_site_not_using_Content_Security_Policy___CSP_.html</link>
+               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Why_is_your_site_not_using_Content_Security_Policy___CSP_.html</guid>
+                <pubDate>Sun, 9 Dec 2018 15:00:00 +0100</pubDate>
+               <description>&lt;p&gt;Yesterday, I had the pleasure of watching on Frikanalen the OWASP
+talk by Scott Helme titled
+&quot;&lt;a href=&quot;https://frikanalen.no/video/626080/&quot;&gt;What We’ve Learned From
+Billions of Security Reports&lt;/a&gt;&quot;.  I had not heard of the
+&lt;a href=&quot;https://en.wikipedia.org/wiki/Content_Security_Policy&quot;&gt;Content
+Security Policy standard&lt;/a&gt; nor its ability to &quot;call home&quot; when a
+browser detect a policy breach (I do not follow web page design
+development much these days), and found the talk very illuminating.&lt;/p&gt;
+
+&lt;p&gt;The mechanism allow a web site owner to use HTTP headers to tell
+visitors web browser which sources (internal and external) are allowed to
+be used on the web site.  Thus it become possible to enforce a &quot;only
+local content&quot; policy despite web designers urge to fetch programs
+from random sites on the Internet, like the one
+&lt;a href=&quot;https://securityaffairs.co/wordpress/68966/hacking/browsealoud-plugin-hack.html&quot;&gt;enabling
+the attack&lt;/a&gt; reported by Scott Helme earlier this year.&lt;/p&gt;
+
+&lt;p&gt;Using CSP seem like an obvious thing for a site admin to implement
+to take some control over the information leak that occur when
+external sources are used to render web pages, it is a mystery more
+sites are not using CSP?  It is being
+&lt;a href=&quot;https://www.w3.org/TR/CSP/&quot;&gt;standardized under W3C&lt;/a&gt; these
+days, and is supposed by most web browsers&lt;/p&gt;
+
+&lt;p&gt;I managed to find &lt;a href=&quot;https://github.com/mozilla/django-csp&quot;&gt;a
+Django middleware for implementing CSP&lt;/a&gt; and was happy to discover
+it was already in Debian.  I plan to use it to add CSP support to the
+Frikanalen web site soon.&lt;/p&gt;
+
+&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
+</description>
+       </item>
+       
        <item>
                <title>New and improved Frikanalen Kodi addon version 0.0.3</title>
                <link>http://people.skolelinux.org/pere/blog/New_and_improved_Frikanalen_Kodi_addon_version_0_0_3.html</link>
@@ -656,36 +696,6 @@ up your disk if you are not careful.  Have fun. :)&lt;/p&gt;
 &lt;p&gt;I would love to get help maintaining this package.  Get in touch if
 you are interested.&lt;/p&gt;
 
-&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
-activities, please send Bitcoin donations to my address
-&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
-</description>
-       </item>
-       
-       <item>
-               <title>Using the Kodi API to play Youtube videos</title>
-               <link>http://people.skolelinux.org/pere/blog/Using_the_Kodi_API_to_play_Youtube_videos.html</link>
-               <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Using_the_Kodi_API_to_play_Youtube_videos.html</guid>
-                <pubDate>Sun, 2 Sep 2018 23:40:00 +0200</pubDate>
-               <description>&lt;p&gt;I continue to explore my Kodi installation, and today I wanted to
-tell it to play a youtube URL I received in a chat, without having to
-insert search terms using the on-screen keyboard.  After searching the
-web for API access to the Youtube plugin and testing a bit, I managed
-to find a recipe that worked.  If you got a kodi instance with its API
-available from http://kodihost/jsonrpc, you can try the following to
-have check out a nice cover band.&lt;/p&gt;
-
-&lt;p&gt;&lt;blockquote&gt;&lt;pre&gt;curl --silent --header &#39;Content-Type: application/json&#39; \
-  --data-binary &#39;{ &quot;id&quot;: 1, &quot;jsonrpc&quot;: &quot;2.0&quot;, &quot;method&quot;: &quot;Player.Open&quot;,
-  &quot;params&quot;: {&quot;item&quot;: { &quot;file&quot;:
-  &quot;plugin://plugin.video.youtube/play/?video_id=LuRGVM9O0qg&quot; } } }&#39; \
-  http://projector.local/jsonrpc&lt;/pre&gt;&lt;/blockquote&gt;&lt;/p&gt;
-
-&lt;p&gt;I&#39;ve extended kodi-stream program to take a video source as its
-first argument.  It can now handle direct video links, youtube links
-and &#39;desktop&#39; to stream my desktop to Kodi.  It is almost like a
-Chromecast. :)&lt;/p&gt;
-
 &lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
 activities, please send Bitcoin donations to my address
 &lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
Nettsider og blogg.