CSP, SRI and CORS

Written on 13 February 2018, 09:10pm


Content Security Policy (CSP)

Modern browsers interpret the Content-Security-Policy HTTP header, which defines which dynamic assets (scripts, styles, XMLHttpRequest endpoints and so on) a given page is allowed to load. Alternatively, the policy can be delivered in a <meta http-equiv="Content-Security-Policy"> tag.

Example (the text after each directive is an annotation, not part of the header value):

default-src 'self';                            allow everything, but only from the same origin
script-src 'self' https://example.eu/myapp;    allow JS, but only from example.eu and the same origin
connect-src 'self' https://example.eu/myapp;   allow XMLHttpRequests, but only to example.eu and the same origin

You can find all the possible directives here and a tool that can generate your CSP header here.

The amazing thing about CSP is the report-uri directive, which makes the browser report each deviation from the policy to the specified URL:

Content-Security-Policy: default-src 'self'; 
report-uri http://reportcollector.example.com/collector.cgi 

One of the services collecting such reports is report-uri.com.
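As an added example (not code from the original post), here is what the two halves of this look like on the server in Node.js: building the header value from the policy above, and reducing the JSON report a browser POSTs to the report-uri collector to the fields worth triaging. The collector hostname comes from the post; the sample report and third-party host are constructed.

```javascript
// Added example (not code from the original post): build the CSP header value
// from a policy object and triage the JSON report a browser POSTs to the
// report-uri collector. The hostnames and the sample report are constructed.

// The post's policy as an object: directive -> list of sources.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://example.eu/myapp'],
  'connect-src': ["'self'", 'https://example.eu/myapp'],
  'report-uri': ['http://reportcollector.example.com/collector.cgi'],
};

// Serialise a policy object into a Content-Security-Policy header value.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => directive + ' ' + [].concat(sources).join(' '))
    .join('; ');
}

// Reduce a report-uri POST body (Content-Type: application/csp-report) to the
// fields a triage queue needs. Returns null for malformed or non-CSP bodies.
function summarizeReport(body, policy) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  const blocked = String(r['blocked-uri'] || '');
  let blockedHost = blocked;      // 'inline', 'eval' and 'data' arrive as bare keywords
  let isHost = false;
  try { blockedHost = new URL(blocked).host; isHost = true; } catch (e) { /* keep keyword */ }
  return {
    page: String(r['document-uri'] || ''),
    directive: String(r['effective-directive'] || r['violated-directive'] || ''),
    blockedHost,
    // A real host that appears nowhere in the policy is the signal worth alerting
    // on: an injected third-party script looks exactly like this from the server.
    unexpected: isHost && !buildCsp(policy).includes(blockedHost),
  };
}

// Constructed sample of the report a browser sends when the policy above blocks
// a script from a host that is not on the script-src list.
const SAMPLE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://www.example.com/index.html',
  'violated-directive': 'script-src', 'effective-directive': 'script-src',
  'original-policy': buildCsp(POLICY), 'status-code': 200,
  'blocked-uri': 'https://third-party.example/unapproved.js',
} });

console.log(summarizeReport(SAMPLE_REPORT, POLICY));
```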

Subresource Integrity (SRI)

SRI is a very simple and effective concept: modern browsers load a given asset only if its hash matches the one given in the integrity attribute.

So instead of doing this:

<script src="//www.example.com/script.js" type="text/javascript"></script>

it’s recommended to do this:

<script src="//www.example.com/script.js" type="text/javascript"
integrity="sha256-Abhisa/nS9WMne/YX+dqiFINl+JiE15MCWvASJvVtIk="
crossorigin="anonymous"></script>

or even better, link each version of the remote asset with its own URL and hash:

<script src="//www.example.com/1.0.1/script.js" type="text/javascript"
integrity="sha256-Cng8gUe98XCqh5hc8nAM3y5I1iQHBjzOl8X3/iAd4jE=" 
crossorigin="anonymous"></script>

Cross-Origin Resource Sharing (CORS)

Problem:
– a script on client.com wants to access some data from server.com (e.g. via XMLHttpRequest)
– by default, the browser's same-origin policy blocks this request

Solution:
– by adding a few special response headers, server.com can allow the script on client.com to read the data.

Modern browsers implement a mechanism that lets scripts (for example via XMLHttpRequest) make cross-domain requests. This is Cross-Origin Resource Sharing, and it uses a relatively rarely used HTTP request method (OPTIONS, for the so-called preflight) plus several headers: Access-Control-Request-Method and Access-Control-Request-Headers on the preflight request, and Access-Control-Allow-Origin and its siblings on the server's response.
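As an added example (not code from the original post), here is the server.com side of that exchange in Node.js: one function decides, for a given request from a script on client.com, whether to answer a preflight and which Access-Control-* headers to attach. The policy values are a hypothetical configuration, and the request objects are constructed.

```javascript
// Added example (not code from the original post): the server.com side of CORS
// for a script on client.com. The policy values are a hypothetical configuration.
const CORS_POLICY = {
  origins: ['https://client.com'],   // exact origins; never '*' when credentials are allowed
  methods: ['GET', 'POST'],
  headers: ['content-type', 'x-requested-with'],
  credentials: true,
  maxAge: 600,                       // seconds the browser may cache a preflight result
};

// Decide which CORS response headers to attach to one request. Header names in
// req.headers are lower-case, as Node's http module delivers them. Returns
// { status, headers }: 204 or 403 ends a preflight, null means "run the normal
// handler and add these headers to its response".
function corsResponse(req, policy) {
  const h = req.headers;
  const origin = h.origin;
  if (!origin) return { status: null, headers: {} };    // same-origin or non-browser client
  const reqMethod = h['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && !!reqMethod;
  const out = { Vary: 'Origin' };      // shared caches must key the answer on Origin
  if (!policy.origins.includes(origin) ||
      (isPreflight && !policy.methods.includes(reqMethod.toUpperCase()))) {
    // Deny by omission: without Access-Control-Allow-* the browser blocks the read.
    return { status: isPreflight ? 403 : null, headers: out };
  }
  out['Access-Control-Allow-Origin'] = origin;   // echo the allowed origin, not '*'
  if (policy.credentials) out['Access-Control-Allow-Credentials'] = 'true';
  if (!isPreflight) return { status: null, headers: out };
  // Preflight: grant only the requested headers that the policy permits.
  const wanted = String(h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const granted = wanted.filter((name) => policy.headers.includes(name));
  out['Access-Control-Allow-Methods'] = policy.methods.join(', ');
  if (granted.length) out['Access-Control-Allow-Headers'] = granted.join(', ');
  out['Access-Control-Max-Age'] = String(policy.maxAge);
  return { status: 204, headers: out };
}

// Constructed preflight, as the browser sends it before a POST with a custom header.
console.log(corsResponse({ method: 'OPTIONS', headers: {
  origin: 'https://client.com',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'Content-Type, X-Secret',
} }, CORS_POLICY));
```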

Resources from the Mozilla Developer Network (MDN):

Glossary: CSP, SRI, CORS

Technical details: CSP, SRI, CORS

Context

Over the weekend, hackers injected thousands of websites—including UK and US government sites—with code that hijacked visitors’ computers to mine cryptocurrency.

The attack, noticed on Sunday by security researcher Scott Helme, was pulled off by compromising a single plugin that was used by all of the affected sites: Browsealoud, a reputable suite of accessibility and translation tools. According to Helme, the plugin was edited by attackers to embed a script that uses a site visitor’s computer to do the complex math that generates new digital coins (in this case, Monero). This process, known as “mining,” can slow down the victim’s computer.

The attack loaded malicious Javascript onto visitors’ computers. The hackers behind the attack chose to mine cryptocurrency, but they had the power to do almost whatever they wanted.
Cryptocurrency Mining Hack That Compromised Thousands of Sites ‘Could Have Been a Catastrophe’

Scott Helme: Protect your site from Cryptojacking with CSP + SRI
Troy Hunt: Trust in Third Party Libraries

Working around a metered paywall

Written on 11 March 2017, 10:20pm


Back in 2011, when I started this blog, I had a list of things I wanted to talk about. I recently reviewed this list and I noticed that one of my questions back then was about the restriction of content: after reaching a certain number of free articles, some websites ask you to pay before continuing. This system is called a metered paywall, and one example of a website using this mechanism is NYTimes.com.

I was curious about the technical implementation of this system and I did a little research (fun Saturday evening project 🙂 ). After reaching the maximum number of free articles, I tried to see how easy it is to continue reading.
First, with the stateless design of HTTP in mind, I tried clearing the browser storage:

No success, so moving on.
Second, I noticed that I could bypass the metered paywall by opening articles in incognito windows.
Third, I also noticed that disabling JavaScript in a normal browser window also turned off the paywall:

This only means one thing: that the NYTimes metered paywall is client-side only, meaning that it can be overridden by disabling JavaScript. I was expecting a server side implementation, but it looks like the client-side was enough for NYTimes.
With this in mind, it took me only a few minutes to find the JS file implementing the metered paywall and add it to AdBlock Plus. I will not disclose it here; the plan is to get in touch with NYTimes to confirm this is the intended behavior. I’ll update this post if I have more news.

PS: Yes, I do have a NYTimes subscription 🙂

Update April 2017: I cancelled my NY Times subscription:

Getting started with node.js

Written on 4 December 2012, 09:35pm


Update: Today only, 11 December, you can get the Jump Start Node.js eBook for $11 instead of $19: http://xmas.sitepoint.com/#day/13
Or you can get the Node.js + CoffeeScript bundle for $19.
——————————–
The guys at SitePoint have a good starting point if you wish to start learning node.js: Jump Start Node.js.
In no more than 30 minutes you can create your first node.js application that connects to MongoDB to insert data.
Step 1: Watch the video below (6 minutes)

Step 2: Download the first chapter of the book for free (2 minutes)
Step 3: Follow the example explained in this chapter (22 minutes 🙂 ).
You will need to create a free MongoLab account to have your database in the cloud.
You will have to add/edit the following pages:

  • app.js
  • form.html
  • package.json
  • lib/db.js
  • models/User.js

In the end, the app tree should look like:

The digital edition of the book costs $19.

Node.js is different. It lets you write front-end AND back-end code in a unified language, leading to staggeringly fast and scalable projects!