chloe chloenlpvlemmmmd.onion




CSP hash on scripts, SRI and 'require-sri-for' - no more 'self'!

In Content Security Policy (CSP) version 3 it will be possible to allow hash expressions for script files, that is, .js files. This was not possible in »

chloe on Web, English | 12 April 2017

Dealing with user uploaded files

If you have a website that lets the user upload some sort of file, for example profile pictures/avatars, attachments, etc., you can use web browser »

chloe on Web, English | 04 December 2016

About the security implementations in Tor

Tor is a very interesting project and is unique of its kind. Tor is not perfect but Tor is designed to prevent many of the known »

chloe on English, Tor, Privacy | 10 September 2016

(Sub)origins - An introduction to Suborigins

Same-origin policy [RFC6454] (SOP) is one of the most important security features we have on the web. For instance, without SOP it could be possible for any »

chloe on Web | 01 September 2016

More control with Clear-Site-Data and Feature-Policy

W3C and WICG (Web Incubator CG) keep pushing out new defense technologies this year. This article will briefly describe two new headers. We will discuss their »

chloe on English, Web | 19 August 2016

Protect against Cache-attacks

I asked my friend (or enemy depending how you look at it) avlidienbrunn if he could name an interesting attack and he said "cache attacks". Indeed, »

chloe on English, Web | 16 August 2016

Let's look at some of the security at GitHub

GitHub is well known for its awesome security and has often been first in line to deploy new security mechanisms in production. However, some of the »

chloe on English, Web | 15 August 2016

Increase security by enforcing multiple Content Security Policies

In my article "I don't trust your browser" I wrote about using CSP as a <meta> tag and in the response headers that »

chloe on English, Web | 07 August 2016

Hardened Content-Security-Policy - Part 2

This is the second blog post in the series Hardened Content-Security-Policy where I write about some tips for securing Content-Security-Policy (CSP). Part 1 can be found »

chloe on English, Web | 30 July 2016

Bypassing paths in CSP with open redirects + mitigation

In CSP > 1 you can use paths instead of just origin (scheme, port & domain) to specify a whitelisted resource. For example, script-src »

chloe on English, Web | 25 July 2016

Protect against HTML-extraction

Imagine that a hacker has managed to inject HTML into Facebook's login page. Extremely serious. But, to Facebook's advantage, Content Security Policy (CSP) is in use »

chloe on English, Web | 19 July 2016

Hardening Content Security Policy (CSP)

CSP is a great invention, but it can still be implemented poorly and not give its intended protection. Even more can CSP protect against more than »

chloe | 24 June 2016

I don't trust your browser

Lately I've been analyzing a huge CSP-report file and most of the reports are actually due to browser behaviors such as extensions or some other form »

chloe on English, Web | 20 June 2016

Smart detection for passive sniffing in the Tor-network

If you haven't yet read about my previous research regarding finding bad exit nodes in the Tor network you can read it here. But the tl; »

chloe on English, Privacy, Tor | 16 June 2016

Fixing the CA PKI

The CA PKI That the Certificate Authority Public Key Infrastructure (CA PKI) is broken is probably something we already know by now. Although, I would still »

chloe on English, Privacy | 27 May 2016
© 2017