Do connection and message coexist in CSP / Pi calculus?

Berkeley Socket API has two different kinds of network sockets:

  • byte stream sockets: connection-oriented and message-less
  • datagram sockets: connection-less and message-oriented.

In Pi Calculus (and CSP), there is both channel and message.

  • Is it correct that a channel is a connection? Or what is the difference between them?
  • How do connection and message coexist and work together?

Thanks.

content security policy – What do I risk if I use CSP header style-src-attr 'unsafe-hashes'

I’m wondering if I’m risking anything if I use

style-src-attr 'unsafe-hashes' <hash>

in my CSP header.

I need to allow an external script to run, and it uses the style attribute on some elements.

I have no control over the external script, and if there is a malicious person behind it, what might an attack vector be? (considering unsafe-inline has not been added)

How can a style attribute execute scripts or access my DOM or otherwise cause anything harmful to happen?

magento2 – CSP Whitelist like ignored. How to set it?

I’m trying to set the CSP whitelist for Magento. I tried in many ways but I’m not able to make it work.

The module is enabled but csp_whitelist.xml seems to be ignored. After changing the file I ran, of course, setup:upgrade and cleared the cache.

My configuration:

  • Magento 2.4.0 served by Apache
  • Varnish Cache in front of Apache
  • Nginx as reverse proxy and SSL Termination in front of Varnish

This is the app/code/Vendor/Module/ I created:

registration.php

<?php

\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE,
    'Vendor_Module',
    __DIR__
);

etc/module.xml

<?xml version="1.0" ?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
    <module name="Vendor_Module" setup_version="1.0.0"/>
</config>

etc/config.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
    <default>
        <csp>
            <mode>
                <storefront>
                    <report_uri></report_uri>
                    <report_only>1</report_only>
                </storefront>
                <admin>
                    <report_uri></report_uri>
                    <report_only>1</report_only>
                </admin>
            </mode>
        </csp>
    </default>
</config>

etc/csp_whitelist.xml

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <policy id="default-src">
            <values>
                <value id="paypal" type="host">*.paypal.com</value>
            </values>
        </policy>
        <policy id="script-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="googletagmanager.com" type="host">googletagmanager.com</value>
                <value id="google" type="host">*.google.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="trustedshops" type="host">*.trustedshops.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="addthis.com" type="host">*.addthis.com</value>
                <value id="s7.addthis.com" type="host">s7.addthis.com</value>
                <value id="m.addthis.com" type="host">m.addthis.com</value>
                <value id="addthis-analytics" type="host">z.moatads.com</value>
                <value id="addthis-cdn" type="host">*.addthisedge.com</value>
                <value id="googleapis" type="host">apis.google.com</value>
                <value id="graph-facebook" type="host">graph.facebook.com</value>
                <value id="widgets-pinterest" type="host">widgets.pinterest.com</value>
            </values>
        </policy>
        <policy id="style-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="fontawesomecdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>
        <policy id="img-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="googleadservices" type="host">*.googleadservices.com</value>
                <value id="google-analytics" type="host">*.google-analytics.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="vimeocdn" type="host">*.vimeocdn.com</value>
                <value id="data" type="host">'self' data:</value>
            </values>
        </policy>
        <policy id="connect-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="paypal" type="host">*.paypal.com</value>
            </values>
        </policy>
        <policy id="font-src">
            <values>
                <value id="cloudflare" type="host">*.cloudflare.com</value>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="gstatic" type="host">*.gstatic.com</value>
                <value id="typekit" type="host">*.typekit.net</value>
                <value id="googleapis" type="host">*.googleapis.com</value>
                <value id="fontawesome" type="host">*.fontawesome.com</value>
                <value id="fontawesomecdn" type="host">*.bootstrapcdn.com</value>
            </values>
        </policy>

        <policy id="frame-src">
            <values>
                <value id="twitter.com" type="host">*.twitter.com</value>
                <value id="google.com" type="host">*.google.com</value>
                <value id="addthis.com" type="host">*.addthis.com</value>
            </values>
        </policy>

        <policy id="form-action">
            <values>
                <value id="twitter.com" type="host">*.twitter.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>

Any Ideas?

CSP heuristics to help avoid redundancy while checking values for constraint inconsistency?

I’m a complete beginner. Please forgive my ignorance.

Trying to learn about CSP online, I noticed a lot of the focus on search methods and heuristics which tell you which variable to expand next (e.g. most constrained variable) and those that tell you which value to try first (e.g. least constraining value), but I’ve yet to see heuristics that relate to the ordering of constraints. Since I’m doing everything by hand, I notice a lot of redundancy when eliminating values from variable domains. How do you go about checking for violated constraints in a way that is efficient?

Say constraint A will have me eliminate odd numbers 1 to 1000 and constraint B will have me wipe out everything above 250. Intuitively, it feels like order matters, as I would waste my time cherry-picking even numbers above 250 only to later find out that anything above 250 was not consistent in the first place.

I apologize for lacking the proper terminology; my understanding is mostly intuitive. I hope it makes sense. Thanks in advance! I’m mostly looking to acquire a conceptual understanding of selected topics in computer science, so if you have book recommendations or any resource that would be appropriate for me as an interested layman, please don’t hesitate!
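The ordering effect described in the post can be made concrete. This is an added example, not code from the post: two unary constraints prune one variable's domain 1..1000, the number of constraint evaluations is counted for each order, and a simple selectivity estimate on a small evenly spaced sample (step 25, an assumption) picks the most restrictive constraint first.

```python
# Constructed domain and the two constraints described in the post.
DOMAIN = range(1, 1001)

def is_even(v):            # constraint A: eliminates the odd numbers
    return v % 2 == 0

def at_most_250(v):        # constraint B: eliminates everything above 250
    return v <= 250

def node_consistent(domain, constraints):
    """Prune `domain` with each unary constraint in turn.
    Returns (surviving values, number of constraint evaluations). Every value that
    survives one constraint is tested again by the next, so applying the most
    restrictive constraint first spends fewer tests on values doomed anyway."""
    values, checks = list(domain), 0
    for c in constraints:
        checks += len(values)            # one evaluation per value still in the domain
        values = [v for v in values if c(v)]
    return values, checks

def estimate_order(domain, constraints, step=25):
    """Rank constraints by how much of a small evenly spaced sample each rejects
    (most restrictive first). Returns (ordered constraints, sample evaluations)."""
    sample = list(domain)[::step]
    rejected = {c: sum(1 for v in sample if not c(v)) for c in constraints}
    order = sorted(constraints, key=lambda c: rejected[c], reverse=True)
    return order, len(sample) * len(constraints)

def prune_with_estimate(domain, constraints, step=25):
    """Estimate the order on a sample, then prune; the total counts the sample too."""
    order, sample_checks = estimate_order(domain, constraints, step)
    values, checks = node_consistent(domain, order)
    return values, checks + sample_checks
```

For this domain, A-then-B costs 1500 evaluations and B-then-A 1250; the sampled estimate picks B first and lands at 1330 including the 80 evaluations spent on the sample.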

magento2.4 – Magento 2.4 CSP

I’ve got a whitelist csp_whitelist.xml with the following –

<?xml version="1.0"?>
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
<policies>
    <policy id="script-src">
        <values>
            <value id="cloudflare" type="host">*.cloudflare.com</value>
            <value id="twitter.com" type="host">*.twitter.com</value>
            <value id="google-analytics" type="host">*.google-analytics.com</value>
            <value id="twimg" type="host">*.twimg.com</value>
            <value id="gstatic" type="host">*.gstatic.com</value>
            <value id="trustedshops" type="host">*.trustedshops.com</value>
            <value id="usercentrics" type="host">*.usercentrics.eu</value>
            <value id="fontawesome" type="host">*.fontawesome.com</value>
            <value id="mailchimp" type="host">*.mailchimp.com</value>
            <value id="chimpstatic" type="host">*.chimpstatic.com</value>
        </values>
    </policy>
    <policy id="style-src">
        <values>
            <value id="cloudflare" type="host">*.cloudflare.com</value>
            <value id="googleapis" type="host">*.googleapis.com</value>
            <value id="twitter.com" type="host">*.twitter.com</value>
            <value id="twimg" type="host">*.twimg.com</value>
            <value id="gstatic" type="host">*.gstatic.com</value>
            <value id="typekit" type="host">*.typekit.net</value>
            <value id="trustedshops" type="host">*.trustedshops.com</value>
            <value id="usercentrics" type="host">*.usercentrics.eu</value>
            <value id="fontawesome" type="host">*.fontawesome.com</value>
        </values>
    </policy>
    <policy id="img-src">
        <values>
            <value id="designacake" type="host">*.design-a-cake.co.uk</value>
            <value id="cloudflare" type="host">*.cloudflare.com</value>
            <value id="klarna-base" type="host">*.klarna.com</value>
            <value id="googleadservices" type="host">*.googleadservices.com</value>
            <value id="google-analytics" type="host">*.google-analytics.com</value>
            <value id="paypal" type="host">*.paypal.com</value>
            <value id="twitter.com" type="host">*.twitter.com</value>
            <value id="twimg" type="host">*.twimg.com</value>
            <value id="vimeocdn" type="host">*.vimeocdn.com</value>
            <value id="youtube-img" type="host">*.ytimg.com</value>
            <value id="data" type="host">'self' data:</value>
            <value id="lightemporium" type="host">*.lightemporium.com</value>
            <value id="usercentrics" type="host">*.usercentrics.eu</value>
        </values>
    </policy>
    <policy id="connect-src">
        <values>
            <value id="cloudflare" type="host">*.cloudflare.com</value>
            <value id="twitter.com" type="host">*.twitter.com</value>
            <value id="paypal" type="host">*.paypal.com</value>
            <value id="twimg" type="host">*.twimg.com</value>
        </values>
    </policy>
    <policy id="font-src">
        <values>
            <value id="cloudflare" type="host">*.cloudflare.com</value>
            <value id="twitter.com" type="host">*.twitter.com</value>
            <value id="gstatic" type="host">*.gstatic.com</value>
            <value id="typekit" type="host">*.typekit.net</value>
            <value id="twimg" type="host">*.twimg.com</value>
            <value id="trustedshops" type="host">*.trustedshops.com</value>
            <value id="googleapis" type="host">*.googleapis.com</value>
            <value id="fontawesome" type="host">*.fontawesome.com</value>
        </values>
    </policy>

    <policy id="frame-src">
        <values>
            <value id="twitter.com" type="host">*.twitter.com</value>
        </values>
    </policy>

    <policy id="form-action">
        <values>
            <value id="twitter.com" type="host">*.twitter.com</value>
        </values>
    </policy>
</policies></csp_whitelist>

Since updating to Magento 2.4 the console output is:

[Report Only] Refused to load the script 'https://chimpstatic.com/mcjs-connected/js/users/cf09ee9019b287188eeb127cc/8f22db0f724fa7989f8c1b5cd.js' because it violates the following Content Security Policy directive: "script-src assets.adobedtm.com secure.authorize.net test.authorize.net www.googleadservices.com www.google-analytics.com www.paypalobjects.com js.braintreegateway.com www.paypal.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.sandbox.paypal.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com www.youtube.com *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es *.cloudflare.com *.twitter.com *.google-analytics.com *.twimg.com *.gstatic.com *.trustedshops.com *.usercentrics.eu *.fontawesome.com *.mailchimp.com *.chimpstatic.com 'unsafe-eval' data: yotpo.com www.yotpo.com p.yotpo.com staticw2.yotpo.com w2.yotpo.com 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

magento2.3 – Magento 2.3.5 CSP data (Content Security Policy): Image

Has anyone found a way to allow data:image/png images via csp_whitelist?

[Report only] Refused to load the image 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGP6zwAAAgcBApocMXEAAAAASUVORK5CYII=' because it violates the following Content Security Policy directive: ".com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com *.cloudflare.com https://cdn.klarna.com *.paypal.com https://s.ytimg.com *.usercentrics.eu 'self' 'unsafe-inline'".
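Both console messages above come from source-list matching rules that are easy to misread: a host pattern such as *.chimpstatic.com covers subdomains but not chimpstatic.com itself, and no host entry can cover a data: URL, which needs the data: scheme-source. This is an added example in Python, not Magento's code: it implements CSP3 source-expression matching and checks the two blocked URLs from the posts against whitelist entries taken from them; PAGE_ORIGIN is a constructed placeholder for the storefront origin.

```python
from urllib.parse import urlparse

# Constructed origin for the storefront; sources and blocked URLs are taken
# from the two posts above (script-src list shortened to the relevant entries).
PAGE_ORIGIN = "https://shop.example"
SCRIPT_SRC = ["'self'", "*.cloudflare.com", "*.mailchimp.com", "*.chimpstatic.com"]
IMG_SRC = ["'self'", "*.cloudflare.com", "*.paypal.com", "*.usercentrics.eu"]
BLOCKED_SCRIPT = ("https://chimpstatic.com/mcjs-connected/js/users/"
                  "cf09ee9019b287188eeb127cc/8f22db0f724fa7989f8c1b5cd.js")
BLOCKED_IMAGE = ("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1"
                 "HAwCAAAAC0lEQVR4nGP6zwAAAgcBApocMXEAAAAASUVORK5CYII=")

def scheme_part_match(a, b):
    """CSP3 scheme-part match: equal, or a is the insecure twin of b."""
    return a == b or (a, b) in {("http", "https"), ("ws", "wss")}

def host_part_match(pattern, host):
    """'*.example.com' matches subdomains only, never example.com itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # suffix keeps the dot, so the apex fails
    return pattern == host

def source_allows(source, url, page_origin=PAGE_ORIGIN):
    """Does one source expression allow `url` on a page served from `page_origin`?"""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.endswith(":"):                   # scheme-source: data:, https:, blob:
        return scheme_part_match(source[:-1], u.scheme)
    scheme, sep, rest = source.partition("://")  # host-source with optional scheme-part
    if not sep:                                # none given: the page's scheme applies
        scheme, rest = p.scheme, source
    if not scheme_part_match(scheme, u.scheme):  # a data: URL never matches a host entry
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")   # drop path, split off port
    default_port = {"https": 443, "http": 80}.get(u.scheme)
    if port and port != "*" and port != str(u.port or default_port):
        return False
    return host_part_match(host, u.hostname or "")

def allowed_by(sources, url, page_origin=PAGE_ORIGIN):
    """Source expressions in `sources` that allow `url`; an empty list means blocked."""
    return [s for s in sources if source_allows(s, url, page_origin)]
```

Running it shows the blocked script is allowed by nothing in the list, while https://static.chimpstatic.com/a.js is; the data: image is only allowed once a data: scheme-source is added.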

Content Security Policy – CSP: Is there a way to prevent inline scripts that are dynamically created by a trusted external script?

Suppose I have a simple web application that uses a single JavaScript file (JS) loaded from its own domain and that has implemented the restrictive content security policy (CSP) default-src 'self'. Inside it there is a stored XSS: the JS file makes an Ajax call to an API that returns content stored in a database, and that content (which comes from untrusted user input) contains inline JavaScript. The JS file creates an element in the page's document and sets its HTML content to the retrieved content. Let us assume that this is the necessary method to do what is required and assume that it is not possible to sanitize / encode the input. I know that user input should always be sanitized; just for the purposes of this question, skip this suggestion as a solution.

Is there a way to set a CSP to block this inline JavaScript dynamically placed on the page by trusted JavaScript?

Here is a minimal working example (you may need to serve it from a simple HTTP server, e.g. php -S localhost:58000, instead of loading it as an .html file):

csp-test.html:

csp-test.js:

console.log('trusted ext script') // executed, OK: the file itself is loaded from 'self'
const i = document.createElement('img')
i.src = "http://security.stackexchange.com/y" // cross-origin image, refused by default-src 'self', so 'error' fires
i.addEventListener('error',
  function(){ console.log('img by trusted ext script'); }) // executed, HOW TO BLOCK THIS?
document.body.append(i)

Result:


Why CSP vs. XSS?

I understand that CSP can be beneficial against multiple attack methods (e.g. clickjacking, XSS), but since it is specifically XSS – why is it a solution?

My reason for asking this question comes from a question I was asked recently. "If input cleanup / output encoding always works, why is XSS still a thing?"

My first thoughts were: Because it's not always that easy. XSS can exist in multiple contexts, in various forms, etc., and CSP (if done correctly) can be an easy way to prevent this. I have always viewed it primarily as a defense-in-depth measure that should never be used as the only mechanism against XSS.

Are there cases where sanitizing the input / encoding the output against XSS is not sufficient?

Algorithm Analysis – Why isn't the N-Queens problem used as an experiment in CSP work?

I am studying CSP for my master thesis. I found that a lot of CSP-based work described N-Queens as an introduction and actually experimented with random CSP problems.

If so, when I am doing a master's thesis in CSP, it makes sense to experiment with algorithms with N-Queens.

How can the N-Queens problem be varied in CSP parameters such as tightness and constraint density for experimentation?

I wonder why many researchers test their CSP algorithms with zebra problem, sudoku and random CSP, but why not with the N-Queens problem? Isn't the N-Queens problem better with CSP?