Why does Chrome claim that this stylesheet violates the Content Security Policy?

I have a website that integrates several CSS stylesheets from my own server and a stylesheet from a remote server.

I wanted to write my content security policy to allow all local stylesheets and only that one specific remote stylesheet. That was my attempt:

style-src 'self' 'sha256-L/W5Wfqfa0sdBNIKN9cG6QA5F2qx4qICmU2VgLruv9Y='

However, when I visited my website, Chrome 78 claimed that the remote stylesheet did not match the existing content security policy and declined to apply it. I looked at this similar question, where the solution was supposed to be applying 'unsafe-hashes', which did not solve my problem. It seems that there is a difference between an externally bound script and an inline script.

So my question is, why does Chrome claim that this script is not allowed? And what do I need to allow this script? (Apart from a general whitelist for the domain)
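To make the distinction the question is circling around concrete, here is an added example (not part of the question or of Chrome's code) that computes the hash token a CSP expects and then runs a deliberately simplified model of a style-src check. The model assumes what the question observes: a hash source is compared against the bytes of inline CSS, while an external stylesheet has to match 'self' or a host source. The page URL, the CSS bytes and the CDN host are constructed sample values.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import urlsplit

HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_token(content: bytes, algo: str = "sha256") -> str:
    """Build the hash-source token CSP expects: base64(digest(bytes)) in single quotes.
    The hash covers the exact bytes of the inline block, whitespace included."""
    digest = hashlib.new(algo, content).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def style_allowed(policy: str, page_url: str, *, inline: Optional[bytes] = None,
                  external_url: Optional[str] = None) -> bool:
    """Simplified model of a style-src check (assumption: not a full CSP evaluator).
    Inline CSS is accepted by 'unsafe-inline' (ignored once a hash is present, as
    CSP2+ browsers do) or by a matching hash token; an external stylesheet is
    accepted only by 'self' (same origin as the page) or by a host source,
    never by a hash token."""
    sources = policy.split()
    if sources and sources[0].lower() == "style-src":
        sources = sources[1:]
    hash_prefixes = tuple(f"'{a}-" for a in HASH_ALGOS)
    hashes = {s for s in sources if s.startswith(hash_prefixes)}
    hosts = [s for s in sources if not s.startswith("'")]

    if inline is not None:
        if "'unsafe-inline'" in sources and not hashes:
            return True
        return any(csp_hash_token(inline, a) in hashes for a in HASH_ALGOS)

    if external_url is not None:
        target = _origin(external_url)
        if "'self'" in sources and target == _origin(page_url):
            return True
        page_scheme = urlsplit(page_url).scheme
        for host in hosts:
            # a bare host source inherits the page's scheme; a URL source carries its own
            candidate = host if "://" in host else f"{page_scheme}://{host}"
            if _origin(candidate) == target:
                return True
        return False
    raise ValueError("give either inline= or external_url=")


# Constructed sample values: a page, an inline style block and a remote stylesheet
PAGE_URL = "https://www.example.com/index.html"
INLINE_CSS = b"body { color: red; }"
REMOTE_CSS = "https://cdn.example.net/site.css"
HASH_ONLY_POLICY = f"style-src 'self' {csp_hash_token(INLINE_CSS)}"
HOST_POLICY = HASH_ONLY_POLICY + " https://cdn.example.net"


if __name__ == "__main__":
    print(HASH_ONLY_POLICY)
    print("inline, hash policy    :", style_allowed(HASH_ONLY_POLICY, PAGE_URL, inline=INLINE_CSS))
    print("remote, hash policy    :", style_allowed(HASH_ONLY_POLICY, PAGE_URL, external_url=REMOTE_CSS))
    print("remote, host added     :", style_allowed(HOST_POLICY, PAGE_URL, external_url=REMOTE_CSS))
```

Under this model the remote stylesheet is only accepted once its origin appears as a host source, which is the "general whitelist for the domain" the question wanted to avoid; the hash token only ever matches inline CSS bytes.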

What should be considered to detect a security error?

I recently found an iframe injection vulnerability on this site. This website allows users to create and name projects, so I inserted an iframe into the naming function that can redirect the user to a malicious website. But I do not know if the projects are visible that way to other users or to the administrators, so I do not know if this is a security hole. I am very grateful if you can answer my question. Many thanks.

Security – Forensic memory capture on AWS, Azure and Google Cloud Platform (GCP)

When I run a virtual machine locally with VMWare, I can trivially retrieve RAM by pausing the machine and then copying the VMEM file.

If I use a VM with XenServer, I can trigger a dump.

Is there a way to capture a VM's memory in AWS, GCP, or Azure without logging into the VM and running a dump tool?

LVM for LUKS Implementation – Information Security Stack Exchange

LVM under LUKS is the only secure option for encrypting a Linux / Ubuntu USB system. If someone gets access to an unencrypted USB device that is not LVM on LUKS, he knows what it is and what it is.

However, LVM on LUKS is not easy to implement. Would anyone be kind enough to tell me how to do it in the simplest steps?

Many thanks.

Security – Is it possible to fake a recipient in an SMTP transaction? If not, how does SMTP prevent this?

This is possible even without an unauthorized SMTP server. Alice does not have access to the SMTP communication, so she may not know which address you sent the email to.

The only thing Alice has access to is the email headers.

The SMTP server only handles the SMTP envelope.

Nowhere is it written that the two must agree.

You can do this easily:

HELO mx01.treyresearch.net
MAIL FROM: 
RCPT TO: 
RCPT TO: 
DATA
From: Charlie 
To: Alice , Bob 
Subject: Information for Bob
Date: Fr, 06 Dec 2019 15:53:56 +0100
Message-ID: 

Hello Alice, 

this is the information you wanted me to share with Bob.

Greetings, 
    Charlie
.

As you can see, we have Bob in the To: header of the message, but we just did not tell the server to send the message to him. Conversely, we have instructed the server to send the message to a secret listener, but the secret listener is not displayed anywhere in the message.
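The mismatch the answer describes is something a mail gateway or a forensic reviewer can check for mechanically. The following is an added example (not the answer's own code): it parses a client-side SMTP transcript into envelope and DATA, reads the RFC 5322 headers from the DATA part, and reports recipients that exist only in the envelope (the hidden listener) or only in the headers (Bob). The transcript is a constructed sample modelled on the exchange above; all mailboxes are placeholders under the reserved .invalid domain. Envelope-only recipients also occur legitimately (Bcc works exactly this way), so the output is a review signal, not a verdict.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample session (client side only), modelled on the exchange above.
# All mailboxes are placeholders under the reserved .invalid TLD.
SESSION = """\
HELO mx01.treyresearch.net
MAIL FROM:<charlie@example.invalid>
RCPT TO:<alice@example.invalid>
RCPT TO:<listener@example.invalid>
DATA
From: Charlie <charlie@example.invalid>
To: Alice <alice@example.invalid>, Bob <bob@example.invalid>
Subject: Information for Bob
Date: Fri, 06 Dec 2019 15:53:56 +0100
Message-ID: <constructed-id@example.invalid>

Hello Alice,

this is the information you wanted me to share with Bob.

Greetings,
    Charlie
.
"""


def _mailbox(arg: str) -> str:
    """Normalise '<user@host>' or 'Name <user@host>' to a bare lowercase address."""
    return parseaddr(arg.strip())[1].lower()


def parse_session(session: str):
    """Split a client-side SMTP transcript into the envelope and the DATA payload."""
    envelope = {"mail_from": None, "rcpt_to": []}
    body_lines = []
    in_data = False
    for line in session.splitlines():
        if in_data:
            if line == ".":            # end-of-data marker
                break
            if line.startswith(".."):  # undo dot-stuffing (RFC 5321 section 4.5.2)
                line = line[1:]
            body_lines.append(line)
            continue
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            envelope["mail_from"] = _mailbox(arg)
        elif verb == "RCPT TO":
            envelope["rcpt_to"].append(_mailbox(arg))
        elif verb == "DATA":
            in_data = True
    return envelope, "\n".join(body_lines)


def envelope_header_mismatch(session: str) -> dict:
    """Report where the SMTP envelope and the RFC 5322 headers disagree.
    Envelope-only recipients are not always abuse (Bcc works the same way),
    so treat the output as a signal to review, not a verdict."""
    envelope, raw = parse_session(session)
    msg = message_from_string(raw)
    header_rcpts = {addr.lower() for _, addr in
                    getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    header_from = _mailbox(msg.get("From", ""))
    env_rcpts = set(envelope["rcpt_to"])
    return {
        "envelope_only_recipients": sorted(env_rcpts - header_rcpts),
        "header_only_recipients": sorted(header_rcpts - env_rcpts),
        "sender_mismatch": header_from != envelope["mail_from"],
    }


if __name__ == "__main__":
    for key, value in envelope_header_mismatch(SESSION).items():
        print(f"{key}: {value}")
```

On the sample the listener shows up as an envelope-only recipient and Bob as a header-only one, which is exactly the situation the answer describes: the server delivered according to RCPT TO, and the To: header is nothing more than text.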

Samsung – Custom Android OS / Rom with enhanced security protection [Development Help Needed]

So I was wondering (I searched the internet and various websites and unfortunately did not find what I needed)

Requirement:

  • I want to customize and create the Android operating system for my mobile phone.

My device information for physical tests:

  • Samsung Galaxy J1 Ace, SM-J111F
  • Run Android 5.1.1 (I've updated the ROM from 4.x.x to 5.1.1)

overview

I would like this mod / patch to be added to the 5.1 version of Android, but if it can be integrated into all versions, that would be great; still, I am aiming for Android 5.1.x.

Adjustments include:

  • Q1: Password protection for the recovery menu (such as BitLocker password query)
  • Q2: Password protection for the OTA download menu (over-the-air) (such as the BitLocker password query)
  • Q3: Password protection for flashing via ADB (enter a password at the ADB prompt before a user can perform updates or data uploads / downloads on the device)

In terms of Q3 (as above), I would like to limit the rate of password attempts to at least 5 minutes per attempt (so 12 password attempts would take an hour to complete).

Your help

  • Could you please tell me which files may need to be changed, as well as information about the tutorials I can follow?
  • Start from the beginning (I have no Android OS development experience, except a few apk apps from Unity3D)
  • I'm a software developer and I've been working with embedded systems running C and C++, a few web apps and some backend C# systems.

Thank you for the help and support in advance!

Is this PHP Smarty template statement a security hole?

$smarty->assign("action", $_SERVER["PHP_SELF"]);

PHP_SELF is set by the browser on the client side, so it can be changed by an attacker. Is the Smarty-assigned "action" used in the form's action field?
So, can an attacker control where POST data is being sent, or view the variables set on the server side?

Do you have any further defects in this statement?
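What actually goes wrong when a request-derived value such as PHP_SELF is dropped into action="" is an attribute breakout: a quote character in the path closes the attribute and whatever follows becomes markup. The example below is added here and is not the question's or Smarty's code; it is written in Python so the rendering can be checked stand-alone. The vulnerable renderer mirrors the raw interpolation from the question, the hardened one does what htmlspecialchars() in PHP (or Smarty's escape modifier) does, and a small parser shows the form tag the way a browser would read it. The request paths are constructed sample values.

```python
import html
from html.parser import HTMLParser

# Constructed request paths: an ordinary one and one carrying attribute-breaking characters
NORMAL_PATH = "/projects/edit.php"
HOSTILE_PATH = '/projects/edit.php/" data-injected="1'


def render_form_vulnerable(php_self: str) -> str:
    # Mirrors the usage in the question: the raw request path lands inside action=""
    return f'<form method="post" action="{php_self}"><input name="q"></form>'


def render_form_hardened(php_self: str) -> str:
    # Equivalent of htmlspecialchars($_SERVER["PHP_SELF"]): quotes and angle brackets
    # become entities, so the value can no longer close the attribute
    safe = html.escape(php_self, quote=True)
    return f'<form method="post" action="{safe}"><input name="q"></form>'


class _FirstForm(HTMLParser):
    """Collect the attribute list of the first <form> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.attrs is None:
            self.attrs = attrs


def form_attributes(markup: str):
    """Return the first <form> tag's attributes (entity-decoded, as a browser sees them)."""
    parser = _FirstForm()
    parser.feed(markup)
    parser.close()
    return parser.attrs or []


def form_is_intact(markup: str, expected_action: str) -> bool:
    """True when the form carries exactly method=post and the intended action, nothing else."""
    return form_attributes(markup) == [("method", "post"), ("action", expected_action)]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_form_vulnerable), ("hardened", render_form_hardened)):
        markup = render(HOSTILE_PATH)
        print(f"{label:10} {markup}")
        print(f"{'':10} attributes: {form_attributes(markup)}")
        print(f"{'':10} intact: {form_is_intact(markup, HOSTILE_PATH)}")
```

Escaping stops the breakout, but the action is still shaped by the request; the more robust choice is not to reflect the request path at all and use a fixed server-side route for the form target.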

Security – If I travel from Southeast Asia to Japan in a week, should I worry about the political situation between Japan and North Korea?

Yes, you think. The name of the game in North Korea is brinkmanship: they are pushing for concessions, but are not stupid enough to commit an actual act of war such as the downing of a passenger plane.

North Korea is not testing anti-aircraft missiles, but ballistic rockets aimed at specific targets on the ground. These fly high and far (> 1000 km altitude is not uncommon), far beyond the cruising altitude of passenger aircraft (10 km).

After all, not only do Japanese planes not fly into North Korean airspace, but routes to Southeast Asia do not fly near the country. Here is Tokyo to Bangkok (courtesy of gcmap.com), which does not even cross South Korea (the peninsula at the top right).
