
Dirk

@Dirk@lemmy.ml

Somewhere between Linux woes, gaming, open source, 3D printing, recreational coding, and occasional ranting.

🔗 Me, but elsewhere

🇬🇧 / 🇩🇪


Dirk,

That’s the good thing with federation. You can participate in communities without visiting the instance even once.

Dirk,

Also, strict CSP would prevent it entirely.

Dirk,

Another reason to block this TLD in the firewall solution.

Dirk,

To prevent execution of scripts not referenced with the correct nonce:

    script-src 'self' 'nonce-$RANDOM'

To make it super strict, this set could be used:

    default-src 'self';
    script-src 'nonce-$RANDOM';
    object-src 'none';
    base-uri 'none';
    form-action 'none';
    frame-ancestors 'none';
    frame-src 'none';
    require-trusted-types-for 'script'

Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to 'self' if forms are actually used to send data to the server and not handled by JavaScript.

MDN has a good overview: developer.mozilla.org/…/Content-Security-Policy

Dirk,

Because .zip is a commonly used file extension.

Dirk,

They can and they do. Using a commonly known and used file extension to “hide” a malicious URL is just easier.

www.youtube.com/watch?v=GCVJsz7EODA
