Johan Bové

"Your organization's data cannot be pasted here." is one of these corporate IT "security considerations" that are imho useless (I can still make a screenshot) and only cause friction and employee unhappiness.

Johan Bové

My Known "Content-Security-Policy" htaccess configuration

My current Known .htaccess Content-Security-Policy is full of tool URLs.


<IfModule mod_headers.c>
    # Each policy value must be one quoted string on a single line. The closing quote was missing on every Header line, and the worker-src scheme source needs its trailing colon ('https:', not 'https', which would only match a host literally named "https").
    # script-src still allows 'unsafe-inline' and 'unsafe-eval', which largely defeats CSP's protection against injected scripts; tightening that is a separate job.
    Header set Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
    # Legacy prefixed variants for old Firefox (X-Content-Security-Policy) and old WebKit (X-WebKit-CSP) builds; current browsers ignore them and only honour the header above.
    Header set X-Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src *; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
    Header set X-WebKit-CSP "default-src 'self'; frame-ancestors 'self' https://www.youtube-nocookie.com https://player.vimeo.com; base-uri 'self'; form-action 'self' https://www.brid.gy https://indieauth.com/ https://monocle.p3k.io/ https://aperture.p3k.io https://indigenous.abode.pub https://alltogethernow.io https://quill.p3k.io; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' https: data:; media-src https:; worker-src 'self' https:; font-src *; connect-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://player.vimeo.com;"
</IfModule>
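As an added example (not code from this post or from Known), here is a small Python checker that validates an Apache `Header set` line has a terminated quoted value, parses a CSP value into directives, and reports the sources that weaken it; it runs against a constructed subset of the policy above, and the names `is_well_formed_header`, `parse_csp` and `audit_csp` are mine. It flags `'unsafe-inline'` only in script-src/default-src, not in style-src.

```python
"""CSP checker: parse a Content-Security-Policy value and flag weak sources.
Added example, not code from the post or from the Known project."""
import re

# Constructed input: a subset of the directives from the .htaccess policy above
POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
          "object-src 'none'; img-src 'self' https: data:; media-src *; "
          "worker-src 'self' https; font-src *; connect-src 'self'")

# An Apache 'Header set Name "value"' directive must be one line with balanced quotes
HEADER_RE = re.compile(r'^\s*Header\s+set\s+\S+\s+"([^"]*)"\s*$')


def is_well_formed_header(line):
    """True when the Header directive carries exactly one terminated quoted value."""
    return HEADER_RE.match(line) is not None


def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the first occurrence of a
    repeated directive wins, which is how browsers treat duplicates."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(value):
    """Return (directive, finding) pairs for sources that weaken the policy."""
    findings = []
    for directive, sources in parse_csp(value).items():
        for src in sources:
            if src == "'unsafe-inline'" and directive in ("script-src", "default-src"):
                findings.append((directive, "'unsafe-inline' lets injected inline scripts run"))
            elif src == "'unsafe-eval'":
                findings.append((directive, "'unsafe-eval' permits eval() and new Function()"))
            elif src == "*":
                findings.append((directive, "wildcard permits any origin"))
            elif src in ("http", "https", "data", "blob"):
                # A bare scheme name is a host-source matching a host literally called
                # 'https'; almost certainly a typo for the scheme source 'https:'
                findings.append((directive, f"bare '{src}' is a host, not a scheme; use '{src}:'"))
            elif directive == "script-src" and src in ("https:", "data:"):
                findings.append((directive, f"scheme source {src} allows scripts from anywhere"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit_csp(POLICY):
        print(f"{directive}: {finding}")
```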

Johan Bové

Replied to a post on github.com:

@mapkyca How is HSTS involved in this? Are you referring to HTTP Strict Transport Security?

Johan Bové

Chrome 72 and are not getting along. Multiple JavaScript console errors related to the "Known" object not being initialized yet. It all still works on Firefox 67. Going to have to do a full re-coding of Known's JavaScript implementation if this project is going to have to keep existing. Also, Content Security Policies and Indieweb don't get along very much yet either...

Johan Bové

Improving my Known site and template using Google's Lighthouse Audit

As of today this is the Audit test result for "Desktop" (no throttling), with an authenticated session:

  • Performance: 100
  • Accessibility: 70
  • Best Practices: 79
  • SEO: 100

Next priority is to improve the score for "Accessibility".

  1. Image elements do not have alt attribute
  2. Form elements do not have associated labels
  3. Links do not have a discernible name

The "Best Practices" fixes will then be next:

  1. Does not use passive listeners to improve scrolling performance
  2. Links to cross-origin destinations are unsafe
  3. Includes front-end JavaScript libraries with known security vulnerabilities

The "known security vulnerabilities" item is the tricky one, as it requires updating the outdated Bootstrap version.

Johan Bové

Content-Security-Policy, although obviously a really good security measure for websites, broke browser bookmarklets.