Neil Matatall oreoshake

I used to make it easier to develop this site securely
oreoshake / gist:5138970
Last active December 14, 2015 19:48
hash of arrays, never again
1.9.3-p327 :002 > a = {:b => [3,4,5]}
=> {:b=>[3, 4, 5]}
1.9.3-p327 :003 > b = a.dup
=> {:b=>[3, 4, 5]}
1.9.3-p327 :004 > b[:b] << 'asdf'
=> [3, 4, 5, "asdf"]
1.9.3-p327 :005 > a
=> {:b=>[3, 4, 5, "asdf"]}
1.9.3-p327 :006 > b
=> {:b=>[3, 4, 5, "asdf"]}
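The trap in the session above, with a fix, as an added example in Ruby (this is not part of the gist): `Hash#dup` copies the hash but not the arrays inside it, so the copy and the original point at the same Array object. `deep_dup` and `deep_freeze` are hypothetical helpers written for this example; the predicate methods reproduce the gist's scenario so the difference can be checked.

```ruby
# Added example, not from the gist: Hash#dup is a shallow copy, so nested
# Arrays (and Hashes) are shared between the copy and the original.
# deep_dup and deep_freeze are hypothetical helpers written for this example.

# Recursively copies Hash and Array containers; scalars are copied with dup
# where possible (Integer/Symbol/nil raise TypeError on dup in Ruby < 2.4).
def deep_dup(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k] = deep_dup(v) }
  when Array then obj.map { |v| deep_dup(v) }
  else
    begin
      obj.dup
    rescue TypeError
      obj
    end
  end
end

# Freezes a structure all the way down, so that accidental mutation of a
# shared default (a config hash reused across requests, say) raises instead
# of silently leaking into every later user of that default.
def deep_freeze(obj)
  case obj
  when Hash  then obj.each { |k, v| deep_freeze(k); deep_freeze(v) }
  when Array then obj.each { |v| deep_freeze(v) }
  end
  obj.freeze
end

# The gist's scenario: mutating the copy changes the original too.
def shallow_copy_leaks?
  original = { b: [3, 4, 5] }
  copy = original.dup
  copy[:b] << 'asdf'
  original[:b].include?('asdf')   # true: both hashes hold the same Array
end

def deep_copy_leaks?
  original = { b: [3, 4, 5] }
  copy = deep_dup(original)
  copy[:b] << 'asdf'
  original[:b].include?('asdf')   # false: the copy has its own Array
end

def frozen_default_rejects_mutation?
  defaults = deep_freeze({ b: [3, 4, 5] })
  defaults[:b] << 'asdf'
  false
rescue RuntimeError                # FrozenError < RuntimeError; older Rubies raise RuntimeError itself
  true
end
```

`deep_dup` is the fix when callers legitimately need their own editable copy; `deep_freeze` is the better default for shared configuration, because it turns the silent aliasing above into an exception at the point of the mistake.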
oreoshake / gist:5281050
Last active December 15, 2015 15:19
Woke up, saw a javascript parser generator, wrote this
w3:
policy
= directive (" "? ";" " "? directive?)*
directive
= report_uri_directive / declaritive_directive
report_uri_directive
= "report-uri " host_source? [a-zA-Z/_-]*
declaritive_directive
= name:directive_name " " sources:source_list {
oreoshake / gist:5298160
Created April 3, 2013 03:12
Invalid CSP headers in the veracode report
chrome
"default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;",
"default-src 'self' *.evocdn.co.uk *.rackcdn.com *.evocdn.evo.com *.google-analytics.com 'unsafe-eval' 'unsafe-inline'; style-src 'self' *.evocdn.co.uk *.rackcdn.com *.google-analytics.com 'unsafe-eval' 'unsafe-inline'; img-src 'self' *.evocdn.co.uk *.rackcdn.com *.evocdn.evo.com data: *.google-analytics.com https://c906980.ssl.cf3.rackcdn.com 'unsafe-eval' 'unsafe-inline'; frame-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' eval-sc
oreoshake / firefox spec
Created November 12, 2013 16:47
This was meant to be a CSP parser/validator with the ability to explain a policy and a violation report. It has support for the old school firefox headers and the standard header.
policy
= directive (" "? ";" " "? directive?)*
directive
= report_uri_directive / declaritive_directive
report_uri_directive
= "report-uri " host_source? [a-zA-Z/_\-.]*
declaritive_directive
= name:directive_name " " sources:source_list {
var winston = require("winston");
// inline/eval values are only valid in style/script/default blocks
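The parser/validator the two grammar gists sketch, as an added Ruby example (not the gists' own code and not the secure_headers project's): it parses a policy the way the PEG grammar does (directives separated by `;`, a name followed by whitespace-separated sources) and applies the rule from the comment above, that `'unsafe-inline'`/`'unsafe-eval'` only mean something in `default-src`, `script-src` and `style-src`, together with the other problems visible in the Veracode-report policies higher up (keywords in `img-src`/`frame-src`, `'none'` mixed with other sources, `*` next to host sources, duplicated directives). The directive list is the CSP 1.0 set; the two sample policies are constructed for this example.

```ruby
# Added example, not code from the gists above. Directive names are the CSP 1.0
# set; GOOD_POLICY and BAD_POLICY are constructed for this example.

INLINE_EVAL_DIRECTIVES = %w[default-src script-src style-src].freeze
KNOWN_DIRECTIVES = %w[default-src script-src style-src img-src connect-src
                      font-src object-src media-src frame-src sandbox report-uri].freeze
INLINE_EVAL = ["'unsafe-inline'", "'unsafe-eval'"].freeze

# Parses a policy header into an ordered list of [name, sources] pairs, the
# same shape the PEG grammar produces: directives separated by ';' with optional
# whitespace, each one a name plus whitespace-separated sources. Empty
# directives (a trailing ';') are dropped; names are case-insensitive.
def parse_csp(header)
  header.split(';').map(&:strip).reject(&:empty?).map do |directive|
    name, *sources = directive.split(/\s+/)
    [name.downcase, sources]
  end
end

# Host sources are anything that is not a quoted keyword ('self', 'none', ...)
# or a bare scheme such as data: or https:.
def host_sources(sources)
  sources.reject { |s| s.start_with?("'") || s.end_with?(':') || s == '*' }
end

# Returns human-readable problems; an empty list means the policy parsed and
# passed every check.
def validate_csp(header)
  problems = []
  seen = {}
  parse_csp(header).each do |name, sources|
    unless KNOWN_DIRECTIVES.include?(name)
      problems << "unknown directive #{name}"
      next
    end
    # Browsers enforce the first occurrence of a directive and ignore later
    # ones, so a duplicate is usually a generator bug, not a tightening.
    problems << "duplicate directive #{name} (only the first one is enforced)" if seen[name]
    seen[name] = true
    next if name == 'report-uri' || name == 'sandbox'

    bad_keywords = sources & INLINE_EVAL
    unless bad_keywords.empty? || INLINE_EVAL_DIRECTIVES.include?(name)
      problems << "#{name}: #{bad_keywords.join(' ')} only meaningful in #{INLINE_EVAL_DIRECTIVES.join(', ')}"
    end
    if sources.include?("'none'") && sources.size > 1
      problems << "#{name}: 'none' must be the only source"
    end
    if sources.include?('*') && host_sources(sources).any?
      problems << "#{name}: '*' already matches every host, so #{host_sources(sources).join(' ')} add nothing"
    end
  end
  problems
end

# Constructed for this example; BAD_POLICY is patterned on the report policies above.
GOOD_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri /csp-report"
BAD_POLICY  = "default-src 'self' *.example.com; img-src 'self' data: 'unsafe-inline'; " \
              "frame-src 'self' 'unsafe-eval'; style-src * 'unsafe-inline' *.cdn.example; " \
              "script-src 'self'; script-src 'none'; object-src 'none' 'self'"
```

Running `validate_csp(BAD_POLICY)` yields five findings (the two misplaced keywords, the redundant host beside `*`, the duplicate `script-src`, and `'none'` mixed with `'self'`), while `GOOD_POLICY` comes back clean. Misplaced keywords are not enforced by browsers, which is exactly why a scanner flags them: they make a policy look stricter or looser than it is.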
oreoshake / gist:f27e3678ddca4d4a8fa9
Last active November 10, 2021 22:15
Splunk query for mixed content in CSP reports
A csp report looks like
{
"csp-report": {
"document-uri": "http://example.org/page.html",
"referrer": "http://evil.example.com/haxor.html",
"blocked-uri": "http://evil.example.com/image.png",
"violated-directive": "default-src 'self'",
"original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
}
val reasonFiltered: Option[String] = {
val sourceFileString = sourceFile.getOrElse("").toLowerCase
if ("localhost" == reportHost || "localhost" == blockedHost
|| "127.0.0.1" == reportHost || "127.0.0.1" == blockedHost) {
Some("localhost")
} else if (sourceFileString.startsWith("resource://")
|| blockedUri.contains("addons.mozilla.org%22%3B%0Avar%20c%3D%22FastestFox")) {
Some("firefox_extension")
} else if (sourceFileString.startsWith("chromenull://") || blockedUri.startsWith("chromenull://")) {
<img id="asdf" src="asdf">
<script>
$('#asdf').error(function(e) {
alert("FAIL")
});
</script>
This file has been truncated, but you can view the full file.
[
{
"id": 186,
"user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36",
"classification": "javascript_href",
"created_at": "2014-09-10T02:22:04.686Z",
"updated_at": "2014-09-10T02:22:04.686Z",
"weak_id": "1UStqNc8fKXFDV9rEtrV28TtjhbuwNpJURlvr4LKJnU=",
"report": "{\"csp-report\":{\"document-uri\":\"http://csp-inline-fingerprint.herokuapp.com/csp/javascript_href\",\"referrer\":\"http://csp-inline-fingerprint.herokuapp.com/\",\"violated-directive\":\"style-src 'none'\",\"original-policy\":\"default-src 'none'; script-src 'none'; style-src 'none'; report-uri /csp/javascript_href?id=1UStqNc8fKXFDV9rEtrV28TtjhbuwNpJURlvr4LKJnU=\",\"blocked-uri\":\"\",\"source-file\":\"chrome-extension://gighmmpiobklfepjocnamgkkbiglidom\",\"line-number\":102,\"column-number\":47,\"status-code\":200}}"
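A report classifier covering both the Splunk/Scala gist above (drop localhost and browser-extension noise, find mixed content) and the extension-sourced reports in the fingerprint data just above, as an added Ruby example (not code from either gist). The four reports are constructed for this example, with field names from the report format shown in the gist; treating `chromenull://` as extension noise alongside `chrome-extension://` is an assumption, since the Scala preview cuts off before it says what it does with that case.

```ruby
require 'json'
require 'uri'

# Added example, not from the gists above. Reproduces the noise filters in the
# Scala snippet (localhost, extension sources) and the mixed-content condition
# the Splunk query looks for: an https document blocked from loading http.
# SAMPLE_REPORTS are constructed for this example. Classifying chromenull://
# together with chrome-extension:// is an assumption.

LOCAL_HOSTS = %w[localhost 127.0.0.1].freeze
FIREFOX_EXTENSION_SCHEMES = %w[resource://].freeze
CHROME_EXTENSION_SCHEMES = %w[chrome-extension:// chromenull://].freeze

SAMPLE_REPORTS = [
  { 'document-uri' => 'https://example.org/page.html',
    'blocked-uri'  => 'http://cdn.example.org/app.js',
    'violated-directive' => 'script-src https:', 'source-file' => '' },
  { 'document-uri' => 'http://localhost:3000/',
    'blocked-uri'  => 'http://localhost:3000/livereload.js',
    'violated-directive' => "script-src 'self'", 'source-file' => '' },
  { 'document-uri' => 'https://example.org/',
    'blocked-uri'  => '',
    'violated-directive' => "style-src 'none'",
    'source-file' => 'chrome-extension://gighmmpiobklfepjocnamgkkbiglidom' },
  { 'document-uri' => 'https://example.org/',
    'blocked-uri'  => 'https://evil.example.com/image.png',
    'violated-directive' => "img-src 'self'", 'source-file' => '' }
].map { |r| JSON.generate({ 'csp-report' => r }) }

def host_of(uri_string)
  URI.parse(uri_string).host.to_s.downcase
rescue URI::InvalidURIError
  ''
end

# One label per report; the first matching rule wins, with the noise rules
# first so a localhost report with an extension source still counts as localhost.
def classify_report(json)
  report  = JSON.parse(json).fetch('csp-report')
  doc     = report['document-uri'].to_s
  blocked = report['blocked-uri'].to_s
  source  = report['source-file'].to_s.downcase
  if LOCAL_HOSTS.include?(host_of(doc)) || LOCAL_HOSTS.include?(host_of(blocked))
    'localhost'
  elsif source.start_with?(*FIREFOX_EXTENSION_SCHEMES)
    'firefox_extension'
  elsif source.start_with?(*CHROME_EXTENSION_SCHEMES) || blocked.start_with?(*CHROME_EXTENSION_SCHEMES)
    'chrome_extension'
  elsif doc.start_with?('https://') && blocked.start_with?('http://')
    'mixed_content'
  else
    'violation'
  end
end

# Counts per label, which is what the Splunk search boils down to once the
# report body has been parsed out of the log line.
def tally_classes(json_reports)
  json_reports.each_with_object(Hash.new(0)) { |j, counts| counts[classify_report(j)] += 1 }
end
```

The order of the rules matters: extension-injected stylesheets and scripts produce reports whose `blocked-uri` is empty (as in the fingerprint data above), so filtering on `source-file` has to come before any rule that looks at the blocked URI.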
oreoshake / fxml
Created January 9, 2015 21:02
aquafx tab pane issue
<BorderPane fx:id="root_pane" maxHeight="-Infinity" maxWidth="-Infinity" minHeight="800" minWidth="1000" prefHeight="800.0" prefWidth="1024.0" xmlns="http://javafx.com/javafx/8" xmlns:fx="http://javafx.com/fxml/1">
<center>
<TabPane fx:id="tab_pane" tabClosingPolicy="ALL_TABS" BorderPane.alignment="CENTER" />
</center>
</BorderPane>
oreoshake / gist:13dfef90d3bd7dd9b1d6
Last active August 29, 2015 14:15
referrers and stuff

For testing: http://referrerrerr.herokuapp.com/

Firefox

  • 35: doesn't respect the referrer meta tag at all (defaulting to no-referrer-when-downgrade behavior)
  • 36: respects no-referrer, origin, no-referrer-when-downgrade, unsafe-url and defaults to origin
  • 37: respects ^^^ and 'origin-when-crossorigin'

Chrome

  • <= 39: ???
  • 40: respects no-referrer, origin, no-referrer-when-downgrade, unsafe-url and defaults to no-referrer