Neil Matatall (oreoshake)
I used to make it easier to develop this site securely
Keybase proof

I hereby claim:

  • I am oreoshake on github.
  • I am oreoshake (https://keybase.io/oreoshake) on keybase.
  • I have a public key ASD4N6g__7GEtuosEF4aKnCo2xivSd0DBYPcuzSKD4HQbgo

To claim this, I am signing this object:

Credentials: I created the secure_headers library which essentially does the same thing. I also built the Scala library in use at Twitter today.

secure_headers used to have to_json/from_json functionality (pull request) but I removed it when I rewrote the library (for use at GitHub). This implementation would not be compatible with my implementation which was inspired by this proposal.

JSON structure

I think it would be better to collapse all directive source lists to a flat structure. i.e. instead of having sub elements for "allow" (an array), "self" (boolean), "unsafe-inline" (boolean), "unsafe-eval" (boolean), just have a directive accept an array containing those values. This model matches the spec more closely and in my experience just creates more confusion. While it does have the benefit of validation (against types like unsafe-inli

oreoshake / ddd
Created December 14, 2015 19:56
ddd
ddd
oreoshake / iz_i_vulnerable.rb
Last active December 2, 2015 01:18
Audit an organization for known vulnerable gems
require 'rubygems'
require 'octokit'
require 'bundler/audit/cli'
require 'bundler/audit/database'
require 'parallel'

# Refresh the local advisory database before auditing any repositories
Bundler::Audit::CLI.new.update
# Organization whose repositories will be audited; defaults to "github"
ORG = ARGV[0] || "github"
oreoshake / canvas-exif-stripper.html
Created November 10, 2015 00:38
Take a file input, paint the image to a canvas, display it, read the canvas data, and POST the canvas data as an image file.
<input type="file" id="input"><br>
<img id="output">
<canvas id="canvas" style="display:none"></canvas>
<script>
  // from http://stackoverflow.com/questions/19032406/convert-html5-canvas-into-file-to-be-uploaded
  function uploadCanvas(dataURL) {
    var blobBin = atob(dataURL.split(',')[1]);
    var array = [];
    for (var i = 0; i < blobBin.length; i++) {
oreoshake / gist:13dfef90d3bd7dd9b1d6
Last active August 29, 2015 14:15
referrers and stuff

For testing: http://referrerrerr.herokuapp.com/

Firefox

  • 35: doesn't respect the referrer meta tag at all (defaulting to no-referrer-when-downgrade behavior)
  • 36: respects no-referrer, origin, no-referrer-when-downgrade, unsafe-url and defaults to origin
  • 37: respects all of the above and 'origin-when-crossorigin'

Chrome

  • <= 39: ???
  • 40: respects no-referrer, origin, no-referrer-when-downgrade, unsafe-url and defaults to no-referrer
oreoshake / fxml
Created January 9, 2015 21:02
aquafx tab pane issue
<BorderPane fx:id="root_pane" maxHeight="-Infinity" maxWidth="-Infinity" minHeight="800" minWidth="1000" prefHeight="800.0" prefWidth="1024.0" xmlns="http://javafx.com/javafx/8" xmlns:fx="http://javafx.com/fxml/1">
  <center>
    <TabPane fx:id="tab_pane" tabClosingPolicy="ALL_TABS" BorderPane.alignment="CENTER" />
  </center>
</BorderPane>
[
  {
    "id": 186,
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36",
    "classification": "javascript_href",
    "created_at": "2014-09-10T02:22:04.686Z",
    "updated_at": "2014-09-10T02:22:04.686Z",
    "weak_id": "1UStqNc8fKXFDV9rEtrV28TtjhbuwNpJURlvr4LKJnU=",
    "report": "{\"csp-report\":{\"document-uri\":\"http://csp-inline-fingerprint.herokuapp.com/csp/javascript_href\",\"referrer\":\"http://csp-inline-fingerprint.herokuapp.com/\",\"violated-directive\":\"style-src 'none'\",\"original-policy\":\"default-src 'none'; script-src 'none'; style-src 'none'; report-uri /csp/javascript_href?id=1UStqNc8fKXFDV9rEtrV28TtjhbuwNpJURlvr4LKJnU=\",\"blocked-uri\":\"\",\"source-file\":\"chrome-extension://gighmmpiobklfepjocnamgkkbiglidom\",\"line-number\":102,\"column-number\":47,\"status-code\":200}}"
  },
<img id="asdf" src="asdf">
<script>
  $('#asdf').error(function(e) {
    alert("FAIL")
  });
</script>
val reasonFiltered: Option[String] = {
  val sourceFileString = sourceFile.getOrElse("").toLowerCase
  if ("localhost" == reportHost || "localhost" == blockedHost
      || "127.0.0.1" == reportHost || "127.0.0.1" == blockedHost) {
    Some("localhost")
  } else if (sourceFileString.startsWith("resource://")
      || blockedUri.contains("addons.mozilla.org%22%3B%0Avar%20c%3D%22FastestFox")) {
    Some("firefox_extension")
  } else if (sourceFileString.startsWith("chromenull://") || blockedUri.startsWith("chromenull://")) {