It's 2021 and this content never gets old. Thank you for posting this. ))
Very nice, crisp and to the point.
Very helpful, Thanks!
Concepts are explained nicely with examples
Your explanations are so good! Thank you! I learned a lot 😃
I'm a simple man, I hear "bears", I like.
Excellent, just what I needed: allow JavaScript only from two external sources.
Been searching for this Kyle. Very important subject. I understand it a bit better now, thank you!
This is good for basic learners... Thanks
These videos are really helpful. Thanks for uploading and please keep up the good work.
+Pavin Disatapundhu Thanks! :D
Super helpful and exactly what I was looking for to understand CSP
Thanks for sharing. I look forward to learning more.
Fantastic tutorial, wish I could give a double thumbs-up!
Not relevant to the topic, but which program do you use to record these awesome videos?
I think it's called ScreenFlow.
Nice video... gained a lot of knowledge. Surely going to share your video... Hmmm, one thing I want to ask: if a site has implemented CSP and script-src is set to 'self', along with 3rd-party sites listed for executing their scripts, and it also uses 'unsafe-inline' in the script-src directive, how in this case can an attacker or hacker bypass CSP by taking advantage of 'unsafe-inline'?
npm, sanitize-html 04:05; lodash 04:52; CSP 05:25: send an HTTP header to the browser to tell it to enable this CSP; 07:40 CSS
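The policy shape asked about above ('self' plus a third-party CDN plus 'unsafe-inline'), checked by a small linter. This is an added example, not code from the video; the policy strings are constructed samples and the function names are mine.

```javascript
// Added example (not from the video): parse a Content-Security-Policy header
// value and report script-src settings that weaken it.

// Parse "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// CSP keywords are matched case-insensitively; hashes/nonces are left alone.
function hasKeyword(sources, keyword) {
  return sources.some(s => s.toLowerCase() === keyword);
}

// Return the problems found in the effective script source list.
// An empty array means the policy really restricts where scripts come from.
function auditScriptSrc(header) {
  const policy = parseCsp(header);
  // Browsers fall back to default-src when script-src is absent.
  const sources = policy['script-src'] || policy['default-src'] || [];
  const findings = [];
  if (sources.length === 0) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  }
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  // 'unsafe-inline' re-allows inline <script> blocks and on* handlers, which is
  // what CSP was meant to stop; browsers ignore it when a nonce or hash is
  // present in the same directive, so it is only a finding without one.
  if (hasKeyword(sources, "'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script-src: inline scripts are allowed, so injected inline script is not blocked");
  }
  if (hasKeyword(sources, "'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script-src: eval() and similar are allowed");
  }
  if (sources.some(s => ['*', 'http:', 'https:'].includes(s.toLowerCase()))) {
    findings.push('wildcard or bare scheme source: scripts may load from any origin');
  }
  return findings;
}

// Constructed samples: the policy from the question, with and without 'unsafe-inline'.
const weakPolicy = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'";
const strictPolicy = "default-src 'self'; script-src 'self' https://cdn.example.com";
console.log(auditScriptSrc(weakPolicy));   // one finding about 'unsafe-inline'
console.log(auditScriptSrc(strictPolicy)); // []
```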
How do you use require in frontend javascript? I'd love to know!
It's that easy to install security?
Hi Kyle,
this is new to me, I did not know about the content security policy. I have a question though, won't this block certain browser extensions? I imagine that could annoy some users.
+Ante Šepić I'm not too knowledgeable about writing browser extensions but I believe they can define their own CSP: developer.chrome.com/extensions/contentSecurityPolicy So if the extension action is getting blocked by a CSP, that extension probably shouldn't be doing that action.
Also a user can choose to disable the CSP in their browser too if desired. It's really a protection mechanism for the users in case a website they are visiting has been hijacked. The website developer defines a CSP to inform the user about the things they can trust. So while you could easily disable CSP in your browser, you wouldn't necessarily want to.
+Kyle Robinson Young Thanks, that makes sense.
Very nice and well explained.
Why do you set the header on the response rather than the request? Also, instead of setting headers for all responses, can we set them separately for each individual response?
Excellent explanation!!
Thank you so much.
Dude, you cannot sanitize both on entering the DB and on rendering, because something like would become <h1> in the DB, then <h1> on render.
Thanks for the correction. You're right, you don't want to sanitize HTML twice.
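The point of the exchange above, shown with a plain HTML escaper standing in for the sanitize-html step the video uses. This is an added example, not code from the video; the in-memory "database" and the comment text are constructed.

```javascript
// Added example (not from the video): escape untrusted text exactly once, at
// render time. A minimal escaper is used instead of the sanitize-html package.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Correct flow: the "database" (an in-memory array here) keeps the raw input
// and the render step is the only place that escapes.
const comments = [];
function saveComment(rawText) {
  comments.push(rawText);                      // stored untouched
  return comments.length - 1;
}
function renderComment(id) {
  return `<p>${escapeHtml(comments[id])}</p>`; // escaped once, on output
}

// The mistake from the thread: escaping on the way into the DB *and* on render.
// The stored "&lt;h1&gt;" has its "&" escaped again, so the user sees the
// literal text "&lt;h1&gt;" instead of "<h1>".
const commentsEscapedOnWrite = [];
function saveCommentEscaped(rawText) {
  commentsEscapedOnWrite.push(escapeHtml(rawText));
  return commentsEscapedOnWrite.length - 1;
}
function renderCommentDouble(id) {
  return `<p>${escapeHtml(commentsEscapedOnWrite[id])}</p>`;
}

// Constructed sample input
const sample = '<h1>hi</h1> & "bye"';
console.log(renderComment(saveComment(sample)));
console.log(renderCommentDouble(saveCommentEscaped(sample)));
```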
Hi Kyle,
Instead of this, if the text box is given validation for only alphanumerics, i.e. no special characters, does it cause any attacks?
Short and helpful. Thanks.
Thanks for the breakdown
Wow! Nice tutorial
Which JavaScript framework are you currently using?
Could you give us a series for creating any application from scratch?
Thanks!
+Vikram Jadhav Thanks! I used a vanilla JS app thrown together for demonstrating CSP. Not a great solution for building large apps, IMO but is simple and straight forward for small apps. I have some JS app architecture videos planned for the future.
Something funny happening with audio at 3:48
Sorry about that! I'm not sure what happened there.
"Get your bearings" - 0:25
+Daniel Jeffery ˁ˚ᴥ˚ˀ
+Kyle Robinson Young I'm on to you.
Great content. You deserve more likes than the 427 that is registered here.
There seems to be some kind of audio problem from minute 3:48. I tried listening on different devices, with and without headphones, but no difference. Maybe you could make an updated version with better audio?
Great explanation, thanks!
Pure gold... thanks for the content
Amazing tutorial. Very well explained as well. Thanks very much.
Thanks for the video, quick understanding
I didn't understand how to fix this on a site that only uses HTML, CSS and JS files (frontend only)...
Hi Kyle, great video, congratulations! I get this error with a WordPress installation but not with a local installation. Do you know where I can find this setting? Regards, ZP.
3:50 your mic has been hacked :) Cool stuff though.
Thanks for assuring me that I'm not the one who got hacked :P
Hi dude, I've only just heard about this CSP thing. I'm trying to add it to my site but I'm having some troubles. I have some scripts from Copyright House, DMCA, and the Comodo SSL certificate, but as soon as I add the CSP line it stops showing them. I understand that I cannot use inline JS with this enabled, but then how do I reference the scripts if this is so? Would a function() call not be blocked in the HTML file or browser... Please help, I have posted this on StackOverflow as well.
Even after I've added the links and files to the trusted lists with spaces.
Thanks for this guide.
Very cool explanation :D
Great Tutorial .. ! :-)
+Aaditya Purani Thanks!
Sound is screwed up...
A Google Chrome extension error brought me here. :D
What's the end music's name? That's amazing!
Hey, great work!
I would be glad if you could do one on preventing XSS using the Express middleware 'Helmet'.
Thanks man
Nice! Thanks!
Why do you keep saying excaping?
Thanks mate
How to use this in PHP?
They are HTTP headers so with PHP you could do: header("Content-Security-Policy: default-src 'self'");
Scp = secure contain protect
Ohh, I think I commented on the wrong video, sorry 😅
Bears are the best. Kyle Robinson is also the best but most humans are lame (including me)
The audio is weird
+Ewers X Sorry about that! I'm not sure why the audio got fuzzy at that part.