Frederik Braun - What is mixed content? | Frederik Braun
Today, I found someone tweeting about a neat security bug in Chrome that bypasses how Chrome disallows extensions from injecting JavaScript into special domains like chrome.google.com. The intention of this block is that browsers give special permissions to some internal pages that allow troubleshooting, resetting the browser, installing …
In order to fully discuss security issues, their common root causes and useful prevention or mitigation techniques, you will need some common ground on the security model of the web. This, in turn, relies on various terms and techniques that will be presented in the next sections. Feel free to …
This article first appeared on the HTMLHell Advent Calendar 2022. Motivation: When thinking of HTML-related security bugs, people often think of script injection attacks, also known as Cross-Site Scripting (XSS). If an attacker is able to submit, modify or store content on your web page, they might include …
This document sat in my archives. I originally created it so I would have notes for my participation in the Working Draft podcast, a German podcast for web developers. That's why this article is in German as well. The podcast episode 452 was published in 2020, but I never published this …
Update: In July 2019, Chrome developers announced that they are going to remove XSSAuditor. You can follow their bug tracker here. Recently, Google Chrome changed the default mode for their Cross-Site Scripting filter XSSAuditor from block to filter. This means that instead of blocking the page load completely, XSSAuditor will …
This article has been superseded by a more recent write-up of my presentation from OWASP AppSec EU 2015. Alternatively, you can download the slides or watch the video on YouTube. Some time ago, I complained about the prevalence of CDNs for JavaScript hosting and the trust model that comes with including …
This blog post about X-Frame-Options was originally published on the Mozilla Security Blog. A few weeks ago, Mario Heiderich and I published a white paper about the X-Frame-Options security header. In this blog post, I want to summarize the key arguments for setting this security header in your web application …