
Apple safari web back browser risk









Apple praised for changes that ‘allow developers to build safe web applications’

Apple has added a raft of new features to WebKit, including improved support for Content Security Policy (CSP) Level 3, with the latest release of Safari version 15.4.

This, say the developers, gives enhanced security control over the loading of content, and helps web developers to mitigate the risks of cross-site scripting (XSS) and other vulnerabilities.

Blocked resource violation reporting for inline script, inline style, and eval execution has been updated to match web standards too.

And there's new support for ‘strict-dynamic’, making it easier to deploy a strict CSP based on CSP nonces or hashes.

“This is critical for developers who want to mitigate XSS, one of the most prominent web vulnerabilities, using a CSP based on nonces or hashes instead of an allowlist-based CSP, which our research has shown can be trivially bypassed in more than 90% of cases when it comes to XSS mitigation,” Google information security engineer Lukas Weichselbaum tells The Daily Swig.

“Google is protecting over 80% of its sensitive web traffic with a strict nonce-based CSP, and has mitigated a large number of XSS vulnerabilities this way. Now we can also protect our users on Safari and iOS where all browsers are using WebKit as a rendering engine.”

Meanwhile, there’s also support for ‘unsafe-hashes’, allowing inline event handlers to be hashed in the same way as CSP hashes allow hashing of inline scripts.

And support for ‘report-sample’ enables sending short samples of code that violates the CSP – in particular for inline scripts and inline event handlers.

“This is essential to tie back a report to its root cause and to differentiate unactionable reports triggered by browser extensions, malware, et cetera,” says Weichselbaum.

With the new release, developers can also safely include external JavaScript in their pages using new support for hash source expressions.

And finally, support has been removed for the XSS Auditor, which, say the developers, has been superseded by modern cross-origin defenses like CSP and COEP.
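The features named in the article (a strict nonce-based policy with ‘strict-dynamic’, ‘unsafe-hashes’ for inline event handlers, ‘report-sample’, and hash source expressions for external scripts) fit together in a single policy. The following Python script is an added example, not code from the article, from Apple or from WebKit: it computes CSP hash source expressions, builds a strict script-src policy, renders the matching markup, and applies a simplified version of the CSP Level 3 matching rules so you can check what the policy would allow. The handler text, the external script body, the paths /static/app.js, /static/analytics.js and /csp-report are constructed placeholders; the rule that an external script matches a hash source through its integrity attribute follows the CSP Level 3 specification.

```python
import base64
import hashlib
import secrets

# Constructed sample inputs (not from the article): an inline event handler
# value and the body of an external script the page wants to allow by hash.
HANDLER_SOURCE = "toggleMenu(event)"
EXTERNAL_SCRIPT_BODY = "window.analytics = window.analytics || {};\n"


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return a CSP hash source expression such as 'sha256-<base64 digest>'.

    The digest covers the exact UTF-8 bytes of the script text: for an inline
    <script> the text between the tags, for an inline event handler the
    attribute value, and for an external script the file contents.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only defines sha256, sha384 and sha512 hashes")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def make_nonce() -> str:
    """Generate a fresh per-response nonce with 128 bits of randomness."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp(nonce, handler_hashes=(), external_hashes=(), report_uri="/csp-report"):
    """Build a strict, nonce-based Content-Security-Policy header value.

    'strict-dynamic' propagates trust from the nonced script to scripts it
    loads, so no host allowlist is needed; 'unsafe-hashes' lets the listed
    hashes also match inline event handlers; 'report-sample' asks the browser
    to include a snippet of the violating inline code in its report.
    """
    script_src = [f"'nonce-{nonce}'", "'strict-dynamic'", "'report-sample'"]
    if handler_hashes:
        script_src.append("'unsafe-hashes'")
        script_src.extend(f"'{h}'" for h in handler_hashes)
    script_src.extend(f"'{h}'" for h in external_hashes)
    # Fallbacks for browsers without CSP3 support: a CSP3 browser ignores
    # 'unsafe-inline' once a nonce or hash is present and ignores https: once
    # 'strict-dynamic' is present, so they do not weaken the policy there.
    script_src.extend(["'unsafe-inline'", "https:"])
    directives = [
        "script-src " + " ".join(script_src),
        "object-src 'none'",
        "base-uri 'none'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def script_src_sources(policy: str) -> list:
    """Return the source expressions of the script-src directive in a policy."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def script_allowed(policy, nonce=None, digest=None, event_handler=False) -> bool:
    """Decide whether a script would be allowed by the policy's script-src.

    Simplified CSP3 matching: a matching nonce allows a script element; a
    matching hash allows a script element, and an inline event handler only
    when 'unsafe-hashes' is also present. Handlers carry no nonce attribute,
    so a nonce never applies to them.
    """
    sources = script_src_sources(policy)
    if not event_handler and nonce and f"'nonce-{nonce}'" in sources:
        return True
    if digest and f"'{digest}'" in sources:
        return not event_handler or "'unsafe-hashes'" in sources
    return False


def build_response(nonce=None) -> tuple:
    """Return (header_value, html) for the constructed sample page."""
    nonce = nonce or make_nonce()
    handler_hash = csp_hash(HANDLER_SOURCE)
    external_hash = csp_hash(EXTERNAL_SCRIPT_BODY)
    header = strict_csp(nonce, [handler_hash], [external_hash])
    # Under CSP3 an external script matches a hash source expression through
    # its integrity attribute, which must list the same digest as the policy.
    html = (
        f'<script nonce="{nonce}" src="/static/app.js"></script>\n'
        f'<script src="/static/analytics.js" integrity="{external_hash}"></script>\n'
        f'<button onclick="{HANDLER_SOURCE}">Menu</button>\n'
    )
    return header, html


if __name__ == "__main__":
    header, html = build_response()
    print("Content-Security-Policy:", header)
    print(html)
```

The nonce must be generated per response and never reused, since an attacker who can predict it can mark injected scripts as trusted; the hashes, by contrast, are static and can be computed at build time from the exact bytes that will be served. Any ‘report-sample’ snippets the browser posts to the report endpoint arrive as untrusted data from the client and should be stored and rendered accordingly.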









