When you load a <script> with a nonce, that script can await import() additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to 'strict-dynamic', which propagates nonces for any purpose, not limited to imports (e.g. inserting script elements).

Example

We have a restrictive CSP that only allows nonces:

    Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'

Our HTML loads script.js as a module script (top-level await needs a module) using that nonce:

    <script type="module" nonce="secret123" src="script.js"></script>

Our script.js imports other.js without a nonce (the specifier must be a relative path or a URL; a bare "other.js" is rejected by the browser's module resolver):

    let other = await import('./other.js')
    console.log("Look, script.js has imported %o", other)

The import succeeds without a nonce, due to implicit nonce propagation.

Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using 'strict-dynamic'. E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an await import('assets/chunk-NAXSMFJV.js'). There is no way to inject a nonce into that import(), but implicit nonce propagation still allows the request.

Should I worry about this?

It would require some truly strange code for user input to make it into an import() argument. I wouldn't lose sleep over this. The thing to keep in mind is that the propagated nonce carries the full authority of the nonced script: under a nonce-only policy, an import() whose specifier is built from untrusted input (a query parameter, a postMessage payload, a data attribute an attacker can inject) will load and execute that URL from any host. Keep import() specifiers static, as bundlers emit them, and never build them from request data.

Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for import-src that went nowhere

Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, say we only allow scripts from our own host (no nonces):

    Content-Security-Policy: default-src 'none'; script-src 'self'

Our HTML loads script.js from our own host, and script.js imports other.js from a different host:

    let other = await import('https://other-host.com/other.js')

This fails with a CSP violation, which the browser console reports as:

    Executing inline script violates the following Content Security Policy directive 'script-src 'self''
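The rule the two examples above rely on, as an added example that is not part of the original card: a deliberately simplified model of how a browser applies script-src to a <script> element and to a dynamic import() issued from it. It only understands 'self', 'nonce-...' and plain origin sources (no paths, wildcards, schemes or 'strict-dynamic'), falls back to default-src when script-src is absent, and encodes the descendant script fetch rule from the HTML spec: an import() is checked with the nonce of the script that issued it, never with a nonce of its own. The function names, the page origin https://app.example and the sample policies are constructed for this example.

```javascript
// Simplified model of CSP script-src matching with nonce propagation to dynamic imports.
// Not the browser's implementation; only the subset of source expressions the card uses.

// Return the source expressions of one directive, or null if the policy has none with that name.
function directiveSources(csp, name) {
  for (const directive of csp.split(';')) {
    const [dname, ...sources] = directive.trim().split(/\s+/);
    if (dname === name) return sources;
  }
  return null;
}

// Scripts are governed by script-src, falling back to default-src (as in real CSP).
function scriptSources(csp) {
  return directiveSources(csp, 'script-src') ?? directiveSources(csp, 'default-src');
}

// Does one source expression allow a script fetched from `url` that carries `nonce`?
// `url` is a URL object, `nonce` is a string or null, `pageOrigin` is the document's origin.
function sourceMatches(source, url, nonce, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'nonce-")) return nonce !== null && source === `'nonce-${nonce}'`;
  if (source.startsWith("'")) return false; // other keywords ('unsafe-inline', 'strict-dynamic', ...) not modelled
  return url.origin === source;             // plain origin source, e.g. https://cdn.example.com
}

function allowsScript(csp, url, nonce, pageOrigin) {
  const sources = scriptSources(csp);
  if (sources === null) return true; // neither script-src nor default-src: nothing restricts scripts
  return sources.some(source => sourceMatches(source, url, nonce, pageOrigin));
}

// A top-level <script nonce=... src=...> element in the document.
function allowsScriptElement(csp, pageOrigin, { src, nonce = null }) {
  return allowsScript(csp, new URL(src, pageOrigin), nonce, pageOrigin);
}

// A dynamic import() issued from a running script. The specifier cannot carry a nonce;
// the check uses the importing script's nonce instead (descendant script fetch options).
// Note what this implies: under a nonce-only policy the imported URL's host is irrelevant.
function allowsDynamicImport(csp, pageOrigin, { specifier, importerUrl, importerNonce = null }) {
  return allowsScript(csp, new URL(specifier, importerUrl), importerNonce, pageOrigin);
}

// The card's scenarios, runnable as a quick self-check.
function cardScenarios() {
  const origin = 'https://app.example';
  const nonceCsp = "default-src 'none'; script-src 'nonce-secret123'";
  const selfCsp = "default-src 'none'; script-src 'self'";
  const importer = { importerUrl: `${origin}/script.js` };
  return {
    noncedEntryScript: allowsScriptElement(nonceCsp, origin, { src: '/script.js', nonce: 'secret123' }),
    unnoncedEntryScript: allowsScriptElement(nonceCsp, origin, { src: '/script.js' }),
    chunkImportFromNoncedScript: allowsDynamicImport(nonceCsp, origin,
      { specifier: 'assets/chunk-NAXSMFJV.js', importerNonce: 'secret123', ...importer }),
    crossHostImportUnderNoncePolicy: allowsDynamicImport(nonceCsp, origin,
      { specifier: 'https://evil.example/x.js', importerNonce: 'secret123', ...importer }),
    crossHostImportUnderSelfPolicy: allowsDynamicImport(selfCsp, origin,
      { specifier: 'https://other-host.com/other.js', ...importer }),
    sameHostImportUnderSelfPolicy: allowsDynamicImport(selfCsp, origin,
      { specifier: './other.js', ...importer }),
  };
}
```

cardScenarios() reproduces both examples from the card: the nonce-less chunk import from a nonced script is allowed, the cross-host import under a 'self' policy is refused. The crossHostImportUnderNoncePolicy case is the caveat in "Should I worry about this?" made concrete: once a script is nonced, the model (like the browser) does not look at the host of what it imports, so the specifier must never be attacker-controlled.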
