When you load a script with a nonce, that script can `await import()` additional sources from any hostname. The nonce is propagated automatically for the one purpose of importing more scripts. This is not related to `'strict-dynamic'`, which propagates nonces for any purpose, not limited to imports (e.g. inserting elements).

## Example

We have a restrictive CSP that only allows nonces:

```
Content-Security-Policy: default-src 'none'; script-src 'nonce-secret123'
```

Our HTML loads script.js using that nonce:

```html
<script type="module" src="script.js" nonce="secret123"></script>
```

Our script.js imports other.js without a nonce:

```js
let other = await import('other.js')
console.log("Look, script.js has imported %o", other)
```

The import succeeds without a nonce, due to implicit nonce propagation.

## Why this is useful

In modern build pipelines, code splitting (chunking) is implemented using dynamic imports. Nonce propagation allows us to use automatic chunking with restrictive, nonce-based CSPs without using `'strict-dynamic'`.

E.g. esbuild automatically groups dynamically imported modules into chunks and writes each chunk to disk. The compiled build then contains an `await import('assets/chunk-NAXSMFJV.js')`. There is no way to inject a nonce into that `import()`, but implicit nonce propagation still allows the request.

## Should I worry about this?

It would require some truly strange code for user input to make it into an `import()` argument. I wouldn't lose sleep over this.

## Is this a browser bug?

It is by design. Here are some sources:

- HTML Spec Section 8 (Web Application APIs) (search for "descendant script fetch options")
- Chromium test ensuring nonce propagation
- Firefox bug implementing nonce propagation
- CSP issue: Someone concerned about propagation being a vulnerability
- CSP issue: Proposal for `import-src` that went nowhere

## Are other CSP sources also propagated?

No, only nonces. In particular, host-based CSPs do not propagate trust.

For example, we only allow scripts from our own host (no nonces):

```
Content-Security-Policy: default-src 'none'; script-src 'self'
```

Our HTML loads script.js from our own host:

```html
<script type="module" src="script.js"></script>
```

Our script.js imports other.js from a different host:

```js
let other = await import('https://other-host.com/other.js')
```

This fails with a CSP violation:

```
Executing inline script violates the following Content Security Policy directive 'script-src 'self''
```
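As an added example (not part of the original card), the following JavaScript models the browser's script-src decision for both scenarios above: the nonce-based policy, under which the inherited nonce lets every chunk import through, and the host-based policy, under which the cross-host import is refused. The page origin `https://app.example`, the function names and the sample import list are assumptions.

```javascript
// Added example, not code from the original card: a small model of the
// browser's script-src decision, including the nonce an import() inherits
// from the script that calls it. Policies and file names are the card's;
// the page origin https://app.example and the function names are assumptions.

// Return the source list governing scripts: script-src, else default-src.
function scriptSourceList(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get('script-src') || directives.get('default-src') || [];
}

// Decide whether one script fetch is allowed. `nonce` is the nonce attribute of
// a top-level <script>, or, for an import(), the nonce inherited from the importer.
// Handled: 'none', 'self', 'nonce-...', 'strict-dynamic' and absolute origins.
function scriptAllowed({ policy, pageOrigin, url, nonce }) {
  const sources = scriptSourceList(policy);
  if (sources.includes("'none'")) return false;
  // A matching nonce allows the fetch regardless of host. This is the check
  // the inherited nonce satisfies for a build's chunk imports.
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  // Under 'strict-dynamic', host and 'self' expressions are ignored, so a
  // fetch without a matching nonce is refused.
  if (sources.includes("'strict-dynamic'")) return false;
  const origin = new URL(url, pageOrigin).origin;
  return sources.some((s) => {
    if (s === "'self'") return origin === pageOrigin;
    return /^https?:\/\//i.test(s) && new URL(s).origin === origin;
  });
}

// Audit the dynamic imports a build emits (e.g. esbuild chunks): which of them
// would be refused under `policy`? `importerNonce` is the nonce the importing
// script was loaded with, or null when it was allowed by host alone.
function blockedImports({ policy, pageOrigin, importerNonce, imports }) {
  return imports.filter(
    (url) => !scriptAllowed({ policy, pageOrigin, url, nonce: importerNonce })
  );
}

// Constructed sample: the page origin and the imports a build might emit.
const APP_ORIGIN = 'https://app.example';
const CHUNKS = ['other.js', 'assets/chunk-NAXSMFJV.js', 'https://other-host.com/other.js'];
```

Running `blockedImports` with the card's two policies shows the asymmetry: the nonce policy blocks nothing, while the `'self'` policy blocks only the cross-host import.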