http - Would setting script-src 'self' and frame-src 'unsafe-inline' conflict with each other? -


if have content-security-policy looks this:

default-src 'self' script-src 'self' frame-src 'unsafe-inline'

and have web page has frame inside it, frame points external source. frame runs script comes same origin else in frame.

i don't understand how these interact each other. script , frame settings conflict each other in way, or case of frame-src allowed run script?

you can set 'unsafe-inline' in default-src, script-src or style-src directives in csp. not valid in frame-src, or child-src frame-src deprecated.

when loading frame can't set csp restrictions on honour it's own csp set host if present.


Comments

Post a Comment

Popular posts from this blog

jOOQ update returning clause with Oracle -

according http://www.jooq.org/doc/3.8/manual/sql-building/sql-statements/update-statement/ jooq doesn't support returning clause in update statements databases except firebird , postgres. does know, still correct oracle jooq? according oracle's documentation, oracle db supports returning clase delete, insert, or update statements. incorrect manual you're right - manual wrong , should fixed: https://github.com/jooq/jooq/issues/5470 single row update returning jooq 3.8 added support single row update .. returning statements. internally, uses callablestatement , pl/sql block of form: begin update "my_table" set "my_table"."column" = 'xyz' "my_table"."id" = 1 returning "my_table"."id", "my_table"."column" ?, ?; ? := sql%rowcount; end; the relevant issue is: https://github.com/jooq/jooq/issues/5190 multi row update returning a...
Read more

c# - Json.Net Serialize String from URI -

currently i'm using web request body of webpage strictly json. var request = webrequest.create("urihere"); string text; var response = (httpwebresponse)request.getresponse(); using (var sr = new streamreader(response.getresponsestream())) { text = sr.readtoend(); } now i've got string of json in variable i'm trying figure out how parse data. i'm attempting use json.net below: user primaryuser = new models.user(); primaryuser.fullname = "test"; jsonserializer serializer = new jsonserializer(); serializer.converters.add(new javascriptdatetimeconverter()); serializer.nullvaluehandling = nullvaluehandling.ignore; using (streamwriter sw = new streamwriter("filenamehere")) using (jsonwriter writer = new jsontextwriter(sw)) { serializer.serialize(writer, primary...
Read more

java - Warning equals/hashCode on @Data annotation lombok with inheritance -

i have entity inherits other. on other hand, i'm using lombok project reduce boilerplate code, put @data annotation. annotation @data inheritance produces next warning: generating equals/hashcode implementation without call superclass, though class not extend java.lang.object. if intentional, add '@equalsandhashcode(callsuper=false)' type. is advisable add annotation @equalsandhashcode (callsuper = true) or @equalsandhashcode (callsuper = false) ? if not added, 1 callsuper=false or callsuper=true ? the default value false . 1 if don't specify , ignore warning. yes, recommended add @equalsandhashcode annotation on @data annotated classes extend else object. cannot tell if need true or false , depends on class hierarchy, , need examined on case-by-case basis. however, project or package, can configure in lombok.config call super methods if not direct subclass of object. lombok.equalsandhashcode.callsuper = call for configuration system ...
Read more