#csp


@GossiTheDog the sheer fact that #MSPs & #CSPs can access clients' setups without proper #authorization [including #KYC / #KYB, #AuthCode|s and proper authorization via contract] is already sickening.

Such fundamental #ITsec fuckups are reasons alone not to use #Azure or any #Microsoft products & services at all...

  • I mean, it doesn't require #Mitnick-level skills to pull this off, since it doesn't necessitate #Lapsus-Style #SIMswap or other means to gain access...
Linked post by Kevin Beaumont (@GossiTheDog@cyberplace.social) on Cyberplace (attached: 3 images): "This is the partner.microsoft.com portal, it allows CSPs - Cloud Solution Providers - to gain access to their customer's environments. CVE-2024-49035 was around improper privilege management, i.e. being able to access things you shouldn't. It being in CISA KEV says it was being exploited in the wild. That portal allows a huge footprint of access by design."

tumblr.com/fenmere/76183583198

YO ALL ARTISTS WHO USE KRITA, CSP AND PROCREATE: PLEASE READ THIS AND CHECK YOUR COLOR SETTINGS.

there's a chance that your program had been using incorrect color settings and thus all of your works and ref sheets might have been desaturated or looking wrong

Linked post on Tumblr by The Fenworks: "Just to make a point, every time I finished a panel of this I would export it as a PNG on the perceptual setting and use it as a color reference for the next panel IT'S BAD PLEASE CHECK YOUR COLOR…"

I'm still doing some debugging of some #CSP #Content #Security #policy #cookie setting on my web service.

I can see the right `Set-Cookie` content being sent back in the `Response Headers` but I cannot for the life of me figure out why #Firefox is rejecting it. Meanwhile #Edge sets the same cookie fine. And in the past, when I use Edge's dev tools to inspect the page and it rejects the cookie, I get a little ⚠️ symbol that tells me *why*.

1/

Can anyone recommend a utility or trick to help diagnose #CSP (Content Security Policy) and #Javascript issues?

Have a web service. Worked great until I put it behind #NGINX, using its default CSP and upstream's js now gets clobbered due to `unsafe-eval`. But I don't want to allow `unsafe-eval`, I want to find out what in my javascript is being flagged. Anyone know a tool that *analyzes javascript for evals and equivalents?* My search-fu isn't working.

Or do I have to get into #nonces etc.?
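An added example (not the poster's code, and not any tool mentioned here): a small Node.js scanner for the constructs that make a browser demand `'unsafe-eval'` in `script-src`, namely `eval()`, the `Function` constructor, and string arguments to `setTimeout`/`setInterval`. The pattern list and the comment stripping are simplifications, and the sample source it scans is constructed for the demo.

```javascript
// Added example: static scan for the JavaScript constructs that require the
// CSP keyword 'unsafe-eval' (eval(), the Function constructor, and the string
// forms of setTimeout/setInterval). Pattern list and comment handling are
// deliberately simple; the sample source below is constructed for the demo.

const UNSAFE_EVAL_PATTERNS = [
  { kind: "eval()",               re: /\beval\s*\(/ },
  { kind: "Function constructor", re: /\b(?:new\s+)?Function\s*\(/ },
  { kind: "setTimeout(string)",   re: /\bsetTimeout\s*\(\s*["'`]/ },
  { kind: "setInterval(string)",  re: /\bsetInterval\s*\(\s*["'`]/ },
];

// Returns one finding per (line, kind) with the 1-based line number.
function findUnsafeEval(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    // Crude: drop trailing // comments so commented-out code is not reported.
    // A "//" inside a string literal (e.g. a URL) is also truncated here.
    const code = line.replace(/\/\/.*$/, "");
    for (const { kind, re } of UNSAFE_EVAL_PATTERNS) {
      if (re.test(code)) findings.push({ line: idx + 1, kind, text: line.trim() });
    }
  });
  return findings;
}

// True when the source can only run under a policy that grants 'unsafe-eval'.
function needsUnsafeEval(source) {
  return findUnsafeEval(source).length > 0;
}

// Constructed sample: three real hits, plus look-alikes that must not fire.
const SAMPLE = [
  "function render(tpl, data) {",
  '  // eval("x") inside a comment is ignored',
  '  return new Function("d", "return d." + tpl)(data);',
  "}",
  'setTimeout("render()", 100);',
  "setTimeout(() => render(), 100); // callback form needs no 'unsafe-eval'",
  "const y = eval(userInput);",
  "const z = JSON.parse('{\"a\":1}'); // parsing, not evaluating",
].join("\n");

for (const f of findUnsafeEval(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.text}`);
}
```

An empty result is the condition for dropping `'unsafe-eval'` from the policy; a non-empty one lists what to rewrite (or what third-party script to replace) first.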

Been busy adding more docs & examples/snippets for the revamped thi.ng/csp package, the readme and core operators. Still more to come, but the most important parts & operations are covered now. Please gimme a shout if anything is unclear... I'm aware #CommunicatingSequentialProcesses is yet another fringe technique for many JS/TS devs, but that shouldn't make it any less interesting or elegant, especially these days where async features are fully supported everywhere and there's so much more than ye basic async/await patterns...

(The attached ping-pong example is taken from the updated readme, but barely scratches the surface of what's possible...)