security Archives - CSS-Tricks

Third party CSS is not safe

# March 1, 2018 By Chris Coyier

...because third-party anything really isn't safe. Jake Archibald:

If you're worried about users tricking your site into loading third party resources, you can use CSP as a safety net, to limit where images, scripts and styles can be fetched from.

We've long discussed security considerations for using and managing third-party scripts, but the topic of security in third-party CSS was recently broached in response to a "trick" that employs keylogging via CSS.

Jake's post is a worthy read because it takes a high-level look at all third-party assets and the risks they pose.

security

Just Another HTTPS Nudge

# March 3, 2017 By Chris Coyier

I was strongly reminded about the scariness of non-secure websites the other day.

I'm using Xfinity as an internet service provider, and they give you a device that is both a cable modem and a router.

Here's a tiny bit of backstory. I use a VPN, and I discovered that in using their modem directly, the VPN wouldn't work. I'm not sure why. I didn't dig into it very far, because I have a modem of my own I'd prefer to use. So I plugged that in, which worked... but not particularly well. The connection was spotty and slow, even right in my own house.

(more…)

https security

ShopTalk 250: Web Security

# February 13, 2017 By Chris Coyier

For all y'all that want to understand the potential attacks, and potential defenses, of front-end web development.

It's pretty wild. The dangers are big, real, and many. But the tools we have to fight back are up to the job, we just need to know about them and use them.

security

The Line of Death

# January 16, 2017 By Robin Rendle

Eric Lawrence has written a pretty scary post about browser security and malicious websites that hope to trick us:

When building applications that display untrusted content, security designers have a major problem— if an attacker has full control of a block of pixels, he can make those pixels look like anything he wants, including the UI of the application itself. He can then induce the user to undertake an unsafe action, and a user will be none-the-wiser.

And the problem is even worse on mobile:

Virtually all mobile operating systems suffer from the same issue– due to UI space constraints, there are no trustworthy pixels, allowing any application to spoof another application or the operating system itself

security

Things to Know (and Potential Dangers) with Third-Party Scripts

# June 27, 2016 By Yaphi Berhanu

The web is full of third-party scripts. Sites use them for ads, analytics, retargeting, and more. But this isn't always the whole story. Scripts can track your behavior, your preferences, and other information.

Here, we're going to look at the potential risks of these third-party scripts.

(more…)

JavaScript security

Moving to HTTPS on WordPress

# March 6, 2015 By Chris Coyier

I just recently took CSS-Tricks "HTTPS everywhere". That is, every URL on this site enforces the HTTPS (SSL) protocol. Non-secure HTTP requests get redirected to HTTPS. Here's some notes on that journey.

(more…)

http/2 https performance security WordPress