remove old pages
xanhacks committed Mar 7, 2024
1 parent 54933e6 commit 3fe0dd2
Showing 8 changed files with 69 additions and 119 deletions.
71 changes: 0 additions & 71 deletions .github/workflows/hugo.yml.bak

This file was deleted.

39 changes: 0 additions & 39 deletions .github/workflows/pages.yml

This file was deleted.
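Review bot: both GitHub Actions workflow files are deleted here (.github/workflows/hugo.yml.bak and .github/workflows/pages.yml) and nothing in this diff replaces them, so the repository no longer contains anything that builds and deploys the site; confirm deployment is handled elsewhere before merging, otherwise keep pages.yml. Dropping the .bak copy on its own is fine.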

4 changes: 2 additions & 2 deletions content/docs/framework/drupal.md
@@ -1,7 +1,7 @@
---
title: "Drupal"
description: "Cheatsheet on Drupal library"
lead: "Cheatsheet on Drupal library"
description: "Cheatsheet on Drupal CMS"
lead: "Cheatsheet on Drupal CMS"
date: 2023-01-01T00:00:00+00:00
lastmod: 2023-01-01T00:00:00+00:00
draft: false
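Review bot: the wording fix from "library" to "CMS" is correct, but lastmod is left at 2023-01-01T00:00:00+00:00 while the page is edited in March 2024; bump lastmod so the rendered page reports a true last-modified date.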
19 changes: 19 additions & 0 deletions content/docs/framework/wordpress.md
@@ -0,0 +1,19 @@
---
title: "Wordpress"
description: "Cheatsheet on Wordpress CMS"
lead: "Cheatsheet on Drupal CMS"
date: 2023-01-01T00:00:00+00:00
lastmod: 2023-01-01T00:00:00+00:00
draft: false
images: []
menu:
docs:
parent: "framework"
weight: 620
toc: true
---

## Wordpress

### Discovery

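Review bot: the lead field is copied from the Drupal page: `lead: "Cheatsheet on Drupal CMS"` should read `lead: "Cheatsheet on Wordpress CMS"` to match the title and description lines above it. The file also ends at an empty `### Discovery` heading with draft: false, so the page will publish with no content; either fill the section or set draft: true until it is written.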
43 changes: 42 additions & 1 deletion content/docs/http/cross-origin-read-blocking.md
Expand Up @@ -33,4 +33,45 @@ CORB works by examining the MIME type of cross-origin responses and blocking tho
- **MIME Type Evaluation**: CORB checks the MIME type of a cross-origin response against a list of "protected" MIME types (such as HTML, XML (excluding SVG), and JSON). If the MIME type of the response is on this list, CORB may block the response from being consumed by the requesting site.
- **Blocking Strategy**: If CORB decides to block a response, it does so by stripping the response body, effectively preventing the requesting JavaScript from reading the content. However, the request itself is not blocked, the server still receives the request and sends a response. The difference is that the JavaScript on the requesting site cannot access the response's body.
- **Context of the Request**: CORB's decision to block a response also considers the context in which the request was made. For example, a script element trying to load JSON data might be blocked, as scripts are not supposed to load such data types directly.
- **Interaction with Other Security Features**: Although CORB operates independently, its effectiveness is complemented by other security measures such as the `X-Content-Type-Options: nosniff` header, which prevents the browser from sniffing the MIME type of a response. This ensures that incorrectly labeled resources are not executed in an unintended context.
- **Interaction with Other Security Features**: Although CORB operates independently, its effectiveness is complemented by other security measures such as the `X-Content-Type-Options: nosniff` header, which prevents the browser from sniffing the MIME type of a response. This ensures that incorrectly labeled resources are not executed in an unintended context.

## Blocking

The response will be stripped if:

1. `X-Content-Type-Options` is set to `nosniff` and the `Content-Type` is either `HTML`, `XML` (except `image/svg+xml`), `JSON` or `text/plain`.
2. Reponse status is `206` and the `Content-Type` is either `HTML`, `XML` (except `image/svg+xml`) or `JSON`.
3. The sniffed the response body is either `HTML`, `XML` (except `image/svg+xml`) or `JSON`.

## Examples

For the following examples, the client-site code will stay the same:

```html
<script src="http://localhost:5555"></script>
```

### nosniff & text/plain

In the following case, the response will be stripped by CORB because we will be in the first case as `X-Content-Type-Options` is set to `nosniff` and the `Content-Type` is set to `text/plain`.

```python
from flask import Flask

app = Flask(__name__)

@app.route('/')
def home():
return "alert(1337);"

@app.after_request
def add_response_headers(response):
response.headers['X-Content-Type-Options'] = 'nosniff'
response.headers['Content-Type'] = 'text/plain; charset=utf-8'
return response

if __name__ == '__main__':
app.run(port=5555)
```

### 206 & application/json
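Review bot: two typos in the new Blocking list: rule 2 should read "Response status", and rule 3 "The sniffed response body is either" (drop the duplicated "the"). The heading `### 206 & application/json` is added with no body, so the page ends on an empty section; either add the partial-content example that rule 2 calls for or leave the heading out until it exists. The "Interaction with Other Security Features" bullet appears in the diff as removed and re-added with identical text, so that change is most likely trailing whitespace and can be dropped. Minor: in the Flask example the after_request hook sets `nosniff` and `text/plain` on every response; that is exactly the rule 1 combination the section describes, so a one-line comment saying it is deliberate would help readers who copy the snippet.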
6 changes: 2 additions & 4 deletions content/docs/http/x-content-type-options.md
Expand Up @@ -19,8 +19,6 @@ The [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/H

## Nosniff

```
X-Content-Type-Options: nosniff
```
`X-Content-Type-Options: nosniff` only apply request-blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).

`X-Content-Type-Options` only apply request-blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).
You can find more details on the [CORB](/docs/http/cross-origin-read-blocking-corb/) page.
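Review bot: the link target `/docs/http/cross-origin-read-blocking-corb/` does not match the filename of the page it points to, content/docs/http/cross-origin-read-blocking.md, which is edited in this same commit; unless that page's front matter sets a matching slug, this is a broken link, so use `/docs/http/cross-origin-read-blocking/` or add the slug. Grammar: "only apply request-blocking" should be "only applies request-blocking".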
2 changes: 1 addition & 1 deletion layouts/index.html
Expand Up @@ -24,7 +24,7 @@ <h1>{{ .Title }}</h1>
<div class="container">
<div class="row justify-content-center text-center">
<div class="col-lg-5">
<h2 class="h4">Service Worker3</h2>
<h2 class="h4">Service Worker</h2>
<p>A Service Worker runs in the background of a web application, it provides various features such as caching, push notifications, and offline functionality.</p>
</div>
<div class="col-lg-5">
4 changes: 3 additions & 1 deletion todo.txt
Expand Up @@ -5,4 +5,6 @@
- Others - Open Redirect
- Add a parameters wordlist
- Browser BCheck rules
- Framework - Spring Boot
- Framework - Spring Boot

- Fix images in other/debug
