rave199
Hangin' Around
Joined: Mar 22, 2014
Posts: 30
Posted: Fri Mar 28, 2014 6:36 am
Hi, I'm trying to put some cross-site scripting blocks on my site, but at the same time only allow my Flam player, my slideshow and my YouTube video to show. I got the code here:
Code:
```apache
Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img-src 'self' data:"
```
What I'm wondering is whether they would be considered object-src or script-src or a plug-in type, and whether it would be coded like this:
Code:
```apache
Header set X-Content-Security-Policy: "allow 'self'; options inline-script; plug-in type http://mystery-inc-4-life.com/flam_player_rep/flam-player.swf object-src www.youtube.com/v/0_C2HJvtRDY?version=3&hl=en_US&:"
```
And how would I embed the slideshow I made, which is on the index page of my site, since it's all based on JavaScript without any link or URL?
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1775
Posted: Fri Mar 28, 2014 12:21 pm
Sorry, I'm a little bit confused. It's not clear what you want, but cross-site scripting is not really the best solution. You want to build a slideshow that shows embedded YouTube videos without a URL? Or do you mean with 'url' a link to a JS file inside the script tag? Do you want to build inline JavaScript code? Can you post more details of the code you are using and which file you are trying to add it to?
rave199
Posted: Fri Mar 28, 2014 1:14 pm
No, what I mean is I'm trying to prevent cross-site scripting by using the code below, but I have a slideshow on my homepage and a YouTube video on my homepage as well that I'm trying to use, along with a Flam music player that I'm using. I want to allow these applications only, but deny other applications from using cross-site scripting with the code below. The code I'm using to prevent the XSS is not correct, which is why I need someone to show me where I'm going wrong with my code. I know plugin-types is required for the Flam player, but I don't know what is required to get the YouTube video working or the slideshow working properly, or if I need object-src or media-src.
neralex
Posted: Fri Mar 28, 2014 2:31 pm
Before you start using client-side scripts like Flash, JavaScript etc., you should know that everything you do with them will run on the client side, that means on the end user's side on his local computer. You can't block cross-site scripting this way, because everyone can call the URL of each file in his browser without running your website. That is file-based.
The 2nd thing is, with RN you are using an xHTML doctype, and to add an object tag you should do it this way, without using the outdated embed attribute:
html Code:
```html
<object data="http://www.youtube.com/v/9sRNnwSDcbQ" style="height:312px; width:500px;" type="application/x-shockwave-flash">
<param name="play" value="false" />
<param name="wmode" value="opaque" />
<param name="quality" value="high" />
<param name="movie" value="http://www.youtube.com/v/9sRNnwSDcbQ" />
</object>
```
Note: wmode opaque prevents JavaScript content like nukeNAV from showing behind the Flash object.
If you blocked calling a file locally, you would also block the way for all client-side scripts like Flash or JavaScript. Your way would maybe only work within the website, but everyone can call the file directly with the real path on your server.
rave199
Posted: Sat Mar 29, 2014 7:39 am
Well, I got part of the code functioning:
Code:
```apache
Header set X-Content-Security-Policy: "allow 'self'; options inline-script; plug-in types 'self':"
```
I'm just not sure about the rest, as to how to code for the slideshow. I know I might need script-src, but I don't know if I need to insert a link or what, or if I need to address it as 'self' (which I tried already, but it hasn't worked). And the media player isn't playing any music: the player shows up but isn't playing, so something else must be wrong with the code. All I want to do is prevent XSS but allow my slideshow, allow my YouTube video and allow my Flam media player.
neralex
Posted: Sat Mar 29, 2014 11:04 am
In which file and at which place are you trying to add this code? Can you give an example of the full code block and maybe a link to the affected website?
rave199
Posted: Sat Mar 29, 2014 11:20 am
For some reason it's not letting me post the code in here. Can I PM you the info?
rave199
Posted: Sat Mar 29, 2014 11:33 am
It's on the main page of my site. The first code block is the YouTube video:
Code:
```html
<object width="560" height="315">
<param name="movie" value="//www.youtube.com/v/0_C2HJvtRDY?hl=en_US&version=3&rel=0"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="//www.youtube.com/v/0_C2HJvtRDY?hl=en_US&version=3&rel=0" type="application/x-shockwave-flash" width="560" height="315" allowscriptaccess="always" allowfullscreen="true"></embed>
</object>
```
The second part of the code is the Flam player:
Code:
```html
<!-- ********************************************************************************************************** -->
<!-- * FLAM PLAYER BLOCK * -->
<!-- ********************************************************************************************************** -->
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
width="300"
height="315">
<param name=movie value="http://mystery-inc-4-life.com/flam_player_rep/flam-player.swf">
<param name=flashVars value="fp_root_url=http://mystery-inc-4-life.com/flam_player_rep/&ovr_color=0xBDA88A&ovr_langage=en&ovr_playlist=default_playlist&ovr_author=all&ovr_order=date_music&ovr_order_direction=DESC&ovr_autoplay=1&ovr_loop_playlist=1&ovr_loop_tracks=0&ovr_shuffle=1">
<param name=menu value=false>
<param name=quality value=best>
<param name=wmode value=transparent>
<param name=bgcolor value=#383838>
<embed src="http://mystery-inc-4-life.com/flam_player_rep/flam-player.swf"
flashVars="fp_root_url=http://mystery-inc-4-life.com/flam_player_rep/&ovr_color=0xBDA88A&ovr_langage=en&ovr_playlist=default_playlist&ovr_author=all&ovr_order=date_music&ovr_order_direction=DESC&ovr_autoplay=1&ovr_loop_playlist=1&ovr_loop_tracks=0&ovr_shuffle=1"
menu=false
quality=best
wmode=transparent
bgcolor=#383838
width="300"
height="315"
type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer">
</embed>
</object>
<!-- ********************************************************************************************************** -->
<!-- * FLAM PLAYER BLOCK END * -->
<!-- ********************************************************************************************************** -->
```
The XSS code I'm trying to use is this:
Code:
```apache
Header set X-Content-Security-Policy: "allow 'self'; options inline-script; plug-in types 'self':"
```
But it needs more work; there is stuff missing from this code to make it function properly. Right now I left the XSS prevention out so the site works and functions, but I need the code in there to block unwanted attacks on my site.
Last edited by rave199 on Sat Mar 29, 2014 11:36 am; edited 1 time in total
rave199
Posted: Sat Mar 29, 2014 11:34 am
And the slideshow is made of JavaScript, but this forum isn't letting me post the JavaScript code on here.
neralex
Posted: Sat Mar 29, 2014 12:16 pm
Your YouTube video should be like this in order to be xHTML:
html Code:
```html
<object data="http://www.youtube.com/v/0_C2HJvtRDY?hl=en_US&version=3&rel=0" style="height:315px; width:560px;" type="application/x-shockwave-flash">
<param name="play" value="false" />
<param name="wmode" value="opaque" />
<param name="quality" value="high" />
<param name="movie" value="http://www.youtube.com/v/0_C2HJvtRDY?hl=en_US&version=3&rel=0" />
</object>
```
Your Flam player should be like this:
html Code:
```html
<!-- * FLAM PLAYER BLOCK * -->
<!-- data and type tell the browser which file to load and which plugin handles it, as in the YouTube object above -->
<object data="http://mystery-inc-4-life.com/flam_player_rep/flam-player.swf" type="application/x-shockwave-flash" style="height:315px; width:300px; background:#383838;">
<param name="movie" value="http://mystery-inc-4-life.com/flam_player_rep/flam-player.swf" />
<param name="flashVars" value="fp_root_url=http://mystery-inc-4-life.com/flam_player_rep/&ovr_color=0xBDA88A&ovr_langage=en&ovr_playlist=default_playlist&ovr_author=all&ovr_order=date_music&ovr_order_direction=DESC&ovr_autoplay=1&ovr_loop_playlist=1&ovr_loop_tracks=0&ovr_shuffle=1" />
<param name="menu" value="false" />
<param name="quality" value="high" />
<param name="wmode" value="opaque" />
<param name="bgcolor" value="#383838" />
</object>
<!-- * FLAM PLAYER BLOCK END * -->
```
And this one, "Header set X-Content-Security-Policy:", is a part of the apache2 configuration file.
http://paul24.hubpages.com/hub/What-is-Apache2-Basic-Introduction-To-It
http://feeding.cloud.geek.nz/posts/adding-x-content-security-policy/
There is a PHP-based way, but I'm not sure if it is really important to implement it, because from what I have read about this one, it isn't really hard to manipulate.
rave199
Posted: Sat Mar 29, 2014 3:28 pm
Actually, I looked at those articles and more for the past two days and still don't understand it. So far this is what I have for my code:
Code:
```apache
Header set X-Content-Security-Policy: "default-src 'self'; plug-in types 'self' media-src http://k007.kiwi6.com/hotlink/gu1ntqkkwp/03_BURN_IT_DOWN.mp3 http://k007.kiwi6.com/hotlink/zc1ry70kfu/01_Paralyzer.mp3 http://k007.kiwi6.com/hotlink/tfix16zxab/03_California_Gurls_feat._Snoop_Dogg_.mp3 http://k007.kiwi6.com/hotlink/yzzsgxmgd5/01_Gangnam_Style_.mp3 http://k007.kiwi6.com/hotlink/ok68kupbch/cutting_crew_-_i_just_died_in_you.mp3 http://k007.kiwi6.com/hotlink/cndgd4a348/don_t_stop_the_party_-_pitbull_ft_tjr.mp3 http://k007.kiwi6.com/hotlink/40uxr96a86/eddie_money_-_take_me_home_tonigh.mp3 http://k007.kiwi6.com/hotlink/i4l92rndr6/metallica_-_metallica_aka_black_a.mp3 http://k007.kiwi6.com/hotlink/boii7ilc3f/Bon_Jovi_-_Wanted_Dead_Or_Alive.mp3 http://k007.kiwi6.com/hotlink/b2figsvc44/Def_leppard_-_Def_leopard_-_Pour_.mp3 http://k007.kiwi6.com/hotlink/kznf11qv9m/Bon_Jovi_-_Crush_-_It_s_My_Life_.mp3 http://k007.kiwi6.com/hotlink/uea9txklch/Metalica_-_Metallica_-_Enter_sand.mp3:"
```
I know the code isn't right because it's still not loading correctly.
rave199
Posted: Sat Mar 29, 2014 4:16 pm
I think I have it figured out; I could be wrong, I don't know.
Code:
```apache
Header set Content-Security-Policy: "allow 'self'; plug-in types 'self' media-src http://k007.kiwi6.com/hotlink/gu1ntqkkwp/03_BURN_IT_DOWN.mp3 http://k007.kiwi6.com/hotlink/zc1ry70kfu/01_Paralyzer.mp3 http://k007.kiwi6.com/hotlink/tfix16zxab/03_California_Gurls_feat._Snoop_Dogg_.mp3 http://k007.kiwi6.com/hotlink/yzzsgxmgd5/01_Gangnam_Style_.mp3 http://k007.kiwi6.com/hotlink/ok68kupbch/cutting_crew_-_i_just_died_in_you.mp3 http://k007.kiwi6.com/hotlink/cndgd4a348/don_t_stop_the_party_-_pitbull_ft_tjr.mp3 http://k007.kiwi6.com/hotlink/40uxr96a86/eddie_money_-_take_me_home_tonigh.mp3 http://k007.kiwi6.com/hotlink/i4l92rndr6/metallica_-_metallica_aka_black_a.mp3 http://k007.kiwi6.com/hotlink/boii7ilc3f/Bon_Jovi_-_Wanted_Dead_Or_Alive.mp3 http://k007.kiwi6.com/hotlink/b2figsvc44/Def_leppard_-_Def_leopard_-_Pour_.mp3 http://k007.kiwi6.com/hotlink/kznf11qv9m/Bon_Jovi_-_Crush_-_It_s_My_Life_.mp3 http://k007.kiwi6.com/hotlink/uea9txklch/Metalica_-_Metallica_-_Enter_sand.mp3 object-src www.youtube.com/v/0_C2HJvtRDY:"
```
Can someone please check the code to see if it's right or wrong? Thanks.
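An added example (not code from the thread or from either poster): a small Python model of how a browser matches the CSP source lists the posters are wrestling with against the resources on the poster's page, written with the standard Content-Security-Policy spellings (default-src instead of "allow", script-src 'unsafe-inline' instead of "options inline-script", plugin-types instead of "plug-in types"). It goes beyond the thread in one way: the media-src entry allows the whole hotlink directory rather than listing every mp3, which assumes all of the files live under that one path; the matching rules are a simplified subset of what a real browser implements.

```python
from urllib.parse import urlsplit

PAGE_ORIGIN = "http://mystery-inc-4-life.com"   # the poster's site (from the thread), served over http

def parse_policy(header_value):
    # "default-src 'self'; media-src a b" -> {"default-src": ["'self'"], "media-src": ["a", "b"]}
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url):
    # Simplified CSP 2 source-expression matching; a browser's matcher handles more cases.
    page, got = urlsplit(PAGE_ORIGIN), urlsplit(url)
    if source == "'self'":
        return (page.scheme, page.netloc) == (got.scheme, got.netloc)
    if source.startswith("'"):               # 'none', 'unsafe-inline', ...: never a host match
        return False
    if "://" not in source:                  # scheme omitted: inherit the page's scheme
        source = page.scheme + "://" + source
    want = urlsplit(source)
    if want.scheme != got.scheme or want.netloc.lower() != got.netloc.lower():
        return False
    if not want.path or want.path.endswith("/"):   # whole host, or a directory prefix
        return got.path.startswith(want.path)
    return got.path == want.path             # exact file; the query string is ignored

def allowed(policy, directive, url):
    # Use the governing directive, fall back to default-src; no directive at all = unrestricted.
    sources = policy.get(directive, policy.get("default-src"))
    return True if sources is None else any(source_matches(s, url) for s in sources)

# Corrected form of the policy the thread was working toward. Assumption: every mp3 sits under one directory.
POLICY = parse_policy("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                      "object-src 'self' www.youtube.com; media-src http://k007.kiwi6.com/hotlink/; "
                      "plugin-types application/x-shockwave-flash")

def check_site(policy=POLICY):
    # Resources from the thread, each evaluated under the directive a browser applies to it.
    return {
        "flam swf": allowed(policy, "object-src", PAGE_ORIGIN + "/flam_player_rep/flam-player.swf"),
        "youtube swf": allowed(policy, "object-src", "http://www.youtube.com/v/0_C2HJvtRDY?hl=en_US&version=3&rel=0"),
        # media-src governs <audio>/<video>; fetches started from inside a Flash plugin are not subject to CSP
        "mp3 via <audio>": allowed(policy, "media-src", "http://k007.kiwi6.com/hotlink/gu1ntqkkwp/03_BURN_IT_DOWN.mp3"),
        # the inline slideshow script only runs if script-src (or default-src) carries 'unsafe-inline'
        "inline slideshow": "'unsafe-inline'" in policy.get("script-src", policy.get("default-src", [])),
        "other host script": allowed(policy, "script-src", "http://cdn.example/other.js"),
    }
```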
neralex
Posted: Sat Mar 29, 2014 11:35 pm
Good luck, mate! :)