Michael Bissell
  • Twitter
  • LinkedIn
  • Contact me

Scary plugins

2023-01-23

One of my online colleagues, Gary Longsine, on LinkedIn has been on a bit of a mission to get people to fix their allowed headers on their webservices.  These are headers that tell your browser (and to a lesser extent) your web server what your browser is allowed to access and what it's not allowed to access.

When he first showed me the site that runs your score, I was… skeptical.  Setting aside the security headers that actually tell my server to reject things, things like

Header always set Content-Security-Policy "script-src self"

This tells the browser not to run a script that isn't on the same server… so if I try to run a script from google.com from michaelbissell.com the browser should stop it.

The idea that I put headers in to tell the browser what not to do doesn't seem high on the list of things I need to worry about with hackers. After all, hackers aren't exactly known for following the rules, and if I say, "now be sure you don't hack all my data" I should expect my data to be stolen, deleted and vandalized within seconds.

Except… this kind of security isn't to keep the brute force, black-hat hacker from being able to do things on their own… these policies are designed to help keep the consumer from doing something irresponsibly, usually because they don't know they're being irresponsible.

Modern website rely a lot on the web browser, and the web browser is almost an operating system of its own at this point.  We can get lots of great helper plugins that give us a richer experience on the web.  

For example, when I was putting together my podcast, I wanted to see what my podcast would look like in a basic RSS reader -- if you don't know what an RSS reader is, don't worry, the point is when I went to install one as a plug-in I got a very casual, and to my eye, very chilling warning:

Read that little warning again…

It can: Read and change all your data on all websites.

Read and change my data on all websites… all websites… you know… like my banking site.  Or if I'm a private network that requires VPN to get to…

Data. On. All. Websites.

Oh it can display notifications too. That warning is given the same level of caution as the fact that this script can now change data on any site I'm on, and, therefore, inject all sorts of scripts, while also reading the otherwise private data in that window… things like access tokens and probably passwords if your site makes you type them in.

And this is why the seemingly "honor system" headers are so important. The browser, (Chrome, Firefox, Safari… probably Edge) WILL honor those headers, regardless of what a plugin might have done to the page.  

So if I include a header that only allows JavaScript to be executed from specific hosts, and the plugin tries to run a script that rummages through my session data and local storage and sends it all to some 3rd party web host, it won't work.

Again, it's not that someone is hacking my server directly, it's that they, like vampires, were invited into the browser.  What the Content Security Policies do is keep those people who don't even know they've been hacked from hacking my server.

Resume

  • My Resume
  • NWEA Experience
  • Apigee Experience
  • Cloudentity Experience
  • Conquent Experience
  • Technical Skills
  • Presentation and Voice
  • API Standards
  • Podcasts

Blog

    The Tech Industry isn't really the Tech Industry anymore
    Innovation, Table Stakes and Dev Ops
    The End of Twitter (as we know it)
    The Problem with Modernization Initiatives
    Scary plugins
    The Art of Asking a Question
    The Algorithm is Training Me
    Quietly Hijacking
    Are OpenAPI and Swagger the same thing?
    Extending the OpenAPI Contract for Security
    OpenAPI contract to HTML
    This blog and this website are built on an API
    Build an API from a CSV file in 4 minutes
    Terms of Service in lieu of Legal Governance
    Slow Response Times
    Uptime and Nines
    What is an SLA?
    Services vs APIs
    Ecosystem of Breaches -- People and Social Engineering
    Ecosystem of Breaches -- Devices and Hardware
    Ecosystem of Breaches -- User Interfaces
    Ecosystem of Breaches -- Networking
    The Ecosystem of Breaches -- Services
    Ecosystem of Breaches -- Databases
    The Ecosystem of Breaches -- Introduction
    Broken Vows -- doing better with keeping secrets
    The Organic Algorithm
    Work From Home Data War
    Finding Your Voice -- How Podcasts Sound different
    Normal is a Myth
    Managing Expectations
    Why Are Podcasts Different?
    Why DIY is not Stay At Home
    Let's talk really basic websites
    Working Remotely and Social Distancing Challenges
    Fashionable Facts
    Siri Being Disturbingly Helpful
    I Want to be Your Distraction
    Building your SLA (Security Level Agreement)
    Why We Don't Read
    Stepping Back (but not away)
    Fake Friends
    Tribal Amnesia
    The New Facebook is Text Messaging
    A bit about Starbucks-ese
    Historical Figures in Modern Clothes
    What is SSO?
    Talking Around the Answer
    My Next Adventure
    On Prem, IaaS, Paas and SaaS
    Why I dropped out of Social Media
    Being Watched by TV
    Why I Can’t Support Bernie Sanders
    Waking up from the Dream of the 90s
    PIN is a Four Letter Word
    Mundane Travels in an Amazing World by Michael Bissell
    Keep Portland, Portland
    The Odd Case of Interconnected Clocks
    Meaningful Work that I Get Paid For
    Time to Disrupt Disruption
    How the TARDIS Travels in Time And Relative Dimensions In Space
    Logging in with Facebook (and Google and Twitter and...)
    Logging into Myspace in 2014
    Heretics of Science
    That's the time I feel like making text to you
    We're Just Meta Uber Super Tool Users
    Birthing and Idea
    Fun With Chinese Hackers and Password Strength
    How to Turn Off Google Location Tracking
    Your Phone is Spying on Everyone
    My New Not a Laptop
    Advertising vs. Reality. Lays Kitchen
    Brilliant Ideas in Dreams -- but it's still a dream
    World Traveling Intros
    Referencing your whacky theories
    Is Being a Geek the Antithesis of Success?
    3-Legged OAuth -- A Love Story
    The Cost of Gentrification
    Medieval Hoarding to the Hive Mind
    Stealing money with bad web design
    Newspaper Hospice
    The Conversation of Learning
    Watching Myself
    Driving through a fly-over
    Death of the Save Button
    Deja-Google and the world traveller
    The Loss of Everything or How I Lost my Phone
    I'll Never be a Space Tourist
    Global Training Director (and MacGyver)
    Amateurs vs Idiots
    Why I {heart} APIs
    Buying Respect on Layaway
    Latte Swilling Robin Hoods, sort of
    Amateur Coffee Drinkers
    The Houses are Trees
    Why I Drink Starbucks in Europe
    Polite Drinking
    The Sounds of Spring
    The Wizard's Gift
    Another Country: The United Federation of Airports
    I'm a Business Tourist
    Traveling through Time And Relative Dimensions In Space
    Resistance is futile... But it doesn't mean people won't resist...
    We're Cybernetic Creatures
    The Thing about Vegas
    Middle Earth: Post-Apocalyptic Hell Hole
    Surrounded by Technology
    The Metaphysics of Nuclear Physics
    How Can You Be in Two Places at Once When You're Not Anywhere at All
    Media is Plural (and the blame game isn't about the news)
    Treasures, Junk and Corporate Serfdom
    Reality is Mind Blowing Enough
    Number 1 Star Wars Fan
    False Engagement (or 'My bank isn't really my bank...')
    The Emperor's New QR Code
    On Kings and Colonies -- Running Government as a Business
    Just Another Day in Portland
    Over Explaining Things
    In a World Where I Have to Pay for Healthcare
    Google Has Replaced Context
    The Internet's Memory is Fuzzy
    STOP HELPING ME (or My Computer is Killing Me with Helpfulness)
    My Cat Thinks He's a Great Manager
    Neglecting my Navel
    Masterful Service
    Warning: Do Not Operate Heavy Equipment while Thinking
    'None of Your Business' by Anonymous
    Hoarding Information
    Attack of the Season
    Subjective Facts
    Portland Rain Isn't for Everyone
    Visiting My Mother in the Hospital
    My Dirty Little Secret is I'm not a Vacuum Cleaner
    It's not Facebook, You May Already be an Idiot
    Portland Composts and I Simmer
    Japanese Manners Poster -- Please do it in America
    Complicated Stuff that I'm Forced to Use
    Get the Money out of Politics
    Everyone is Special
    Redberry vs Blackberry
    Tea and Occupation
    Advertising that smells like the man you want your advertising to smell like
    Lack of Privacy as a Celebration of Life
    You say ADD like a bad thing
    My Private Life is Public, my Public Life is Private
    I have an unnatural relationship with my phone
    Mr. Monopoly sells gas
    Do no evil... unless you can't help it
    Cool off with a Pepsi... Air conditioner?
    My Brain is Full
    Pandora becomes more like Radio
    Tony Chachere vs Big Easy Foods
    Upgraded to Death
    Now THIS is a collectable figure -- Darth Vader 'Star Knight'
    Netflix Is Watching
    Session vs. Red Stripe... Mmmm... Beer...
    Netflix and @Qwikster
    Pepsi Steals Christmas
    Shanzhai -- The Ancient Chinese Art of Brand Identity Theft
    Dealing with Google+ Spam
    WhiteCube.com vs WhiteCu.be
    Old Rasputin -- Beer and Nostalgia
    Fake Republican Twitter Accounts
    Pacman Noodles
    Random Change
    Oil of Okay
    Sun Bucks Coffee
    Ball Star Classic
    KFC or KF China?
    Johns Daphne vs. Jack Daniels
    Interjecting Infidelity
    The Case of the Identical Tablet: Apple vs. Samsung
    They Know Where You Are: Privacy and Google Maps
    Lazy logo design and a naked blue guy
    The Season for Ignoring the Season
    Apple Story
    No one can resist my Schweddy Balls
    Give me appIebees over Applebees any day
    The Mystery of the Two Applebees
    What's on the Other Side of that Link?
    Losing millions... insiders cashing out... Surprise! GroupOn delays IPO
    Facebook Party vs. Jane Eyre Introductions
    Full Metal Internet
    Branding Irons
    Your iPhone is like Your Bifocals
    Death of a Salesman's Store
    Living in dots and vibrations
    Virtual Disasters -- Watching the Hurricane on the Internet Traffic Report
    Facebook Hates Your Link and other stories from arts meets geeks
    Apple's Innovation of One Control Freak
    Hashtags on TV
    GroupOn -- Good for Meth Dealers, bad for Fishing Guides
    This Video Is Not Available on Mobile
    'Join The Conversation' Yeah... Corporations are sexy
    'Did you mean?' -- Google's chiding nanny of search results
    The Next Fad: Adword Optimization
    The double standard of Mobile Web vs Mobile Apps
    Branded Technology
    Sharingspree.com -- Stealing more than GroupOn's Idea
    The Internet Isn't Entertaining Enough
    The Bullfighters EULA
    Global Chit-Chat and the Norwegian Isolationist
    It's not your bank... It's Apple's and Amazon's
    Violated by Madison Avenue
    Goodbye Murphy
    Frustrated social-media serotonin hit
    'Narcissism' by Michael R. Bissell -- Reading myself...
    Facebook Reinvents the Meta Tag. Evolution? Or just weird mutant?
    Dude, you were looking at web stats and laughing
    If real life was like the world we see in commercials
    'We need to...' Internet Marketing Myths
    Facebook's deal with the Devil
    My cool new phone is a little too cool.
    You are never alone
    Aw, Snap!
    Promotion vs. Distribution... You'd think they'd know that one...
    Miracles and Meetings
    Facebook Causes Depression
    The I-Don't-Understand-It-So-It-Must-Be-Valuable Valuation
    Countries less valuable than Groupon
    Politics and instantaneous communication
    Live by your wits, until you get the flu
    Who owns your friends?
    Agonies of Programming for Facebook
    Content for Social Media
    Walking to Surreality
    Fact Free Zone
    Facebook did not topple Egypt
    The Value of Ideas
    Frustrating Miracles
    Social Media Slot Machine
    Anonymous vs Me
    The Numbers Game
    The Internet and our Sedentary Society -- maybe some hope?
    News from the Twitter Follow Campaign Trail
    The Death of... Well, everything...
    The art of Indiscriminate Twitter Following
    The Cloudy Meaning of The Cloud
    My Emotional Repsonse to iAnything
    Alien Technology and Government Conspiracies
    Portlandia... Yeah... it's probably true
    A Short Rant about Los Angeles
    Time for a New Reality
    The Great Popularity Contest of the 21st Century
    The Death of Email
    Protecting Free Speech... Anonymously (and geekily)
    Farewell to Doug -- the Dali Lama has moved on
    Amazon Shouldn't Have Shut Down WikiLeaks
    Google isn't the bad guy... this time
    Thankless Jobs
    Making Money -- Or Money Making You
    Kids In Charge
    It's Okay that Roger Sterling's Book Sucks
    Sex, Seduction and Manipulation
    The Superpowers of the Hive Mind
    Big Brother is Finally Here
    Time for New Ideas
    Comcast, Netflix and the Mystery of the Modem
    Custom Tailored Crap
    The Great Technical Disconnect
    New for the Sake of New
    A Retail Store Built Like the Web
    A Quick Rant -- The New Twitter and Real People
    Disposable Personas
    When did Google Start Policing the Internet?
    Getting back to HTML basics, thanks to Apple
    Inspecting my Navel Base
    Quantum Entanglement and the Death of Radio
    A shoebox vs. an online backup
    Cave Man Distribution Networks
    Dressing for Work
    The team that hates itself -- Visionaries, Managers and Technicians
    iBooks -- Creative Epicenter or Gatekeeper?
    The Failure of Success
    The Economy is Going to Get Worse, but that's okay
    Time lost on Twitter
    Common Sense of the New Economy
    Twitter's back alleys and dark places
    Social Media is NOT Advertising
    On censorship
    Microsoft Courier
    Form (designers) versus Function (geeks)
    Bad Restroom Health Sign
    PDXBOOM -- The power of social media and the portland pipe bomb
    China and Apple -- Different organizations, same management
    The volume of screens
    Logorama
    Sleeping through miracles
    Who needs an URL anyhow?
    Transmedia
    That magical little tablet
    The complications of making coffee
    How your website can be in two places at once
    Masterpieces created by sheer volume
    Suing over lack of originality
    A Primer on Internet Fame -- dancing babies, hamsters, numa numa, and more...
    The Lawsuit Lottery
    Checking my messages
    Another Random Night of Arts in Portland
    Rules are made to be broken -- in a reasoned, systematic way
    So many accounts, so few passwords
    The Dali Lama of Hillsdale
    Who really uses Twitter? 60% of Twitter's traffic isn't on Twitter
    Riding the commute route on Saturday
    Not everyone is like you
    The Web is a Jerry Rigged Kludge
    Portland Bike Plan: Too Expensive or Playing with numbers?
    Twitter: Asleep at the Mouse Wheel
    Where regulation is good: Google Voice and Vonage
    How Facebook is (unintentionally) forcing programmers to piss off users
    The Twit Cleaner
    Perfect Secretary's pitch for @Adbroad (and the Youtube API)
    The Emotions of Text
    The Shorty Awards Scandal -- Manual Spam is still Spam
    Google Analytics, the cloud and missing numbers #fail
    Helen Klein Ross & Michael Bissell Interview at Adweek's Social Media Strategies Conference
    The Internet is the New 60's
    Getting back in the saddle (bicycle saddle, that is)
    Ranting about Portland Drivers
    Cougars from New Zealand (and I don't mean big cats)
    Adding facts together, or why you can't charge your cell phone from wifi
    Social Media and the Destruction of the World
    Rabid Fans vs Passive Viewers -- The Coco vs Leno saga
    How to tell someone to retweet (without using up your 140 characters)
    You can't buy social media
    A book unopened is but a block of paper
    Building the LOST: The Final Season Sweepstakes
    Holiday SPAM (or the lack thereof)
    Archiving Twitter
    Too Many Toolbars
    Random Censorship with Google Adwords
    Accessibility and Shopping Online
    'Upgrading' my flight
    Twisted path to customer service
    Flash: Shiny objects blinding your audience
    Twollow and other gold rush scripts
    Arthur Miller's All My Sons
    GPS in a Laptop computer
    Thinking outside the box... There was a box?
    Twitter was designed for Text Messaging
    It's not the corporations, damnit
    Entrepreneur or Dreamer?
    Adweek Social Media Twitter for Brands Presentation
    Socializing is more than Social Media
    Generational Marketing is a Myth (or Who's your Daddy?)
    Social Media is Just the Way We Use the Internet
    Twitter Followers Don't Matter (ask the porn sites)
    The Internet is Gooder than Books
    Sometimes you don't want your campaign to go viral
    Best Twitter Branding Campaign
    A Good Explosive Recipe and other found knowledge online
    Like flies to crap, Spammy Twitter Followers don't really go away
    Video Projectors for your phone
    iPhone SMS Security Hole
    How Flipmytweet works
    Cell Phones as Microscopes
    Markie's Birthday
    Digg is not the Hijacker -- You Are
    Steve Ballmer -- the walking dead?
    Twitter as an open mic poetry reading
    Automatic Social [un]Awareness
    New York, New York
    First splash for United Against Malaria
    New Media/Old Media and the CLIO Awards
    Interview at SXSW: Mad Men Twitter And Tracking
    Saturday Yard Work
    We've got an App for that -- it's called the Web
    Made it to SXSW in Austin
    What is Conquent?
    The trouble with Wordpress and other templates
    Wayward Words with Baggage
    Speaking at SXSW March 17th
    The fleeting Memory of the Internet
    It's okay to say 'I don't know'
    Good Morning America, now Go Fight Traffic
    More surreality in Portland
    Nike Takes Over Conquent
    Facebook owns this title
    Excuses, excuses
    A little on Social Media
    Feeding on Content
    Attack of the Bots
    Irish Music in Oregon City
    Landing on an Aircraft Carrier
    Got Curry? And some bizarre art?
    Web 1.0
    Random Music and Random Life in Portland
    To the dump, to the dump, to the dump dump dump
    Flight Simulator
    Cold night, hot fire, happy cat
    Net Neutrality
    Walking to work in the snow
    A window into Moreland of the Past
    Getting clever with data feeds
    Big and Little Beirut
    The Other Credit Crisis
    The Broadband Inauguration
    T-Mobile owns Magenta and Other Patent Stories
    The Risk-takers, Doers and Makers of Things
    The noise of 20,000+ Twitter Followers
    Reflections on my DC Trip
    Born Again American
    30,000 feet, 500 MPH Suburban Strip Mall
    Cellphones, toilets and the Inauguration
    The wall of pissing
    National Treasure/National Archives
    My trip to DC so far
    Everyone is insane
    Getting ready for DC
    The End of Days (of song): Microsoft Songsmith Example
    The Very Model of a Modern Major General
    Browser Bigotry
    The Death of your Soul: Microsoft Songsmith
    Creative Development or Developing Creatively?
    Race to Witch Mountain
    The Myth of Wikipedia (or the Wiki-1400)
    Online/Offline Sales -- is it really that bad?
    Is PayPal Tacky?
    Old School Web Design Still Works
    Domain Squatting
    Christmas Fire
    Green Chri$tma$
    QA 101
    Portland Snow
    Get some return on that web traffic
    I think they have a backup...
    I'd love to have that problem
    The [un]importance of statistics
    Don't be a tool of viral marketing
    CAT Scan!
    Follow up to the shoulder injury
    Emails, discussions, blogs, wiki and web content
    Ironic Injury
    On the Santa Monica Pier
    You Designed for Print First
    You let someone else register your domain name
    You figured .biz, .info, .us would work fine
    What's after the Integrated Circuit?
    Intelligent life is out there (but it's bugger all down here on earth)
    Subject Matter Experts Talking Other Subject Matter
    The Totalitarian Regime of Apple
    Oversimplifying how people work
    crowdSPRING
    Creative Services for the New World
    Reverse Anthropomorphism
    The End of Time
    Oil prices and birdsong
    Watching Starship Troopers AGAIN!
    Better Living Through Twitter
    Lessons Learned From Apple
    It's the Brand, Baby
    Business Architecture vs. Web Construction
    On Truth
    You can't build life
    Accidentally Drunk in Portland
    Al Gore the Winner
    Intelligent life is out there (but it’s bugger all down here on earth)
    Aussie Rules Football
    Trip to Nostalgia Land
    I am such an idiot
    Long day of travel
    Miami -- as far from Portland as you can go in the US
    Inverse Peter Principle
    COMPLETE GEEKOUT:MD5s as database keys
    Random Knowledge
    I'm fascinated with modern plumbing
    Leaving Seattle (or why you should keep your ticket close)
    On the Rails
    The Hive

© Michael Bissell. All rights reserved.