Sunday, November 4, 2018

Overlapping elements in CSS

<html>
  <head>
    <style>
      .one { color: green }
      .two { color: orange }
    </style>
  </head>

  <body>
    <div class="one two">
      hello world
    </div>
  </body>
</html>

The class ".one" is applied because it comes first in the <style> tag.

Thursday, October 25, 2018

CLAIMS VS ROLES


Roles-based authorization :

- Identify the user.
- Get the user's roles.
- Compare the user's roles to the roles that are authorized to access the resource.

Claims-based authorization :

- Assign a claim to the user.
- The user presents the claim for authorization rather than a username and password.

A role is a specific kind of claim :

Based on my identity (username/password), I'm in this role; because I'm a member of this role, I have access to this resource.
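As an added example (not code from the original post), the two checks above written out over one user record. A claim is modelled as a typed statement about the user, and a role is simply a claim whose type is "role", which is what makes the role check a special case of the claim check. The user record, resource policies and function names are assumptions made for this illustration.

```javascript
// Added example (not from the original post): role-based vs claims-based
// authorization checks over the same user record. Names and sample data
// are assumptions made for this illustration.

// A claim is a typed statement about the subject, issued by some authority.
// A role is simply a claim whose type is "role".
const user = {
  name: "alice",
  claims: [
    { type: "role", value: "editor" },
    { type: "department", value: "finance" },
    { type: "age_over_18", value: "true" },
  ],
};

// All values of a given claim type carried by the subject.
function claimValues(subject, type) {
  return subject.claims.filter((c) => c.type === type).map((c) => c.value);
}

// Role-based authorization (the steps from the post): identify the user,
// get their roles, compare them against the roles the resource allows.
function authorizeByRole(subject, allowedRoles) {
  const roles = claimValues(subject, "role");
  return roles.some((r) => allowedRoles.includes(r));
}

// Claims-based authorization: the resource states which claim it requires;
// the subject presents a matching claim instead of re-proving identity.
function authorizeByClaim(subject, requiredType, requiredValue) {
  return claimValues(subject, requiredType).includes(requiredValue);
}

// A role check is therefore just a claim check with type "role".
function authorizeByRoleAsClaim(subject, allowedRoles) {
  return allowedRoles.some((r) => authorizeByClaim(subject, "role", r));
}

// Resource policies (assumed): the reports page needs the "editor" or
// "admin" role; the payroll export needs the finance department claim.
function canViewReports(subject) {
  return authorizeByRole(subject, ["editor", "admin"]);
}
function canExportPayroll(subject) {
  return authorizeByClaim(subject, "department", "finance");
}

console.log("reports:", canViewReports(user), "payroll:", canExportPayroll(user));
```

The claim check is the more general form: the payroll policy never has to invent a "finance-exporter" role, it asks directly for the fact it depends on, and the role check falls out as a claim check on the "role" type.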

Tuesday, October 2, 2018

Same-origin Policy (SOP)


I- Same-origin Policy (SOP) :

SOP is the default policy enforced by all browsers; it prevents data sharing between pages from two different origins.

Only resources that share the same origin (protocol (http, https, ...) + host (domain or subdomain) + port) can access one another.

Why SOP ?

CSRF (Cross-Site Request Forgery) and XSS (Cross-Site Scripting) are potential attacks that arise from the ability of sites to make requests to each other.

Solution ?

In order to support cross-domain access in a controlled way, we can use :


1- JSON with Padding (JSONP) :

(CSRF vulnerabilities)

XMLHttpRequest (using the X-Requested-With HTTP header set to XMLHttpRequest)
An XMLHttpRequest call can be sent to a site in a different origin, but the reply cannot be read.

Under the principles of the Same-origin Policy, scripts run in the context of the site that loaded them. The only criterion is that the file loaded must be a valid script file.

JSON, or JavaScript Object Notation, is both a data format and, as a JavaScript literal, valid executable JavaScript code.

So, results can be wrapped in a call to a callback function named by the caller :
http://mysite/list?callback=foobarbaz
and the response should be : foobarbaz([{"att1": "val1", "att2": "val2"}]);
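As an added example (not code from the original post), the server side of the exchange above: the callback name is taken from the request URL and echoed into executable JavaScript, so it is validated as a plain identifier before use. The function names and the list data are assumptions made for this illustration.

```javascript
// Added example (not from the original post): building a JSONP response
// for a request such as http://mysite/list?callback=foobarbaz.
// The callback name comes from the caller and is echoed into executable
// JavaScript, so it is validated first. Function names are assumptions.

// Accept only a plain identifier (optionally dotted, e.g. "app.onList");
// anything else would let the caller inject arbitrary script into the reply.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Returns the script body the server should send (Content-Type:
// application/javascript), or null when the callback name is rejected
// (a real handler would answer 400 in that case).
function jsonpResponse(callbackName, data) {
  if (!isValidCallbackName(callbackName)) return null;
  // JSON.stringify yields a valid JavaScript expression for the payload.
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Read the callback parameter out of a request URL.
function callbackFromUrl(url) {
  return new URL(url).searchParams.get("callback");
}

// Constructed data the /list endpoint returns.
const listData = [{ att1: "val1", att2: "val2" }];

console.log(jsonpResponse(callbackFromUrl("http://mysite/list?callback=foobarbaz"), listData));
```

Validating the callback name only addresses script injection through the parameter. The "(CSRF vulnerabilities)" note above remains: the script is fetched with the browser's cookies for the serving site, so any page can include it, and a JSONP endpoint should not return data that depends on who the logged-in user is.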


2- CORS (Cross-Origin Resource Sharing) :

(See XDomainRequest for IE8 and IE9)

CORS relaxes SOP in a controlled way, enabling data sharing between two domains securely.
A wants to make a request to a site in origin B.
A's request must declare its origin with the Origin HTTP header.
B then returns a response with the HTTP header Access-Control-Allow-Origin: * (or a specific origin).

2-1- CORS Simple Request vs Preflight Request

2-1-1- Simple Request :

Method GET, POST, or HEAD, and the message type, set by the Content-Type HTTP header, is one of application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Request :
GET / HTTP/1.1
Host: www.caller.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-US;q=0.5
Origin: http://www.caller.com
Connection: keep-alive


2-1-2- Preflight Request :

If the request is not a simple request, or if a custom HTTP header is added to it, the browser first sends a pre-flight request using the OPTIONS method.

Request : asks the server whether the method and HTTP headers about to be sent are acceptable :
OPTIONS /resources/r/ HTTP/1.1
Origin: http://www.caller.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-TOKEN-ID

Response :
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2018 01:15:39 GMT
Server: Apache
Access-Control-Allow-Origin: http://www.caller.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-TOKEN-ID
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
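As an added example (not code from the original post), the server-side logic behind the two request shapes described in 2-1-1 and 2-1-2: a check for whether a request is "simple", and a preflight handler that answers the OPTIONS request above. It uses an explicit origin allowlist rather than Access-Control-Allow-Origin: *, which is what a response carrying Access-Control-Allow-Credentials: true needs anyway. The allowlist, header names and sample request are assumptions made for this illustration.

```javascript
// Added example (not from the original post): server-side CORS decisions for
// simple and preflighted requests. The allowlists and sample request are
// constructed for this illustration.

const ALLOWED_ORIGINS = new Set(["http://www.caller.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["x-token-id"];

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Header names are case-insensitive; normalise them once.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// "Simple" as defined above: GET/HEAD/POST with one of three content types.
// Anything else makes the browser send an OPTIONS preflight first.
function isSimpleRequest(method, headers) {
  const h = lowerHeaders(headers);
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  const ct = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  return ct === "" || SIMPLE_CONTENT_TYPES.has(ct);
}

// Handle the OPTIONS preflight: echo the origin only when it is on the
// allowlist, and confirm the requested method and headers are permitted.
function handlePreflight(headers) {
  const h = lowerHeaders(headers);
  const origin = h["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const method = (h["access-control-request-method"] || "").toUpperCase();
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers: {} };

  const requested = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((name) => ALLOWED_HEADERS.includes(name))) {
    return { status: 403, headers: {} };
  }

  return {
    status: 200, // 200 OK as in the response above; 204 No Content is also common
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Max-Age": "86400",
      // Tell caches that the answer depends on the Origin header.
      "Vary": "Origin",
    },
  };
}

// Headers to add to the actual (simple or post-preflight) response.
function corsHeadersForResponse(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed preflight matching the request shown above.
const samplePreflight = {
  Origin: "http://www.caller.com",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "X-TOKEN-ID",
};

console.log(handlePreflight(samplePreflight));
```

The origin is compared against the allowlist as a whole string (scheme, host and port), never by substring or prefix, and the allowed origin is echoed back rather than *; Vary: Origin keeps a shared cache from serving one origin's answer to another.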


II- Content Security Policy (CSP) :
The CSP header lets a site control which content is allowed to run on its own pages.

Using the CSP directives sent in the Content-Security-Policy HTTP header, resources are loaded only from the listed domains and from no others.

CSP directives : script-src, style-src, img-src, frame-src, media-src, font-src, form-action, base-uri...
The standard specifies some special sources : 'none', 'self', *, a scheme such as https:, a URI, or a host wildcard.

[directive] <source> <…source>; [directive] <source> <…source>; …

e.g. : Content-Security-Policy: script-src 'self' https://somejs-cdn.com
Content-Security-Policy: default-src 'self' *.trusted.com
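As an added example (not code from the original post), a small parser for the header format above and a matcher that decides whether a resource URL may load under a given directive, falling back to default-src when the directive is absent, as browsers do. It covers the source kinds listed above ('none', 'self', *, scheme sources like https:, host sources with an optional *. wildcard and port) and is exercised on the two example policies. The page origin and the URLs checked are assumptions made for this illustration.

```javascript
// Added example (not from the original post): parsing a Content-Security-Policy
// header and checking a resource URL against it. The page origin and the
// URLs used are constructed for this illustration.

// "script-src 'self' https://x; default-src 'self' *.trusted.com"
//   -> Map { "script-src" => ["'self'", "https://x"], "default-src" => [...] }
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Match one source expression against a URL, given the page's own origin.
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return url.origin === pageOrigin;
  // Scheme source such as "https:" matches any host using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  // Host source: optional scheme, host (possibly *.wildcard), optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // keyword sources like 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const h = url.hostname.toLowerCase();
  if (wildcard) {
    // *.trusted.com covers sub.trusted.com but not trusted.com itself.
    if (!h.endsWith("." + host)) return false;
  } else if (h !== host) {
    return false;
  }
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// Is resourceUrl allowed to load under `directive` (e.g. "script-src")?
// If the directive is absent, default-src applies; if that is absent too,
// the policy places no restriction on this resource type.
function cspAllows(policy, directive, resourceUrl, pageOrigin) {
  const sources = policy.has(directive) ? policy.get(directive) : policy.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(resourceUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

const PAGE_ORIGIN = "https://www.example.com"; // assumed origin of the protected page
const scriptPolicy = parseCsp("script-src 'self' https://somejs-cdn.com");
console.log(cspAllows(scriptPolicy, "script-src", "https://somejs-cdn.com/lib.js", PAGE_ORIGIN));
```

Note the difference between the two example policies: the first restricts only scripts, so images, frames and styles from anywhere still load; the second uses default-src, which covers every fetch directive that is not set explicitly. Browsers additionally support nonces, hashes, 'unsafe-inline' and path components in host sources, which this matcher does not model.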



References :
https://www.netsparker.com/whitepaper-same-origin-policy/


Thursday, August 30, 2018

TL;DR DevOps


DevOps = Develop + Deploy + Maintain

Develop => Languages (C#, Java, JS...),
Version Control & Collaboration (TFS, Git ...),
Build & test automation (TFS build, Maven, Selenium ...),
Continuous integration & delivery (Tf rm, Jenkins ...)


Deploy => Container platform (Docker ...),
Configuration management (PowerShell, bash ...),
Microservice platform (Kubernetes, OpenShift ...),
Provisioning (SSH, Docker Swarm, PowerShell ...)

Maintain => Logging (Logstash/Elasticsearch, ...),
Monitoring & Alerting & Analytics (Kibana, Nagios, Zabbix ...)