remove old pages

content/docs/framework/drupal.md

@@ -1,7 +1,7 @@
 ---
 title: "Drupal"
-description: "Cheatsheet on Drupal library"
-lead: "Cheatsheet on Drupal library"
+description: "Cheatsheet on Drupal CMS"
+lead: "Cheatsheet on Drupal CMS"
 date: 2023-01-01T00:00:00+00:00
 lastmod: 2023-01-01T00:00:00+00:00
 draft: false

content/docs/framework/wordpress.md

@@ -0,0 +1,19 @@
+---
+title: "Wordpress"
+description: "Cheatsheet on Wordpress CMS"
+lead: "Cheatsheet on Drupal CMS"
+date: 2023-01-01T00:00:00+00:00
+lastmod: 2023-01-01T00:00:00+00:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "framework"
+weight: 620
+toc: true
+---
+
+## Wordpress
+
+### Discovery
+

content/docs/http/cross-origin-read-blocking.md

@@ -33,4 +33,45 @@ CORB works by examining the MIME type of cross-origin responses and blocking tho
 - **MIME Type Evaluation**: CORB checks the MIME type of a cross-origin response against a list of "protected" MIME types (such as HTML, XML (excluding SVG), and JSON). If the MIME type of the response is on this list, CORB may block the response from being consumed by the requesting site.
 - **Blocking Strategy**: If CORB decides to block a response, it does so by stripping the response body, effectively preventing the requesting JavaScript from reading the content. However, the request itself is not blocked, the server still receives the request and sends a response. The difference is that the JavaScript on the requesting site cannot access the response's body.
 - **Context of the Request**: CORB's decision to block a response also considers the context in which the request was made. For example, a script element trying to load JSON data might be blocked, as scripts are not supposed to load such data types directly.
-- **Interaction with Other Security Features**: Although CORB operates independently, its effectiveness is complemented by other security measures such as the `X-Content-Type-Options: nosniff` header, which prevents the browser from sniffing the MIME type of a response. This ensures that incorrectly labeled resources are not executed in an unintended context.
+- **Interaction with Other Security Features**: Although CORB operates independently, its effectiveness is complemented by other security measures such as the `X-Content-Type-Options: nosniff` header, which prevents the browser from sniffing the MIME type of a response. This ensures that incorrectly labeled resources are not executed in an unintended context.
+
+## Blocking
+
+The response will be stripped if:
+
+1. `X-Content-Type-Options` is set to `nosniff` and the `Content-Type` is either `HTML`, `XML` (except `image/svg+xml`), `JSON` or `text/plain`.
+2. Reponse status is `206` and the `Content-Type` is either `HTML`, `XML` (except `image/svg+xml`) or `JSON`.
+3. The sniffed the response body is either `HTML`, `XML` (except `image/svg+xml`) or `JSON`.
+
+## Examples
+
+For the following examples, the client-site code will stay the same:
+
+```html
+<script src="http://localhost:5555"></script>
+```
+
+### nosniff & text/plain
+
+In the following case, the response will be stripped by CORB because we will be in the first case as `X-Content-Type-Options` is set to `nosniff` and the `Content-Type` is set to `text/plain`.
+
+```python
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/')
+def home():
+    return "alert(1337);" 
+
+@app.after_request
+def add_response_headers(response):
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    response.headers['Content-Type'] = 'text/plain; charset=utf-8'
+    return response
+
+if __name__ == '__main__':
+    app.run(port=5555)
+```
+
+### 206 & application/json

content/docs/http/x-content-type-options.md

@@ -19,8 +19,6 @@ The [X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/H
 
 ## Nosniff
 
-```
-X-Content-Type-Options: nosniff
-```
+`X-Content-Type-Options: nosniff` only apply request-blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).
 
-`X-Content-Type-Options` only apply request-blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).
+You can find more details on the [CORB](/docs/http/cross-origin-read-blocking-corb/) page.

layouts/index.html

@@ -24,7 +24,7 @@ <h1>{{ .Title }}</h1>
     <div class="container">
       <div class="row justify-content-center text-center">
         <div class="col-lg-5">
-          <h2 class="h4">Service Worker3</h2>
+          <h2 class="h4">Service Worker</h2>
           <p>A Service Worker runs in the background of a web application, it provides various features such as caching, push notifications, and offline functionality.</p>
         </div>
         <div class="col-lg-5">

todo.txt

@@ -5,4 +5,6 @@
 - Others - Open Redirect
     - Add a parameters wordlist
     - Browser BCheck rules
-- Framework - Spring Boot
+- Framework - Spring Boot
+
+- Fix images in other/debug