I have set the rule for CSP but the browser gives an error with a different CSP rule - http-headers

I have set my CSP in meta tag as follows:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' cdn.jsdelivr.net unpkg.com accounts.google.com code.jquery.com 'sha256-lJMW30jo60M6VSFHAaxO+izJVqSNTP0VHJM8ChvH0mQ=';" />
But the browser reports a different CSP in the error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-lJMW30jo60M6VSFHAaxO+izJVqSNTP0VHJM8ChvH0mQ='), or a nonce ('nonce-...') is required to enable inline execution."
Why can that happen? Clearly I don't set the CSP to script-src *

Related

CSP Meta Tag incorrect: Blocking all fonts and JS

I followed up on a different SO answer and updated my meta tag like so:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; default-src 'self' 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';">
My aim was to get FontAwesome to pass a CySec finding. However, the fix broke more than it fixed:
Ignoring duplicate Content-Security-Policy directive 'default-src'.
folio.dubaiairports.ae/:9 Ignoring duplicate Content-Security-Policy directive 'default-src'.
Unrecognized Content-Security-Policy directive '<URL>'.
mySite.myCompany.co/:9 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.
chext_driver.js:65 Unrecognized Content-Security-Policy directive 'https://*.googleapis/*/'.
mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
blazor.server.js:1 [2021-01-26T09:27:01.087Z] Information: Normalizing '_blazor' to 'https://mySite.myCompany.co/_blazor'.
mySite.myCompany.co/:1 Refused to load the script 'https://kit.fontawesome.com/4f9675fbb7.js' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
mySite.myCompany.co/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Roboto:400,500' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Any helpful pointers will be greatly appreciated
Your CSP has errors:
two default-src directives; the second one will be ignored.
in the part 'unsafe-inline'; https://*.googleapis/*/ https://*.fontawesome.com/*/ the directive name is missing, therefore the browser treats the https://*.googleapis/*/ and https://*.fontawesome.com/*/ host-sources as directive names. The ; is a separator for directives, therefore after 'unsafe-inline'; a directive name should follow.
https://*.googleapis/*/ and https://*.fontawesome.com/*/ have invalid syntax because * is not allowed in the path part or to cover a top-level domain zone; please see how to correctly specify a host-source.
I am not sure about the gap: and content: scheme-sources; they are not used in ordinary CSP, but they may be applicable in CSP for browser extensions.
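A small linter, added here as an example rather than code from either post, that reproduces the console messages for the meta tag above: it splits the policy the way a browser does (on `;`, then on whitespace, first token is the directive name) and flags duplicates, unknown directive names and host-sources with a wildcard in the path. The directive list and the source grammar are a simplified subset assumed for this example, not the browser's full implementation.

```python
import re

# Simplified subset of directive names (an assumption for this example, not the
# browser's full list); anything else in the name position is reported as unknown.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "media-src",
    "object-src", "connect-src", "child-src", "form-action", "frame-ancestors",
    "script-src-elem", "style-src-elem",
}
# host-source: optional scheme, '*' or a host with an optional leading '*.', optional
# port, optional path. A '*' anywhere in the path makes the expression invalid.
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?:\d+|\*))?(?:/[^*\s]*)?$", re.IGNORECASE)
KEYWORD = re.compile(r"^'[^']+'$")                            # 'self', 'unsafe-inline', 'sha256-...'
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.IGNORECASE)   # data:, https:, gap:

# The policy from the meta tag in the question above, verbatim.
QUESTION_POLICY = ("default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; "
                   "style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; "
                   "default-src 'self' 'unsafe-inline'; https://*.googleapis/*/ "
                   "https://*.fontawesome.com/*/ script-src 'self' 'unsafe-eval'; object-src 'self';")

def lint_csp(policy):
    """Return findings in the order a browser console would report them."""
    findings, seen = [], set()
    for raw in policy.split(";"):                 # ';' separates directives
        tokens = raw.split()                      # whitespace separates name and sources
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"Unrecognized directive '{name}'")
            continue
        if name in seen:                          # first occurrence wins, later ones are dropped
            findings.append(f"Ignoring duplicate directive '{name}'")
            continue
        seen.add(name)
        for src in sources:
            if not (KEYWORD.match(src) or SCHEME.match(src) or HOST_SOURCE.match(src)):
                findings.append(f"Invalid source '{src}' in {name}")
    return findings
```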

Base64 image content security policy error

I am trying to load a base64 string into an img src; on my local environment this is working, but on the live environment I get this error:
I also tried putting this in my html header:
<meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">
I am really stuck on this issue because I cannot deploy to the live environment because of this. Help is much appreciated.
According to the error message you are missing "data:" for default-src in your initial CSP (remove the quotes). If you define img-src then "data:" should be added to it.
If you don't remove the header when adding the meta tag, all your content must pass both CSPs.
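To show why the answer asks for data: in both policies, here is an added Python model (not code from the question or the answer) of how a browser checks a load against every delivered policy, with img-src falling back to default-src and `*` never matching data:. HEADER_POLICY is an assumed stand-in for the server header the question does not show; META_POLICY is the meta tag above.

```python
from urllib.parse import urlsplit

# Fallback chain (assumption: the subset of the spec's table this page needs). The first
# directive in the chain that a policy sets is the one that governs the load.
FALLBACK = {"img-src": ["img-src", "default-src"],
            "style-src-elem": ["style-src-elem", "style-src", "default-src"]}

def parse_csp(policy):
    """Directive name -> source list; a repeated directive keeps its first occurrence."""
    parsed = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed

def source_allows(src, url, page_origin):
    """Does one source expression permit this URL?"""
    u = urlsplit(url)
    if src == "*":                      # '*' covers network schemes only, never data: or blob:
        return u.scheme in ("http", "https", "ws", "wss")
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.endswith(":"):               # scheme-source such as data: or https:
        return u.scheme == src[:-1].lower()
    if src.startswith("'"):             # 'unsafe-inline' and friends say nothing about URLs
        return False
    scheme, _, rest = src.partition("://")
    if rest and scheme.lower() != u.scheme:
        return False
    host = (rest or src).split("/", 1)[0].lower()
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host

def allowed(policies, directive, url, page_origin):
    """Every delivered policy (header and meta alike) must permit the load.
    Returns (True, None) or (False, the directive that blocked it)."""
    for policy in policies:
        parsed = parse_csp(policy)
        chain = FALLBACK.get(directive, [directive, "default-src"])
        governing = next((d for d in chain if d in parsed), None)
        if governing is not None and not any(
                source_allows(s, url, page_origin) for s in parsed[governing]):
            return False, governing
    return True, None

# Constructed inputs: the meta tag from the question, an assumed server header that
# lacks data:, and a tiny base64 image.
META_POLICY = ("default-src *; img-src * 'self' data: https:; script-src 'self' "
               "'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *")
HEADER_POLICY = "default-src 'self'"
DATA_IMAGE = "data:image/png;base64,iVBORw0KGgo="
```

The same fallback logic explains the "style-src-elem was not explicitly set, so style-src is used as a fallback" notes in the console output further up the page.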

CSP and inline scripts getting blocked

I'm struggling to understand CSP and I'm getting
Refused to apply inline style because it violates the following Content Security Policy directive: "script-src 'self' https://example;"
For example, my domain is https://example.com, and in my policy I have script-src 'self' https://example; yet inline scripts from https://example/static/js/19.b56ecbe.chunk.js are getting blocked.
I would have thought that 'self' would allow the script to run. What am I getting wrong here?
#sideshowbarker already explained why you cannot do that but there's a little variant you can use if you want to allow "inline scripts" on your pages.
Just include nonce in all your script tags as well as in the CSP header itself.
Look here for more details: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
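An added Python sketch of the nonce variant the answer describes (not code from the answer or the linked article): generate a fresh nonce per response, put it in the header and on every inline script tag, and check the rendered page for tags that missed it. The function names and the inline scripts are constructed for the example.

```python
import re
import secrets

def make_nonce():
    """A fresh, unguessable value per response; reusing one across responses defeats the point."""
    return secrets.token_urlsafe(16)           # URL-safe base64, an alphabet CSP accepts

def render(nonce, inline_scripts):
    """Return (header value, HTML) with the same nonce in the header and on every script tag."""
    header = f"script-src 'self' 'nonce-{nonce}'"
    tags = "\n".join(f'<script nonce="{nonce}">{code}</script>' for code in inline_scripts)
    return header, f"<html><body>\n{tags}\n</body></html>"

def scripts_missing_nonce(header, html):
    """Inline script tags whose nonce attribute is absent or differs from the header's nonce.
    These are exactly the ones the browser will refuse to execute."""
    match = re.search(r"'nonce-([A-Za-z0-9+/_=-]+)'", header)
    expected = match.group(1) if match else None
    missing = []
    for tag in re.findall(r"<script\b[^>]*>", html):
        if re.search(r"\bsrc=", tag):          # external scripts are matched by 'self' / host-sources
            continue
        attr = re.search(r'\bnonce="([^"]*)"', tag)
        if attr is None or attr.group(1) != expected:
            missing.append(tag)
    return missing

# Constructed inline scripts for the example, rendered once with a fresh nonce.
INLINE_SCRIPTS = ["console.log('hello');", "window.ready = true;"]
HEADER, HTML = render(make_nonce(), INLINE_SCRIPTS)
```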

Refused to load the font '<URL>' for a font in google maps

On configuring the content-security-policy of a site, I'm setting the font source in combination with styles like this
style-src 'self' 'unsafe-inline' fonts.googleapis.com;
font-src 'self' fonts.gstatic.com;
This works in Firefox for all cases. However, Chromium complains when google maps tries to fetch the roboto font:
Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' fonts.googleapis.com".
Refused to load the font 'https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fCRc4EsA.woff2' because it violates the following Content Security Policy directive: "font-src 'self' fonts.googleapis.com".
I've tried adding 'unsafe-inline' and data: as a scheme source, but neither seems to do the trick. I'm confused about why Chromium reports the font '<URL>'; it doesn't seem to be an accepted scheme source, and I don't get why it's being blocked.

Content Security Policy not working with SHA256

I'm creating a Content Security Policy on RedHat 6 Apache 2.2 for some html files with JavaScript links to Google. I have added the following code to the virtualhost of the site in the httpd.conf file.
Header always set Content-Security-Policy-Report-Only: "default-src 'self' https:; script-src 'self' https: https://www.google-analytics.com https://ajax.googleapis.com; style-src inline: 'self' https: 'sha256-j0bVhc2Wj58RJgvcJPevapx5zlVLw6ns6eYzK/hcA04=' https://www.google-analytics.com https://ajax.googleapis.com; font-src 'self'; img-src 'self' https: data: https://www.google-analytics.com; form-action 'self'; frame-ancestors 'none'; connect-src 'self' https: https://www.google-analytics.com; child-src 'self'"
I cannot get the policy to work unless I use 'unsafe-inline', which I would prefer not to. The latest Chrome browser in developer mode says to add a SHA256 hash, which I did (see below). Even though I added the recommended SHA256 hash, Chrome still asks me to add it?
Am I not handling the SHA256 hash correctly? Any help will be appreciated.
From the Chrome developer console:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src inline: 'self' https: 'sha256-j0bVhc2Wj58RJgvcJPevapx5zlVLw6ns6eYzK/hcA04=' https://www.google-analytics.com https://ajax.googleapis.com". Either the 'unsafe-inline' keyword, a hash ('sha256-j0bVhc2Wj58RJgvcJPevapx5zlVLw6ns6eYzK/hcA04='), or a nonce ('nonce-...') is required to enable inline execution.
EDIT: This is discussed in this bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=546106
Not totally following what the bug says but it seems the spec only allows sha256 hashes for script and style tags and not for inline scripts and styles. It appears you are going to have to add a 'unsafe-hashed-attributes' attribute to your policy to make it work.
However not totally clear if that is just to fix the script part or also styles, nor if it has been released. It definitely won't have made it to iOS devices that also use WebKit so, for now, I would just allow unsafe-inline for styles.
ORIGINAL ANSWER (written before the edit above, but left in place to avoid confusion, as comments were added below).
I see a few problems:
The error mentions the Content Security Policy but your example config is the Report Only header. I've seen issues when using both Content-Security-Policy and Content-Security-Policy-Report-Only. They should be independent but are not. It might be worth trying without one to see if that's the problem.
Your style source includes inline: which is not valid syntax AFAIK
You include the general https: directive and then also specific https sites (https://www.google-analytics.com https://ajax.googleapis.com)
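An added Python example (not code from the question or the answer) that computes a CSP hash-source the way browsers do, base64 of the SHA-256 over the exact element body, and models the element-versus-attribute rule the edit above refers to; the final CSP3 spec shipped that keyword under the name 'unsafe-hashes'. The style body and policy are constructed for the example.

```python
import base64
import hashlib

def csp_hash(content, algo="sha256"):
    """Hash-source for an inline element: base64 of the digest over the exact bytes
    between the tags, whitespace included. One changed byte gives a different value."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"

def inline_allowed(sources, kind, content):
    """Model of how a CSP2/CSP3 browser decides an inline style or script.
    kind is 'element' for <style>/<script> bodies, 'attribute' for style=/onclick=."""
    srcs = sources.split()
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_hash_or_nonce:
        return True                  # any hash or nonce present makes 'unsafe-inline' ignored
    if csp_hash(content) not in srcs:
        return False
    # hashes cover elements; attributes need 'unsafe-hashes' as well
    return kind == "element" or "'unsafe-hashes'" in srcs

# Constructed example: a <style> body and a style-src source list built from its hash.
STYLE_BODY = "body { margin: 0; }"
POLICY = f"'self' https: {csp_hash(STYLE_BODY)}"
```

Note that a Report-Only header, as in the question, only reports; nothing here or in the browser enforces until the same policy is sent as Content-Security-Policy.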