Currently, I have set the following CSP header in the HTML file of my webpage -
default-src 'none'; script-src 'strict-dynamic' 'nonce-RANDOM' 'unsafe-eval' 'unsafe-inline' ; object-src 'none'; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; img-src * data:; media-src 'self' https://maps.gstatic.com https://maps.googleapis.com https://maps.google.com https://*.s3.amazonaws.com data:; form-action *; frame-src 'self' https://feed.mikle.com; font-src 'self' https://fonts.gstatic.com data:; base-uri 'self'; connect-src *
There is a feature on our webpage that requires users to upload an XML file and another feature that requires JSON or a CSV file to work.
Is there a way to not restrict these files from being uploaded when the CSP is set? If so, how?
The issue was caused and fixed as follows -
The button that takes XML file as input in the HTML form has an inline event handler, which the CSP Policy was blocking, thereby blocking the upload. I moved this inline event handler to an external function and called the function. This fixed the issue and CSP is no longer blocking the function.
Related
I added CSP to my nuxt website. it worked until i added addMeta:true to the CSP object.
now I'm getting the error :
text error :
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'sha256-pbUsaX0N1YAAThWC12JxlsJzrk+Kb8u0nzG7RegV+Tw='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I have checked the CSP using : https://csp-evaluator.withgoogle.com/
it has no issue.
The output :
default-src 'self' *.tawk.to MYHOST;
img-src https: *.google-analytics.com *.w3.org MYHOST data:;
worker-src 'self' blob: MYHOST *.tawk.to;
style-src 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to *.jsdelivr.net;
script-src-elem 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.tawk.to *.googletagmanager.com;
font-src 'self' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to data:;
connect-src https: wss: MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri MYHOST;
script-src 'sha256-QmdMW6/6GRLx7y5TPpTuUM6roj/PoGrZMBytBPICuLo=' 'self'
any idea what causes this error? and do I need the meta tag or its not necessary?
It seems like you might have deployed multiple CSPs, one as a meta tag, possibly another as a response header. Adding another CSP can only make it stricter. You should check if there is a CSP in a response header and how it is configured.
If you proceed with your policy in meta, you should expand the error message to see the URLs in question. Some are likely the same domain, for which you should add 'self' to script-src.
Based on the current information, there is not much more advice that can be given.
I'm using google drive to upload my images. So my images' url in my website like that;
<img src="https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit" />
In my local it's working well but in my vps not working. I'm getting this error;
Refused to load the image 'https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit' because it violates the following Content Security Policy directive: "img-src 'self' data:".
I research it and try this code in dist/index.html
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';">
But still I'm getting same error event when I write that to head, I'm starting to get new error;
Refused to load the font 'data:application/x-font-woff2;charset=utf-8;base64,d09GMgABAAAAAAz0AAsAAAAAGOAAAAymAAEAAAAAA...' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'unsafe-eval'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback. Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly.
I try this in my backend;
app.use(function (req, res, next) {
res.setHeader(
'Content-Security-Policy-Report-Only', "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'"
);
next();
});
But still not working. What sould I do?
Edit:
I do that;
<meta http-equiv="Content-Security-Policy" content="default-src *;img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; font-src 'self' data:">
And my second error (Refused to load the font) solved bu still I'm getting same and main error.
In one of my projects the csp is defined as
var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
The issue is that my internal JS is not working. I have included knockout JS and I get an error there.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Uncaught EvalError: Unable to parse bindings.
Bindings value: if: sessionType() === ''
Message: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
Getting this error in this line
<script type="text/javascript">
var returnUrl = '#Model.ReturnUrl';
$(function () {
$(":input").inputmask();
});
</script>
The <script type="text/javascript">...</script> is an inline script therefore you have got error:
Refused to execute inline script because it violates the following
Content Security Policy directive: "default-src 'self'". Either the
'unsafe-inline' keyword, a hash
('sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='), or a nonce
('nonce-...') is required to enable inline execution
You have 3 opts to allow inline script:
to add 'insafe-inline' token into default-src directive (it's severely reduces CSP protection)
to add 'sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio=' token into default-src directive (although it better to add script-src 'self' 'sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='). Negative moment: you have to regenerate a 'hash-value' when you change the script's content.
to add 'nonce-value' into default-src or script-src. Nonce values should be generated fresh on each page loads, therefore it's better to use NWebsec Tag Helpers
The error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
means you have use eval(), new Function() or setTimeout()/setInterval() function calls.
In case of eval()/new Function() you have no choice other than add 'unsafe-eval' token into default-src (or script-src if you add it).
In case of setTimeout()/setInterval() - these counted as unsafe eval expressions only if get a function as string parameter. You can use anonymous (or named) function to avoid 'unsafe-eval' usage.
When scanning using OWASP ZAP, the report shows the following as medium risk:
Wildcard Directive
style-src unsafe-inline
script-src unsafe-inline
How can I fixed this issue on my server?
Have you looked at everything that ZAP is reporting? There should be a lot more information than this.
For the unsafe-inline findings you'll need to remove those elements from your CSP and move all of the inline styles and scripts into external files from the HTML. I'd focus on the inline scripts as they are more concerning.
For fixing Wildcard Directive issue in CSP header set all the headers required like this
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self'; frame-src 'none'; frame-ancestors 'none'; media-src 'none'; object-src 'none'; manifest-src 'none'; worker-src 'none'; prefetch-src 'none'; form-action 'none' " always;
When i try authenticate, the redirect URL for it has a response 400:
api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1
GET
https://api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx
400 () /oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1 Refused
to apply inline style because it violates the following Content
Security Policy directive: "style-src https://abs.twimg.com
https://abs-0.twimg.com". Either the 'unsafe-inline' keyword, a hash
('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce
('nonce-...') is required to enable inline execution.
In my page "connect twitter" has a meta CSP:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' http://* https://* 'unsafe-inline'; script-src 'self'
http://* 'unsafe-inline' 'unsafe-eval'; img-src * data:" />
Whats going wrong?
That's complaining about Twitter's CSP directive and not your own.
You can see their directive here, and it contains the following:
style-src https://abs.twimg.com https://abs-0.twimg.com
Which directly matches the error message.
Why Twitter are apparently blocking their own api call I don't know.
Btw on a separate note I think your syntax is wrong as don't think https://* is allowed, and it should be:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http: https: 'unsafe-inline'; script-src 'self' http: 'unsafe-inline' 'unsafe-eval'; img-src * data:" />