When scanning using OWASP ZAP, the report shows the following as medium risk:
Wildcard Directive
style-src unsafe-inline
script-src unsafe-inline
How can I fixed this issue on my server?
Have you looked at everything that ZAP is reporting? There should be a lot more information than this.
For the unsafe-inline findings you'll need to remove those elements from your CSP and move all of the inline styles and scripts into external files from the HTML. I'd focus on the inline scripts as they are more concerning.
For fixing Wildcard Directive issue in CSP header set all the headers required like this
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; img-src 'self'; frame-src 'none'; frame-ancestors 'none'; media-src 'none'; object-src 'none'; manifest-src 'none'; worker-src 'none'; prefetch-src 'none'; form-action 'none' " always;
Related
I added CSP to my nuxt website. it worked until i added addMeta:true to the CSP object.
now I'm getting the error :
text error :
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'sha256-pbUsaX0N1YAAThWC12JxlsJzrk+Kb8u0nzG7RegV+Tw='". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I have checked the CSP using : https://csp-evaluator.withgoogle.com/
it has no issue.
The output :
default-src 'self' *.tawk.to MYHOST;
img-src https: *.google-analytics.com *.w3.org MYHOST data:;
worker-src 'self' blob: MYHOST *.tawk.to;
style-src 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to *.jsdelivr.net;
script-src-elem 'self' 'unsafe-inline' MYHOST *.google-analytics.com *.tawk.to *.googletagmanager.com;
font-src 'self' MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to data:;
connect-src https: wss: MYHOST *.google-analytics.com *.googletagmanager.com *.tawk.to;
form-action 'self';
frame-ancestors 'none';
object-src 'none';
base-uri MYHOST;
script-src 'sha256-QmdMW6/6GRLx7y5TPpTuUM6roj/PoGrZMBytBPICuLo=' 'self'
any idea what causes this error? and do I need the meta tag or its not necessary?
It seems like you might have deployed multiple CSPs, one as a meta tag, possibly another as a response header. Adding another CSP can only make it stricter. You should check if there is a CSP in a response header and how it is configured.
If you proceed with your policy in meta, you should expand the error message to see the URLs in question. Some are likely the same domain, for which you should add 'self' to script-src.
Based on the current information, there is not much more advice that can be given.
Issue is related to NWebSec content security headers -
If I use more wildcard tags in my NWebSec CSP code then it's working but If I use exact URLs which I needed in my application then is giving an issue in my sign-in page "Post/ applicationurls.com/sigin-oidc" 502 Bad Gateway.
I think this issue is related to response header size in the asp.net core. I've tried a few codes to increase response header size in .net core but nothing helps.
Below is my working code with more wildcard tags - but I need to use some of the URLs exactly and need to add a few more.
internal static class NWebSecExtensions
{
internal static void AddNWebSecSecurity(this IApplicationBuilder app, IConfiguration config)
{
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseXfo(xfo => xfo.SameOrigin());
app.UseRedirectValidation(options =>
{
options.AllowSameHostRedirectsToHttps()
.AllowedDestinations("https://www.google.com/accounts/", config["NWebSec:TestCheckInstanceDomain"]);
}); //Register this earlier if there's middleware that might redirect.
app.UseCsp(options => options
.DefaultSources(s => s.Self())
.ScriptSources(s =>
{
s.Self().UnsafeEval().UnsafeInline()
.CustomSources("https://www.google-analytics.com", "https://www.googletagmanager.com",
"https://xyz.test.net", "https://*.testnetwork.net", "https://xyz.cdntestwork.net");
})
.StyleSources(s =>
{
s.Self().UnsafeInline()
.CustomSources("https://xyz.test.net", "https://*.testnetwork.net");
})
.ImageSources(s =>
{
s.Self().CustomSources("data:", "https:");
})
.ObjectSources(s => s.Self())
.ConnectSources(s =>
{
s.Self()
.CustomSources($"wss://{config["NWebSec:MyTestCAppServiceDomain"]}",
$"https://{config["NWebSec:TestWebStrMediaDomain"]}",
$"https://{config["NWebSec:TestStorageAccountDomain"]}",
"https://www.google-analytics.com", "https://web.mynetwork.com/",
"https://*.testnetwork.com", "https://*.dnstestcrt.net",
"https://*.testnetwork.net", "https://*.oceantest.net");
})
.MediaSources(s =>
{
s.Self()
.CustomSources(
$"https://{config["NWebSec:TestWebStrMediaDomain"]}",
"blob:", "https://*.testnetworkcdn.com", "https://*.dnstestcrt.net",
"https://*.testnetwork.com",
"https://*.elenewtd.net", "https://*.elenewtd.net", "https://*.oceanfms.net",
"https://*.oceantest.net");
})
.FrameSources(s => { s.Self().CustomSources("https://*.testnetwork.net/"); })
.ChildSources(s => { s.Self().CustomSources("blob:"); })
.FontSources(s => { s.Self().CustomSources("https://xyz.test.net", "data:"); }));
}
}
If I add below actually needed tags then it starts giving me 502 Bad Gateways Issue.
Content-security-policy:
default-src https://*.testsrcwo.net 'self';
script-src https://*.testsrcwo.net 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.googletagmanager.com
https://xyz.test.net https://swebce.zoom.us https://runers.testnetwork.net https://opr.krcdnt.net;
object-src https://*.testsrcwo.net 'self';
style-src https://*.testsrcwo.net 'self' 'unsafe-inline' https://xyz.test.net https://troep.trotr.us https://runers.testnetwork.net;
img-src https://*.testsrcwo.net 'self' data: https://dashboard.mynetwork.org https://www.google-analytics.com https://xyz.test.net
https://web.mynetwork.com https://starttrik.testnetwork.com https://cf-images.tre-tei-1.lean.dnsjunto.net https://runers.testnetwork.net https://*.dnsjunto.net https://plunt.ghandukans.com;
run-src https://*.testsrcwo.net 'self' https://lean-ghan-dukans-treehills-shabs-ams-proxy-func.testwebsites.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net blob: https://*.testnetworkcdn.com https://*.dnsjunto.net https://*.run.testnetwork.com https://*.elewend.net https://*.elewend.net https://*.treetop.net https://*.oceapto.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net;
frame-src https://*.testsrcwo.net 'self' https://runers.testnetwork.net;
font-src https://*.testsrcwo.net 'self' https://xyz.test.net data:;
connect-src https://*.testsrcwo.net 'self' wss://lean-ghan-dukans-testplt-vart-kaptry.testwebsites.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://leanghandukanstreehillseve.blob.roit.windows.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net https://www.google-analytics.com https://web.mynetwork.com https://edge.api.testnetwork.com https://manifest.lean.dnsjunto.net https://runers.testnetwork.net https://bcbolt446c5271-a.oceapto.net https://lean-ghan-dukans-treehills-shabs-tro-proxy-func.testmywebsites.net;
child-src https://*.testsrcwo.net 'self' blob:; report-uri /WebRreirutie.axd?cspReport=true;
Please find my startup class, program file, and web-config
Startup.cs
ConfigureService Method code -
Configure Method code -
Program.cs
WebConfig
I'm using google drive to upload my images. So my images' url in my website like that;
<img src="https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit" />
In my local it's working well but in my vps not working. I'm getting this error;
Refused to load the image 'https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit' because it violates the following Content Security Policy directive: "img-src 'self' data:".
I research it and try this code in dist/index.html
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';">
But still I'm getting same error event when I write that to head, I'm starting to get new error;
Refused to load the font 'data:application/x-font-woff2;charset=utf-8;base64,d09GMgABAAAAAAz0AAsAAAAAGOAAAAymAAEAAAAAA...' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'unsafe-eval'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback. Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme 'data:' must be added explicitly.
I try this in my backend;
app.use(function (req, res, next) {
res.setHeader(
'Content-Security-Policy-Report-Only', "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'"
);
next();
});
But still not working. What sould I do?
Edit:
I do that;
<meta http-equiv="Content-Security-Policy" content="default-src *;img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *; font-src 'self' data:">
And my second error (Refused to load the font) solved bu still I'm getting same and main error.
Currently, I have set the following CSP header in the HTML file of my webpage -
default-src 'none'; script-src 'strict-dynamic' 'nonce-RANDOM' 'unsafe-eval' 'unsafe-inline' ; object-src 'none'; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; img-src * data:; media-src 'self' https://maps.gstatic.com https://maps.googleapis.com https://maps.google.com https://*.s3.amazonaws.com data:; form-action *; frame-src 'self' https://feed.mikle.com; font-src 'self' https://fonts.gstatic.com data:; base-uri 'self'; connect-src *
There is a feature on our webpage that requires users to upload an XML file and another feature that requires JSON or a CSV file to work.
Is there a way to not restrict these files from being uploaded when the CSP is set? If so, how?
The issue was caused and fixed as follows -
The button that takes XML file as input in the HTML form has an inline event handler, which the CSP Policy was blocking, thereby blocking the upload. I moved this inline event handler to an external function and called the function. This fixed the issue and CSP is no longer blocking the function.
When i try authenticate, the redirect URL for it has a response 400:
api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1
GET
https://api.twitter.com/oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx
400 () /oauth2/token?oauth_token=xxxxxxxxxxxxxxxxxxxxxx:1 Refused
to apply inline style because it violates the following Content
Security Policy directive: "style-src https://abs.twimg.com
https://abs-0.twimg.com". Either the 'unsafe-inline' keyword, a hash
('sha256-4Su6mBWzEIFnH4pAGMOuaeBrstwJN4Z3pq/s1Kn4/KQ='), or a nonce
('nonce-...') is required to enable inline execution.
In my page "connect twitter" has a meta CSP:
<meta http-equiv="Content-Security-Policy" content="default-src *;
style-src 'self' http://* https://* 'unsafe-inline'; script-src 'self'
http://* 'unsafe-inline' 'unsafe-eval'; img-src * data:" />
Whats going wrong?
That's complaining about Twitter's CSP directive and not your own.
You can see their directive here, and it contains the following:
style-src https://abs.twimg.com https://abs-0.twimg.com
Which directly matches the error message.
Why Twitter are apparently blocking their own api call I don't know.
Btw on a separate note I think your syntax is wrong as don't think https://* is allowed, and it should be:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http: https: 'unsafe-inline'; script-src 'self' http: 'unsafe-inline' 'unsafe-eval'; img-src * data:" />