I just upgraded to Safari 11. I've been debugging my WebApp by opening the HTML file directly with Safari. After the upgrade it gets "SecurityError (DOM Exception 18) The operation is insecure" when the app accesses localStorage.
Here's my security policy tag:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' file:// *;
style-src * 'self' 'unsafe-inline' 'unsafe-eval';
script-src * 'self' 'unsafe-inline' 'unsafe-eval';"
>
This worked fine on previous versions of Safari and on Chrome, Firefox etc.
Any thoughts?
I found the answer! Set "Disable local file restrictions" in the Develop menu.
I have a wordpress website that runs on a LAMP system.
I tried to improve security (I'm far from being an expert!) and added a CSP header.
Header set Content-Security-Policy "default-src 'self'; font-src 'self' data: https://fonts.gstatic.com; frame-src https://www.google.com https://www.youtube.com; img-src 'self' https://secure.gravatar.com; script-src 'self' 'unsafe-inline' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; object-src 'none'"
What I don't understand: If I remove the unsafe-inline from the script-src my calendar widget does not load anymore on a windows browser (tested both firefox and chrome). But it works on a Linux browser (Firefox).
Is this a bug in apache2, in the Windows browsers or in the calendar WP plugin?
I'm confused. :-)
It doesn't look like an Apache bug, it just sends the CSP as a string without even understanding what's in it.
Of course you can use some User Agent conditions in the httpd.conf like:
SetEnvIfNoCase User-Agent "Linux x86_64" noCSP=1
and then publish the CSP relying on the noCSP flag to exclude the CSP header for some kinds of user agents.
But you can easily clarify that and ensure you have the same CSP header for the Windows/Linux browsers.
I think the WP calendar plugin uses some inline scripts which are blocked in the absence of 'unsafe-inline'. You can check the corresponding CSP errors in the browser console of the Windows browser.
Maybe you disabled CSP in your Linux Firefox browser (about:config page -> security.csp.enable -> false) or have some extensions which disable CSP.
So the different Windows/Linux behaviour comes from the Laboratory plugin that was running in my Linux Firefox.
I have to check with the plugin author why unsafe-inline is required.
I've tried searching the web, but had no luck. I've been using Chrome/Edge to work on my website and today I tried to open it in Firefox (93.0) and I noticed that none of my icons are loading. This error message appears in console:
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost/icons.svg (“default-src”).
This seems to indicate that the default-src was used as a fallback. I'm running an Apache server with this CSP:
Header set Content-Security-Policy "default-src 'none'; img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; connect-src 'self'"
The icon sprite is used like this:
<svg class="icon"><use href="icons.svg#settings"></use></svg>
This is only an issue in Firefox since Edge, Chrome and iOS Safari all work fine. Is there any way for me to fix this?
This is an old Firefox browser bug: the img-src directive does not cover sources in the <use xlink:href=> tag.
Firefox uses default-src to control the <use xlink:href=> tag, therefore to fix the issue make it default-src 'self' instead of default-src 'none'.
I have a web application that provides links to display PDFs.
The Content-Security-Policy is set in the apache configuration (httpd.conf)
My problem now is that MS Edge (Chromium based) is not opening/displaying the PDFs.
In Firefox on clicking the Link the new Tab is opened and the PDF gets loaded and displayed.
In MS Edge on clicking the Link the new Tab is opened but it is displaying an error:
example.domain.org is blocked
Requests to the server have been blocked by an extension.
Try disabling your extensions.
ERR_BLOCKED_BY_CLIENT
There is no extension installed, it is the same for incognito mode.
After testing the Content-Security-Policy it seems that the Chromium based browsers handle the CSP "sandbox" very differently from Firefox. Without the "sandbox" policy it works like in Firefox.
Header set Content-Security-Policy "base-uri 'self' example.domain.org.com; default-src 'self' example.domain.org.com; form-action 'self' example.domain.org.com; frame-src http://example.domain.org.com; font-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com/ https://fonts.googleapis.com/css data:; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; sandbox allow-forms allow-scripts allow-same-origin allow-popups;"
Is there a way to add the basic CSP sandbox (with specifiers like allow-forms allow-scripts allow-same-origin allow-popups) but still allow opening PDFs within the chromium based browsers?
Or to remove the CSP sandbox only for PDFs through some config in httpd.conf?
I am trying to load a base64 string into an img src. On my local environment this is working, but on the live environment I get this error:
I also tried putting this in my html header:
<meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">
I am really stuck on this issue because I cannot deploy to the live environment because of this. Help is much appreciated.
According to the error message you are missing "data:" for default-src in your initial CSP (remove the quotes). If you define img-src then "data:" should be added to it.
If you don't remove the header when adding the meta tag, all your content must pass both CSPs.
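The two answers above (the Firefox default-src fallback for the SVG sprite, and the data: image that must satisfy both a header and a meta CSP) both come down to how a browser resolves a CSP source list. The following Python model is an added example, not code from any of the posts or from any browser; it implements a simplified subset of CSP3 matching ('self', 'none', '*', scheme sources and host sources, with approximate port and path handling), parses the policies quoted in the questions, and checks a URL against one or several policies. The server header in the data: question is not shown on the page, so the one used here is constructed.

```python
"""Model how browsers resolve CSP source lists (added example, simplified CSP3)."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}

# Policies quoted from the questions above.
FIREFOX_QUESTION_CSP = ("default-src 'none'; img-src 'self'; object-src 'none'; "
                        "script-src 'self'; style-src 'self'; frame-ancestors 'none'; "
                        "base-uri 'self'; form-action 'self'; connect-src 'self'")
FIREFOX_FIXED_CSP = FIREFOX_QUESTION_CSP.replace("default-src 'none'", "default-src 'self'")
META_CSP = ("default-src *; img-src * 'self' data: https:; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
            "style-src 'self' 'unsafe-inline' *")
# The asker's server header is not shown; these two are constructed for the demo.
SERVER_CSP_CONSTRUCTED = "default-src 'self'; script-src 'self'"
SERVER_CSP_FIXED = "default-src 'self'; img-src 'self' data:; script-src 'self'"


def parse_csp(header):
    """Split a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None  # nothing applies: the load is unrestricted by this policy


def source_allows(expr, url, page_origin):
    """Does one source expression permit fetching `url` from a page at `page_origin`?"""
    e = expr.lower()
    u = urlsplit(url)
    if e == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if e.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes never match a fetched URL
    if e == "*":
        return u.scheme not in ("data", "blob", "filesystem")  # '*' excludes these schemes
    if e.endswith(":"):
        return u.scheme == e[:-1]  # scheme-source such as data: or https:
    if u.hostname is None:
        return False  # host-source cannot match a URL without a host (e.g. data:)
    if "://" in e:  # host-source: [scheme://]host[:port][/path]
        scheme, _, rest = e.partition("://")
        if u.scheme != scheme:
            return False
    else:
        rest = e
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if port and str(u.port) != port:
        return False
    if path and not u.path.startswith("/" + path):
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])  # *.example.com never matches example.com
    return u.hostname == host


def allowed_by_policy(policy, directive, url, page_origin):
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def allowed(headers, directive, url, page_origin):
    """A page carrying several policies (header plus <meta>) enforces every one of them."""
    return all(allowed_by_policy(parse_csp(h), directive, url, page_origin) for h in headers)


if __name__ == "__main__":
    icon, origin = "http://localhost/icons.svg", "http://localhost"
    print("sprite via img-src     :", allowed([FIREFOX_QUESTION_CSP], "img-src", icon, origin))
    print("sprite via default-src :", allowed([FIREFOX_QUESTION_CSP], "default-src", icon, origin))
    print("sprite after the fix   :", allowed([FIREFOX_FIXED_CSP], "default-src", icon, origin))
    data_img = "data:image/png;base64,iVBORw0KGgo="  # constructed sample
    print("data: img, meta only   :", allowed([META_CSP], "img-src", data_img, "https://example.invalid"))
    print("data: img, header+meta :", allowed([SERVER_CSP_CONSTRUCTED, META_CSP], "img-src", data_img, "https://example.invalid"))
    print("data: img, fixed header:", allowed([SERVER_CSP_FIXED, META_CSP], "img-src", data_img, "https://example.invalid"))
```

The model makes the two failure modes concrete: the same sprite URL passes img-src but is refused once a browser routes it through default-src 'none', and the data: image passes the meta policy alone yet fails as soon as a server header without data: in its img-src (or default-src) is enforced alongside it.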
Using Safari 11.0 I am receiving an error trying to load a CSS resource on a website I maintain. The page loads fine in Chrome and Firefox, and used to load fine in Safari, so I'm not sure how to resolve it. I'm guessing I need to modify the Content-Security-Policy header.
The specific error from the Safari console is Refused to load https://****.com/css/styles.css because it does not appear in the style-src directive of the Content Security Policy. As a result of this, the styles.css file isn't loading and the website is rendered incorrectly.
The security headers for the website (set via caddy) are:
Content-Security-Policy default-src 'self' https:; script-src 'self'; style-src 'self'; object-src 'none'
Content-Type text/html; charset=utf-8
Referrer-Policy strict-origin
Server Caddy
Strict-Transport-Security max-age=31536000; includeSubDomains; preload
Change the style-src part of the Content-Security-Policy header value so that it’s instead style-src 'self' https://****.com. That is, replace the ****.com in https://****.com with whatever the actual hostname is.