Questions tagged [content-security-policy]
25 questions

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *"
14 votes, 1 answer, 51k views
I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings.
However I can't seem to find what might be wrong if '' gets refused.
The literal ...

Client-side caching when using CSP with nonces in nginx - how do you use weak caching validators/etags?
5 votes, 0 answers, 1k views
I'm using nginx's expires directive; its etag directive as well as the Last-Modified header (if I understand correctly) are on by default.
In order to allow specific inline JavaScripts when using ...

How to create a CSP nonce and yet continue website caching?
4 votes, 1 answer, 3k views
I am not getting any response to any way I try to phrase this question, so I keep trying. I feel I've got to be missing something, but I've searched and searched. Why isn't it obvious? Why is it so ...

What is the solution to caching vs using a CSP nonce? I've been searching for a while, and haven't found it
3 votes, 1 answer, 410 views
I've never seen a good answer to this dilemma, and I've been searching high and low. It seems it is a choice between using a nonce and caching; you can't have both. Really bad choice!
We're told '...

How to configure Content-Security-Policy for Nginx and Drupal 8?
3 votes, 0 answers, 9k views
I have a Nginx server with Ubuntu 18.04 and a Drupal 8 site.
I have read in several articles that one should not use 'unsafe-eval' or 'unsafe-inline'.
I added headers for security but the pages of the site ...

How to inject random CSP nonce in APACHE?
2 votes, 3 answers, 6k views
I want to add the following CSP directive in APACHE because I want it to be applied on every page.
<IfModule mod_headers.c>
<FilesMatch "\.(htm|html|php)$">
Content-Security-...

How to determine CSP for Wordpress
2 votes, 2 answers, 6k views
I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header:
Header always ...

Google Cloud Services Content Security Policy Issues
2 votes, 1 answer, 2k views
I have a static web site hosted in a bucket that I serve up via the Google Platform.
This site has been running with no problems for about 6 months but over the last month I have had intermittent ...

Implementing Content-Security-Policy on Apache 2.2
2 votes, 0 answers, 3k views
On Apache 2.2 I'm about to set up Content-Security-Policy to allow browsers coming from one particular domain to load data into iframes from a certain virtual host.
$ httpd -S
VirtualHost ...

Images on WordPress aren't loading
2 votes, 0 answers, 323 views
I've recently installed a clean WordPress installation on my Ubuntu 18.04 LTS server using nginx. Now I'm running into an error: when I've uploaded my images, I can't see them on the page.
That's what ...

Can CSP reports be configured to exclude known blacklisted resources?
2 votes, 1 answer, 798 views
When I use a Content-Security-Policy knowing that it will (and should) block some elements, is there a way to get reports for all violations except these?
I get for example hits from a script that is ...

How do I allow fontawesome as a style-src in my Content-Security-Policy?
1 vote, 1 answer, 3k views
I'm trying to set my Content-Security-Policy header in .htaccess.
I've already tried a variation of the answer to this post but it doesn't work. All my fontawesome icons are broken.
Header always set ...

Editing Content Security Policy in IIS to allow a CDN script to be loaded
1 vote, 0 answers, 475 views
I am currently trying to load an external plugin into an application that is deployed on IIS.
I am getting this error:
Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon....

Nginx, webP, and a strict content security policy (CSP) on a LEMP Server
1 vote, 0 answers, 293 views
I am attempting to create a strong and secure content-security-policy in nginx, running a WordPress-based LEMP server. I believe I am using the ngx_pagespeed.so module, and have implemented FastCGI on ...

Possible to create policy limiting firewall rules in GCP?
1 vote, 1 answer, 249 views
Does anyone know if it's possible to create an organizational policy that would prevent the use of having a source set to 'any' for specific ports on firewall rules in GCP?
For example, I want to ...

Why doesn't nginx proxy_hide_headers directive work in this case?
1 vote, 0 answers, 3k views
I have an nginx server block like this, and I am trying to use the proxy_hide_header directive to hide the Content-Security-Policy response header from the proxied server because I am not running an ...

How do I remove an HTTP header in Apache, if a certain IP accesses it?
0 votes, 2 answers, 9k views
How can I unset single/multiple HTTP headers when my website is accessed by a particular IP address? Because my CSP config blocks some local pages from loading properly. For example, if I have ...

Content-Security-Policy for Exchange 2016
0 votes, 3 answers, 6k views
I would like to add Content-Security-Policy headers for Exchange 2016 for /owa and /ecp.
Being well aware that a "too restrictive" Content-Security-Policy header can break both /owa and /ecp, is ...

Seeking Guidance on Excluding Directory from General CSP
0 votes, 0 answers, 48 views
Good Day. I have been working on rebuilding a CSP for a client that has insisted on a particularly restrictive configuration. :data and unsafe-inline must be ruled out and my developer advises me that ...

Configuring content-security-policy for Apache virtual hosts
0 votes, 0 answers, 1k views
I have Apache 2.4 with these sites configured in the httpd-vhosts.conf file:
<VirtualHost *:80 *:8080 *:8084>
DocumentRoot "c:\apache_php\sites\public"
ServerName www.mydomain....

Cloudflare + Apache + CSP Headers: Old CSP headers are returned
0 votes, 1 answer, 316 views
We are using apache2 on our server, which is behind Cloudflare (free plan).
I am currently implementing Google's reCAPTCHA, which requires me to make changes to our CSP headers.
What I did:
Change CSP ...

Content-Security-Policy issues
0 votes, 0 answers, 479 views
I'm running NGINX as a reverse proxy and I've set the Content-Security-Policy header, and I'm running into problems with some directives.
I get the following errors in the console:
Unrecognized Content-...

Setting SELinux labels for a Magento site on CentOS 7
0 votes, 2 answers, 262 views
I was hoping someone could kindly help me. I have a Magento site running on a CentOS 7.6 server.
Now, the site is not correctly loading and looking in the messages.log I see numerous entries ...

Prevent computers not joined to the domain from connecting to my network
0 votes, 2 answers, 2k views
How to prevent any computer that is not joined to the domain from requesting any service from my network? Considering that the computer is on another network.

CSP response header causes Firefox to abort loading of website
0 votes, 1 answer, 411 views
Only in Firefox (recent and legacy) is a website of mine answered with a status code 200 but Firefox simply aborts without any error message. The server logs also show no issue. By going through the ...