
Questions tagged [content-security-policy]

The tag has no usage guidance.

14 votes
1 answer
51k views

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *"

I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings. However I can't seem to find what might be wrong if '' gets refused. The literal ...
Asked by Worp, reputation 327
5 votes
0 answers
1k views

Client-side caching when using CSP with nonces in nginx - how do you use weak caching validators/etags?

I'm using nginx's expires directive; its etag directive as well as the Last-Modified header (if I understand correctly) are on by default. In order to allow specific inline JavaScripts when using ...
Asked by Christian, reputation 151
4 votes
1 answer
3k views

How to create a CSP nonce and yet continue website caching?

I am not getting any response to any way I try to phrase this question, so I keep trying. I feel I've got to be missing something, but I've searched and searched. Why isn't it obvious? Why is it so ...
Asked by jamminjames
3 votes
1 answer
410 views

What is the solution to caching vs using a CSP nonce? I've been searching for a while, and haven't found it

I've never seen a good answer to this dilemma, and I've been searching high and low. It seems it is a choice between using a nonce and caching, you can't have both. Really bad choice! We're told '...
Asked by jamminjames
3 votes
0 answers
9k views

How to configure Content-Security-Policy for Nginx and Drupal 8?

I have an Nginx server with Ubuntu 18.04 and a Drupal 8 site. I have read in several articles that I should not use 'unsafe-eval', 'unsafe-inline'. I added headers for security but the pages of the site ...
Asked by Mathieu, reputation 31
2 votes
3 answers
6k views

How to inject random CSP nonce in APACHE?

I want to add the following CSP directive in APACHE because I want it to be applied on every page. <IfModule mod_headers.c> <FilesMatch "\.(htm|html|php)$"> Content-Security-...
Asked by user3526609
2 votes
2 answers
6k views

How to determine CSP for WordPress

I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header: Header always ...
Asked by srkiNZ84, reputation 581
2 votes
1 answer
2k views

Google Cloud Services Content Security Policy Issues

I have a static web site hosted in a bucket that I serve up via the Google Platform. This site has been running with no problems for about 6 months but over the last month I have had intermittent ...
Asked by evoelise
2 votes
0 answers
3k views

Implementing Content-Security-Policy on Apache 2.2

On Apache 2.2 I'm about to set up Content-Security-Policy to allow browsers coming from one particular domain to load data into iframes from a certain virtual host. $ httpd -S VirtualHost ...
Asked by Rolf, reputation 21
2 votes
0 answers
323 views

Images on WordPress aren't loading

I've recently installed a clean WordPress installation on my Ubuntu 18.04 LTS server using nginx. Now I'm running into an error: when I've uploaded my images, I can't see them on the page. That's what ...
Asked by Yeriwen, reputation 21
2 votes
1 answer
798 views

Can CSP reports be configured to exclude known blacklisted resources?

When I use a Content-Security-Policy knowing that it will (and should) block some elements, is there a way to get reports for all violations except these? I get, for example, hits from a script that is ...
Asked by allo, reputation 1,733
1 vote
1 answer
3k views

How do I allow fontawesome as a style-src in my Content-Security-Policy?

I'm trying to set my Content-Security-Policy header in .htaccess. I've already tried a variation of the answer to this post but it doesn't work. All my fontawesome icons are broken. Header always set ...
Asked by jarrodwhitley
1 vote
0 answers
475 views

Editing Content Security Policy in IIS to allow a CDN script to be loaded

I am currently trying to load an external plugin into an application that is deployed on IIS. I am getting this error: Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon....
Asked by Samir Kassem
1 vote
0 answers
293 views

Nginx, webP, and a strict content security policy (SCP) on a LEMP Server

I am attempting to create a strong and secure content-security-policy in nginx, running a WordPress-based LEMP server. I believe I am using the ngx_pagespeed.so module, and have implemented FastCGI on ...
Asked by DanRan, reputation 93
1 vote
1 answer
249 views

Possible to create policy limiting firewall rules in GCP?

Does anyone know if it's possible to create an organizational policy that would prevent the use of having a source set to 'any' for specific ports on firewall rules in GCP? For example, I want to ...
Asked by user3723206
1 vote
0 answers
3k views

Why doesn't nginx proxy_hide_headers directive work in this case?

I have an nginx server block like this, and I am trying to use the proxy_hide_header directive to hide the Content-Security-Policy response header from the proxied server because I am not running an ...
Asked by jonseymour
0 votes
2 answers
9k views

How do I remove an HTTP header in Apache if a certain IP accesses it?

How can I unset single/multiple HTTP headers when my website is accessed by a particular IP address? Because my CSP config blocks some local pages from loading properly. For example, if I have ...
0 votes
3 answers
6k views

Content-Security-Policy for Exchange 2016

I would like to add Content-Security-Policy headers for Exchange 2016 for /owa and /ecp. Being well aware that a "too restrictive" Content-Security-Policy header can break both /owa and /ecp, is ...
Asked by shouldbeq931
0 votes
0 answers
48 views

Seeking Guidance on Excluding Directory from General CSP

Good day. I have been working on rebuilding a CSP for a client that has insisted on a particularly restrictive configuration. data: and unsafe-inline must be ruled out, and my developer advises me that ...
Asked by Anne Tuff
0 votes
0 answers
1k views

Configuring Content-Security-Policy for Apache virtual hosts

I have Apache 2.4 with these sites configured in the httpd-vhosts.conf file: <VirtualHost *:80 *:8080 *:8084> DocumentRoot "c:\apache_php\sites\public" ServerName www.mydomain....
Asked by raphael75, reputation 135
0 votes
1 answer
316 views

Cloudflare + Apache + CSP Headers: Old CSP headers are returned

We are using apache2 on our server, which is behind Cloudflare (free plan). I am currently implementing Google's reCAPTCHA, which requires me to make changes to our CSP headers. What I did: Change CSP ...
Asked by Felix Hagspiel
0 votes
0 answers
479 views

Content-Security-Policy issues

I'm running NGINX as a reverse proxy and I've set the Content-Security-Policy header, and I'm running into problems with some directives. I get the following errors in the console: Unrecognized Content-...
Asked by Sven Cazier
0 votes
2 answers
262 views

Setting SELinux labels for a Magento site on CentOS 7

I was hoping someone could kindly help me. I have a Magento site running on a CentOS 7.6 server. Now, the site is not loading correctly, and looking in messages.log I see numerous entries ...
Asked by Vaishal Patel
0 votes
2 answers
2k views

Prevent computers not joined to the domain from connecting to my network

How to prevent any computer that is not joined to the domain from requesting any service from my network? Considering that the computer is on another network.
Asked by Alaa AlHafez
0 votes
1 answer
411 views

CSP response header causes Firefox to abort loading of website

Only in Firefox (recent and legacy), a website of mine is answered with a status code 200 but Firefox simply aborts without any error message. The server logs also show no issue. By going through the ...
Asked by mikeg, reputation 1