
Only in Firefox (recent and legacy), a website of mine is answered with a status code 200, but Firefox simply aborts without any error message. The server logs also show no issue. By going through the settings, I pinned it down to the CSP header.

Does someone see what I am missing?

```nginx
add_header Content-Security-Policy "default-src 'self';
        script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com *.googletagmanager.com *.google.com *.googleapis.com *.videopress.com;
        style-src 'self' 'unsafe-inline' *.$server_name *.googleapis.com *.google.com *.bootstrapcdn.com *.jquery.com;
        img-src 'self' data: *.$server_name *.google.com *.google-analytics.com *.gstatic.com *.googleapis.com *.initiative-s.de *.gravatar.com *.w.org *.creativecommons.org *.jquery.com;
        font-src 'self' data: *.$server_name *.gstatic.com *.bootstrapcdn.com;
        connect-src 'self' *.$server_name *.googletagmanager.com;
        media-src 'self' *.$server_name *.w.org *.videopress.com;
        object-src 'none';
        child-src 'self' *.googletagmanager.com maps.google.com pastebin.com *.videopress.com;
        form-action 'self';
        upgrade-insecure-requests;
        reflected-xss block;
        referrer no-referrer";
```

By the way, if you wonder what *.$server_name is for: it's the nginx variable which allows me to whitelist all sub-domains.

Thanks a lot Mike

mikeg

1 Answer


There are 2 ways for you to understand what directive is blocking what URL:

  1. Check your Firefox console log when you visit your site. Any CSP violation will be listed there.
  2. Add a report-uri directive so that the browser can send CSP reports somewhere. I recommend the free service https://report-uri.io/
Julien
  • Could solve the issue. Line breaks in Firefox are no longer allowed in HTTP/2 [fxsitecompat.com](https://www.fxsitecompat.com/en-CA/docs/2015/line-breaks-in-http2-headers-are-no-longer-allowed/). – mikeg Aug 14 '17 at 06:18
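The two checks above are manual; the following script, added here as an example and not part of the question, the answer, or nginx, automates the header-side part. It lints a CSP header value the way Firefox's console would complain about it (the CR/LF folding the comment identifies, which HTTP/2 forbids and HTTP/1.1 treats as obsolete, plus directives such as `reflected-xss` and `referrer` that browsers no longer honour, and `'unsafe-inline'`/`'unsafe-eval'` in script directives), rewrites a folded value onto one line with a `report-uri` appended, and extracts the two fields worth triaging from a violation report. The shortened copy of the question's policy, the `csp.example.invalid` reporting endpoint, and the sample report are all constructed for the example; `$server_name` is kept as literal text because nginx, not this script, expands it.

```python
import json

# Constructed, shortened copy of the folded header value from the question.
# "$server_name" is left as literal text; in nginx it is a variable.
QUESTION_CSP = (
    "default-src 'self';\n"
    "        script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.$server_name *.google-analytics.com;\n"
    "        object-src 'none';\n"
    "        upgrade-insecure-requests;\n"
    "        reflected-xss block;\n"
    "        referrer no-referrer"
)

# Directive names from CSP Level 2/3; anything else is reported as unknown.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src", "frame-src", "worker-src",
    "manifest-src", "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}
# Directives browsers dropped or never shipped: they are ignored, so they
# give no protection and only produce console noise.
OBSOLETE_DIRECTIVES = {"reflected-xss", "referrer", "plugin-types"}


def lint_csp(value):
    """Return a list of (severity, message) findings for one CSP header value."""
    findings = []
    if "\r" in value or "\n" in value:
        findings.append(("error", "header value contains CR/LF: line folding is forbidden "
                                  "in HTTP/2 (RFC 7540) and obsolete in HTTP/1.1 (RFC 7230); "
                                  "Firefox drops such responses"))
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, *sources = token.split()
        name = name.lower()
        if name in seen:  # the CSP spec keeps the first occurrence and ignores the rest
            findings.append(("warning", f"duplicate directive {name!r}; only the first is used"))
        seen.add(name)
        if name in OBSOLETE_DIRECTIVES:
            findings.append(("warning", f"{name!r} is not honoured by current browsers"))
        elif name not in KNOWN_DIRECTIVES:
            findings.append(("warning", f"unknown directive {name!r}"))
        if name in ("default-src", "script-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in sources:
                    findings.append(("info", f"{name} allows {weak}, which gives up most of the XSS protection"))
    return findings


def flatten_csp(value):
    """Parse a (possibly folded) header value into {directive: [sources]}, first occurrence wins."""
    directives = {}
    for raw in value.split(";"):
        token = " ".join(raw.split())  # collapses newlines and indentation into single spaces
        if token:
            name, *sources = token.split(" ")
            directives.setdefault(name.lower(), sources)
    return directives


def build_csp(directives, report_uri=None):
    """Serialise {directive: [sources]} as one single-line header value, optionally
    appending report-uri so the browser reports violations (second suggestion in the answer)."""
    parts = [name + (" " + " ".join(sources) if sources else "") for name, sources in directives.items()]
    if report_uri:
        parts.append("report-uri " + report_uri)
    return "; ".join(parts)


# Constructed example of the legacy "csp-report" JSON a browser POSTs to the report-uri endpoint.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.invalid/",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.invalid/widget.js",
    "original-policy": "default-src 'self'; script-src 'self'",
}})


def summarize_report(body):
    """Return (directive, blocked URI) from a CSP violation report: the pair that
    tells you which directive to extend or which resource to drop."""
    report = json.loads(body)["csp-report"]
    directive = report.get("effective-directive") or report.get("violated-directive")
    return directive, report.get("blocked-uri")


if __name__ == "__main__":
    for severity, message in lint_csp(QUESTION_CSP):
        print(f"{severity:8} {message}")
    # Placeholder endpoint; a real deployment would use its own report collector URL.
    print(build_csp(flatten_csp(QUESTION_CSP), report_uri="https://csp.example.invalid/report"))
    print(summarize_report(SAMPLE_REPORT))
```

Running it against the question's policy reports the CR/LF error first, which matches the cause mikeg found; the flattened value passes the same check with the directives unchanged, so the fix is a one-line `add_header` rather than a policy change.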