Questions tagged [content-security-policy]

25 questions
14 votes · 1 answer

Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *"

I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings. However I can't seem to find what might be wrong if '' gets refused. The literal error message in the browser is Refused to frame ''…
Worp
  • 327
  • 1
  • 4
  • 15
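For readers debugging "Refused to frame …" messages, an added example (not code from the post above, and not an answer to its specific '' case): a subset of the CSP3 "does url match source expression" algorithm, written in JavaScript so it can be run in Node against the same URLs the browser sees. It covers the bare `*`, scheme-sources such as `https:` and `data:`, host-sources with wildcard hosts, ports and paths, and the `'self'` / `'none'` keywords; nonces, hashes and `'unsafe-*'` keywords never match a URL. The origin `https://site.example` and the hosts used in the checks are constructed. The point it makes is that `frame-src *` only covers network schemes, so a frame at a `data:`, `blob:`, `about:` or `javascript:` URL is still refused until that scheme is listed explicitly.

```javascript
// Added example: a subset of the CSP3 source-expression matching rules.
const NETWORK_SCHEMES = new Set(["http:", "https:"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// CSP3 scheme-part matching: http: also covers https:, ws: covers wss:/http:/https:, wss: covers https:.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:" && urlScheme === "https:") return true;
  if (exprScheme === "ws:" && ["wss:", "http:", "https:"].includes(urlScheme)) return true;
  if (exprScheme === "wss:" && urlScheme === "https:") return true;
  return false;
}

// The WHATWG URL parser drops default ports, so put them back for comparisons.
function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// Split a host-source such as "https://*.example.com:8443/api/" into its parts.
// Returns null for anything that is not a host-source.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || null };
}

// Does one source expression allow `urlString` for a document served from `origin`?
function sourceMatches(expr, urlString, origin) {
  const url = new URL(urlString);
  const page = new URL(origin);
  const e = expr.toLowerCase();

  if (e === "'none'") return false;
  if (e === "*") {
    // The bare wildcard only covers network schemes (and the page's own scheme), so
    // "frame-src *" still refuses data:, blob:, about:, javascript: and filesystem: frames.
    return NETWORK_SCHEMES.has(url.protocol) || url.protocol === page.protocol;
  }
  if (e === "'self'") {
    if (url.hostname !== page.hostname) return false;
    if (url.protocol === page.protocol && effectivePort(url) === effectivePort(page)) return true;
    // 'self' also covers the secure upgrade of an http: page on default ports.
    return page.protocol === "http:" && (url.protocol === "https:" || url.protocol === "wss:") && !url.port && !page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, url.protocol); // scheme-source such as "https:" or "data:"

  const hs = parseHostSource(e);
  if (!hs) return false; // 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
  const scheme = hs.scheme || page.protocol; // without a scheme-part the page's scheme applies
  if (!schemeMatches(scheme, url.protocol)) return false;
  if (hs.host.startsWith("*.")) {
    const suffix = hs.host.slice(1); // ".example.com": at least one label must precede it
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (hs.host !== "*" && hs.host !== url.hostname) return false;
  if (hs.port === null) { if (url.port !== "") return false; } // no port-part: only the default port matches
  else if (hs.port !== "*" && hs.port !== effectivePort(url)) return false;
  if (hs.path !== null) {
    if (hs.path.endsWith("/")) { if (!url.pathname.startsWith(hs.path)) return false; }
    else if (url.pathname !== hs.path) return false;
  }
  return true;
}

// Does a full directive value ("frame-src 'self' https://*.example.com") allow urlString?
function directiveAllows(directiveValue, urlString, origin) {
  const sources = directiveValue.trim().split(/\s+/).slice(1); // drop the directive name
  return sources.some((s) => sourceMatches(s, urlString, origin));
}
```

When a browser refuses a frame under a policy that looks permissive, feed the exact blocked URL and the directive value into `directiveAllows` first; most surprises come from the scheme (the wildcard rule) or from an explicit port missing from the host-source.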
5 votes · 0 answers

Client-side caching when using CSP with nonces in nginx - how do you use weak caching validators/etags?

I'm using nginx's expires directive; its etag directive as well as the Last-Modified header (if I understand correctly) are on by default. In order to allow specific inline JavaScripts when using restrictive Content Security Policy (CSP) headers…
3 votes · 0 answers

How to configure Content-Security-Policy for Nginx and Drupal 8?

I have a Nginx server with Ubuntu 18.04 and a Drupal 8 site. I have read in several articles that one should not use 'unsafe-eval' or 'unsafe-inline'. I added headers for security, but the pages of the site are no longer loaded correctly. Here is my Nginx…
3 votes · 1 answer

How to create a CSP nonce and yet continue website caching?

I am not getting any response to any way I try to phrase this question, so I keep trying. I feel I've got to be missing something, but I've searched and searched. Why isn't it obvious? Why is it so hard to get an answer? We are told we should use a…
3 votes · 0 answers

What is the solution to caching vs using a CSP nonce? I've been searching for a while, and haven't found it

I've never seen a good answer to this dilemma, and I've been searching high and low. It seems it is a choice between using a nonce and caching, you can't have both. Really bad choice! We're told 'unsafe-inline' is a really bad choice in CSP, and yet…
2 votes · 0 answers

Images on WordPress aren't loading

I've recently installed a clean WordPress installation on my Ubuntu 18.04 LTS server using nginx. Now I'm running into an error: when I've uploaded my images, I can't see them on the page. That's what the network console is giving me in my…
Yeriwen
  • 21
  • 3
2 votes · 2 answers

How to determine CSP for WordPress

I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header: Header always set Content-Security-Policy "default-src 'self'…
srkiNZ84
  • 571
  • 1
  • 6
  • 10
2 votes · 0 answers

Implementing Content-Security-Policy on Apache 2.2

On Apache 2.2 I'm about to set up Content-Security-Policy to allow browsers coming from one particular domain to load data into iframes from a certain virtual host. $ httpd -S VirtualHost configuration: Syntax OK $ httpd -S -v Server version:…
Rolf
  • 21
  • 4
2 votes · 1 answer

Google Cloud Services Content Security Policy Issues

I have a static web site hosted in a bucket that I serve up via the Google Platform. This site has been running with no problems for about 6 months but over the last month I have had intermittent problems with it not loading style sheets and scripts…
1 vote · 1 answer

How do I allow Font Awesome as a style-src in my Content-Security-Policy?

I'm trying to set my Content-Security-Policy header in .htaccess. I've already tried a variation of the answer to this post but it doesn't work. All my Font Awesome icons are broken. Header always set Content-Security-Policy: "default-src 'self';…
1 vote · 3 answers

How to inject a random CSP nonce in Apache?

I want to add the following CSP directive in Apache because I want it to be applied on every page. Content-Security-Policy: script-src 'strict-dynamic' 'nonce-{random}'…
user3526609
  • 111
  • 1
  • 4
1 vote · 1 answer

Can CSP reports be configured to exclude known blacklisted resources?

When I use a Content-Security-Policy knowing that it will (and should) block some elements, is there a way to get reports for all violations except these? I get for example hits from a script that is inserted from some Kaspersky product. It's great…
allo
  • 1,620
  • 2
  • 22
  • 39
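CSP itself has no directive for excluding particular blocked URIs from reporting: `report-uri` and `report-to` deliver every violation, so the filtering has to happen at the collecting endpoint. As an added example (not code from the post above, and not from any particular report collector), the following JavaScript normalizes both report formats a collector receives, the legacy `report-uri` JSON object and the Reporting API batch, and drops the two classes of noise the question describes: scripts injected by browser extensions, and blocked resources on an operator-maintained suppression list. The sample reports and the host `av-vendor.example`, standing in for a locally injected antivirus script, are constructed.

```javascript
// Added example: a CSP report collector that suppresses known noise server-side.

// Constructed legacy report (Content-Type: application/csp-report).
const SAMPLE_LEGACY = JSON.stringify({
  "csp-report": {
    "document-uri": "https://site.example/account",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    "blocked-uri": "https://av-vendor.example/inject.js", // constructed stand-in for an injected AV script
    "status-code": 200,
  },
});

// Constructed Reporting API batch (Content-Type: application/reports+json).
const SAMPLE_REPORT_TO = JSON.stringify([
  { type: "csp-violation", age: 5, url: "https://site.example/account",
    body: { documentURL: "https://site.example/account", effectiveDirective: "script-src",
            blockedURL: "chrome-extension://abcdefghijklmnop/content.js", disposition: "enforce", statusCode: 200 } },
  { type: "csp-violation", age: 9, url: "https://site.example/checkout",
    body: { documentURL: "https://site.example/checkout", effectiveDirective: "img-src",
            blockedURL: "https://tracker.example/pixel.gif", disposition: "enforce", statusCode: 200 } },
]);

const EXTENSION_SCHEMES = ["chrome-extension", "moz-extension", "safari-extension", "safari-web-extension", "ms-browser-extension"];

// Turn either wire format into a flat list of {documentUri, directive, blockedUri, sourceFile, disposition}.
function normalize(payloadText) {
  const data = JSON.parse(payloadText);
  if (Array.isArray(data)) {
    return data.filter((r) => r.type === "csp-violation").map((r) => ({
      documentUri: r.url,
      directive: r.body.effectiveDirective,
      blockedUri: r.body.blockedURL || "",
      sourceFile: r.body.sourceFile || "",
      disposition: r.body.disposition || "enforce",
    }));
  }
  const c = data["csp-report"];
  if (!c) throw new Error("not a CSP report");
  return [{
    documentUri: c["document-uri"],
    directive: c["effective-directive"] || c["violated-directive"],
    blockedUri: c["blocked-uri"] || "", // may be a URL or a keyword such as "inline", "eval", "data"
    sourceFile: c["source-file"] || "",
    disposition: c.disposition || "enforce",
  }];
}

function hostOf(u) {
  try { return new URL(u).hostname; } catch { return ""; }
}

// Browsers report only the scheme for some extension URLs, so compare schemes, not full URLs.
function isKnownNoise(report, suppressHosts) {
  const blockedScheme = report.blockedUri.split(":")[0].toLowerCase();
  if (EXTENSION_SCHEMES.includes(blockedScheme)) return true;
  const sourceScheme = report.sourceFile.split(":")[0].toLowerCase();
  if (EXTENSION_SCHEMES.includes(sourceScheme)) return true; // inline code injected by an extension
  return suppressHosts.has(hostOf(report.blockedUri));
}

// Entry point for the endpoint: returns the reports worth alerting on and a count of the rest.
function triage(payloadText, suppressHosts) {
  const reports = normalize(payloadText);
  const kept = reports.filter((r) => !isKnownNoise(r, suppressHosts));
  return { kept, dropped: reports.length - kept.length };
}
```

Keep the dropped count in metrics rather than discarding it silently: a sudden rise in suppressed reports from one host is itself worth a look, and the suppression list should match on the blocked host only, never on the document URI, so a real injection on the same page is still reported.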
1 vote · 0 answers

Editing Content Security Policy in IIS to allow a CDN script to be loaded

I am currently trying to load an external plugin into an application that is deployed on IIS. I am getting this error: Refused to load the script 'https://cdn.babylonjs.com/loaders/babylon.glTFFileLoader.js' because it violates the following Content…
1 vote · 0 answers

Nginx, webP, and a strict content security policy (CSP) on a LEMP server

I am attempting to create a strong and secure content-security-policy in nginx, running a WordPress-based LEMP server. I believe I am using the ngx_pagespeed.so module, and have implemented FastCGI on my server. I believe one of these features…
DanRan
  • 73
  • 1
  • 3
  • 22
1 vote · 1 answer

Possible to create policy limiting firewall rules in GCP?

Does anyone know if it's possible to create an organizational policy that would prevent the use of having a source set to 'any' for specific ports on firewall rules in GCP? For example, I want to prevent users from creating firewall rules that use…