12

I have a Java-based web application running on Tomcat 6. My application is running on localhost and port 9001.

To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from the same domain.

For other resources it continues to load in the same fashion as it was without this header.

But I am getting the error below.

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").
Peter Mortensen
emilly
  • I'm not sure if this is causing the error you're seeing, but your `default-src` looks overly full: "Multiple source list values can be space separated _with the exception of `*` and `none` which should be the only value_." (emphasis mine) http://content-security-policy.com/#source_list – kuporific Oct 31 '15 at 16:17
  • @kuporific sorry I did not get this. What should be the value in my case then? – emilly Oct 31 '15 at 16:19
  • I had this problem when working with helmet library in nodejs, take a look at my answer in another post: https://stackoverflow.com/a/70054564/11704057 – M22 Nov 21 '21 at 12:36

2 Answers

5

The Content Security Policy header is a white list of trusted sources.

The default-src list is the list used by all other *-src lists. If it is not present, the default is default-src: * which means "all content is allowed from anywhere", which does not provide any protection against XSS.

Therefore, you should start with

  • default-src none, so that all content is disallowed, or
  • default-src 'self', so that only content from your domain is allowed.

After that, other *-src can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):

default-src 'self'; img-src example.com;

In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval'; which might be causing the issue since * already implies 'unsafe-inline' and 'unsafe-eval'. It's like saying "allow everything and allow inline and allow eval".

Also note that CSP is supported via the X-Content-Security-Header in IE >= 8.

Sources:

kuporific
  • I tried just script-src 'self' but it did not make any difference as I still get the same error – emilly Oct 31 '15 at 17:48
  • Is there a way I can allow loading a resource irrespective of protocol? I mean I want to load a JavaScript resource from both `https://www.google-analytics.com http://www.google-analytics.com`. How can I do that? – emilly Nov 01 '15 at 07:45
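The default-src fallback described in this answer, and the protocol question in the comment above, worked through as an added example that is not part of the original answers or of any browser's code: a small Python evaluator, constructed here, that parses a policy, picks the source list governing a directive (falling back to default-src as the answer explains) and checks a URL against a subset of the CSP source-expression rules ('self', 'none', *, host expressions with optional scheme, port and *.host wildcard). The page origin http://localhost:9001 and both policies are taken from this page; nonces, hashes and other CSP 2/3 rules are left out. It shows that script-src 'self' admits external script files from the page's own origin but not inline script blocks (only 'unsafe-inline' does that), and that a scheme-less host source such as www.google-analytics.com matches both http and https URLs when the page itself is served over http.

```python
"""Minimal CSP source-list evaluator (illustrative, not a browser implementation).

Implements the default-src fallback and a subset of CSP source-expression
matching: 'self', 'none', '*', host expressions with optional scheme, port and
*.host wildcard, plus the 'unsafe-inline' keyword for inline code.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not listed.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed inputs: the page origin and the two policies discussed on this page.
PAGE_ORIGIN = "http://localhost:9001"
QUESTION_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'"
ANSWER_POLICY = "default-src 'self'; img-src example.com;"


def parse_policy(header):
    """Turn 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}; a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list governing `directive`: its own list, else default-src, else allow-all."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]


def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def _parse_host_source(source):
    """Split 'https://cdn.example.com:8443/path' into ('https', 'cdn.example.com', 8443)."""
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme, host.lower(), (int(port) if port else None)


def _source_matches(source, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(page_origin)
    if source.startswith("'"):
        return False  # 'unsafe-inline', 'unsafe-eval' and similar keywords never match a URL
    if source == "*":
        return True
    u_scheme, u_host, u_port = _origin(url)
    p_scheme = _origin(page_origin)[0]
    s_scheme, s_host, s_port = _parse_host_source(source)
    if s_scheme is not None:
        if u_scheme != s_scheme:
            return False
    elif u_scheme != p_scheme and not (p_scheme == "http" and u_scheme == "https"):
        return False  # scheme-less source inherits the page's scheme; http pages may upgrade to https
    if s_host.startswith("*."):
        if not u_host.endswith(s_host[1:]):
            return False
    elif u_host != s_host:
        return False
    if s_port is not None:
        return u_port == s_port
    return u_port == DEFAULT_PORTS.get(u_scheme)  # no port listed: URL must use its scheme's default


def allows_url(header, directive, url, page_origin=PAGE_ORIGIN):
    """True if the policy lets `directive` load `url` (for example an external script file)."""
    sources = effective_sources(parse_policy(header), directive)
    return any(_source_matches(s, url, page_origin) for s in sources)


def allows_inline(header, directive):
    """True only if the governing source list contains 'unsafe-inline'."""
    return "'unsafe-inline'" in effective_sources(parse_policy(header), directive)


if __name__ == "__main__":
    print(allows_url(QUESTION_POLICY, "script-src", "http://localhost:9001/js/app.js"))  # True
    print(allows_inline(QUESTION_POLICY, "script-src"))                                 # False
    print(allows_inline(QUESTION_POLICY, "style-src"))                                  # True
    print(allows_url(ANSWER_POLICY, "img-src", "http://localhost:9001/a.png"))         # False
```

With the question's policy, an external script from http://localhost:9001 is allowed while an inline script block is not, because script-src overrides default-src and does not carry 'unsafe-inline'; the defensive fix is to move inline code into files served from 'self' rather than to add 'unsafe-inline' to script-src. With the answer's policy, img-src example.com replaces default-src for images, so an image from the page's own origin is blocked exactly as the answer states.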
-5

Try:

default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self' 'unsafe-inline' 'unsafe-eval'
Peter Mortensen
M Sach
  • @haywire It does look like an attempt to answer the question. It's a little thin, yes, but if you think this answer is wrong or incomplete, you can downvote it. – Artjom B. Nov 01 '15 at 16:54
  • Please consider editing your post to add more explanation about what your code does and why it will solve the problem. An answer that mostly just contains code (even if it's working) usually won't help the OP to understand their problem. It's also recommended that you don't post an answer if it's just a guess. A good answer will have a plausible reason for why it could solve the OP's issue. – Drenmi Nov 01 '15 at 19:29