nginx Content-Security-Policy Header still blocking bootstrapcdn

Question

I have the following in my nginx.conf

add_header Content-Security-Policy 
    "default-src 'self'; 
    img-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; 
    script-src 'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; 
    style-src 'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; 
    font-src 'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; 
    frame-src 'self' *.vimeocdn.com *.vimeo.com; 
    object-src 'self'";

(i had to multi-line it to make it legible...)

However, in my site I am still getting this error:

Content Security Policy: The page’s settings blocked the loading of a resource at http://netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css (“style-src”).

Any ideas why this may be happenning, when it is whitelisted above?

Where have you used this in your `nginx` config? Do remember that adding another `add_header` anywhere will discard this one if not in the same block — Tarun Lalwani, May 13 '18 at 16:55
Can you also try adding `always` at the end of the of your `add_header` directive, just before the `;` and see if that helps? @Kevin — Tarun Lalwani, May 15 '18 at 06:54

ruvim · Accepted Answer · 2022-01-27T08:37:36.177

As @tarun-lalwani mentioned, any add_header directive in another blocks can matter. More precisely, if add_header (for any header) is used in a descendant block, this Content-Security-Policy will be discarded in such descendant block.

An excerpt from the documentation:

These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

To avoid code copy (DRY) the variables or include directive can be used (or generating nginx config in extensive case).

Just in case, in a real config a multi-line header value should not be used. Check your server response via curl -I https://example.com/path. For better readability in the config the variables can be used.

Example:

set $CSP_image  "img-src      'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src   'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style  "style-src    'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font   "font-src     'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame  "frame-src    'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src   'self' ; ";
set $CSP        "default-src  'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";

add_header Content-Security-Policy $CSP;

appreciate the readability :) However, there are no other headers set. — Kevin, May 14 '18 at 21:22
@kevin, can you see the CSP header in output from `curl`? If yes — the issue is not in nginx configuration. If no — you need to debug your config step by step. Don't forget to reload the config by `nginx -s reload`. To get further help you have to publish your config (for example, on pastebin.com). — ruvim, May 14 '18 at 21:46
I can see them in curl output. And like the good tool that I am, I completely overlooked the fact that the resource I have in the question is http:// and not https:// Which, I would bet is what the issue is — Kevin, May 16 '18 at 13:50
I have just implemented this example and it's working brilliantly. Thankyou — Scratcha, Feb 15 '20 at 14:42

nginx Content-Security-Policy Header still blocking bootstrapcdn

1 Answers1