Questions tagged [content-security-policy]

Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load, as well as the script it's allowed to execute.

Resources:

  • Mozilla Developer Network's short introduction, which includes a basic description of the policy as well as the goals of the policy.
  • A detailed tutorial which includes details on implementation, best practices, use cases, and speculation about the future of CSP.
  • A working draft for the precise specifications of CSP.
  • Information for Chrome Extension developers that includes how CSP affects extensions and other extension-specific information.
  • CSP support in frameworks
2619 questions
1 vote, 1 answer

AngularJS CSP does not work in Chrome

I have an application that is written using Tomcat and AngularJS (v1.2.14). In web.xml I set the ContentSecurityFilter on /* and then in configuration set the policy rules to allow same origin, allow eval and allow unsafe inline. I have mapped…
1 vote, 2 answers

https request in chrome packaged app (JavaScript)

I'm trying to send a request from chrome packaged app: $.ajax({ url: "https://accounts.google.com/o/oauth2/auth?client_id=xxxapps.googleusercontent.com&response_type=id_token&scope=openid%20email",…
1 vote, 1 answer

Authorise mixed content tag?

I have an issue with mixed-content (http/https) blocking. I have three subdomains "a", "b" and "c". Only b is available over SSL. I have a web application with the following frame structure: Navigate to http://a.example.com Page contains an iframe…
mappu
1 vote, 2 answers

Is it possible to bypass CSP when injecting js in the page from a Firefox plugin?

I have a Firefox plugin that used to interact with GitHub's web app by injecting some JavaScript in the page (by creating an element under the head element, and setting its innerHTML value to the JavaScript to be executed). However, it just stopped…
1 vote, 0 answers

Using https url with ajax in a Chrome extension popup

I can't seem to find the solution for this anywhere. I'm making a Chrome extension for submitting data to another service and its functionality is based on a third-party API that is located on a secure url. The problem is that I can't get the https…
1 vote, 1 answer

No inlined script, still getting "Refused due to Content Security Policy directive: "script-src 'self'"

I'm trying to create a Google Reader-like browser action extension for Chrome, to be used with a different RSS reader I've got access to the API for. This produces X number of links in the browser action, each of which needs to open a new tab with…
1 vote, 1 answer

Video Stream Hosting

Good day! I'm a newbie on video streaming. Can you help me find good ways to make video streaming secure? I'm having some issues with my video hosting project's security. I am creating a web page which calls a video stream hosted on a different…
1 vote, 1 answer

POST request on Facebook.com in Chrome Extension fails

I have a Chrome Extension that sends an AJAX POST with some data on every page. The problem is that Facebook blocks the AJAX request, resulting in this: Refused to connect to 'URL_HERE' because it violates the following Content Security Policy…
1 vote, 1 answer

X-Content-Security-Policy-Report-Only not working in Firefox 20

I have the following Content Security Policy defined: X-Content-Security-Policy-Report-Only: default-src 'self'; report-uri /foo If I change that to X-Content-Security-Policy, the policy gets enforced and the report is sent. However, when I set it…
Colselaw
1 vote, 1 answer

Eval() isn't executed in Chrome when using Content-Security-Policy-Report-Only

When using the report-only mode of the Content-Security-Policy, Chrome does not execute eval() anymore. For the following example, I would expect to get 2 reports (one for the inline-script and one for the eval) and also, to see a pop-up. But only…
1 vote, 2 answers

Content Security Policy with Chrome Extensions - Getting data via remote URL

I've made a chrome extension with the following line in the manifest.json, so that I can get data via an ajax request. "content_security_policy": "script-src 'self' http://localhost; object-src 'self'", I want to test the extension with my live…
xylar
1 vote, 1 answer

How to allow Remote Script from every web site with Content Security Policy -CSP?

I read about Content Security Policy from: http://developer.chrome.com/extensions/contentSecurityPolicy.html It is mentioned there that: "If you have a need for some external JavaScript or object resources, you can relax the policy to a limited…
1 vote, 2 answers

Content Security Policy in IE support

I am aware of Content Security Policy as a new feature built into IE10. Wondering if there are any 3rd party vendors providing an implementation through an add-on (BHO) for IE9 and older versions? Thanks,
1 vote, 0 answers

Chrome extension manifest version 2 API call error

I am getting the following error when I am trying to connect to StackOverflow API to fetch data: Refused to load the script…
1 vote, 1 answer

Chrome extension with iframe: Domains, protocols and ports must match

Manifest version 2 and its new content_security_policy is now necessary for Chrome extensions. I read some docs about 'sandbox mode' which seems to be a workaround for inline JavaScript, but I still have a big issue. After some refactoring, I got…