Questions tagged [content-security-policy]

Content Security Policy (CSP) is a browser mechanism, delivered through the Content-Security-Policy response header (or an equivalent <meta> tag), that mitigates cross-site scripting and other content-injection attacks by giving developers fine-grained control over the sources a page is allowed to load resources from, as well as the script it is allowed to execute.

Resources:

  • Mozilla Developer Network's short introduction, which includes a basic description of the policy as well as the goals of the policy.
  • A detailed tutorial which includes details on implementation, best practices, use cases, and speculation about the future of CSP.
  • A working draft for the precise specifications of CSP.
  • Information for Chrome Extension developers that includes how CSP affects extensions and other extension-specific information.
  • CSP support in frameworks
2619 questions
54 votes · 3 answers

How to use React without unsafe inline JavaScript/CSS code?

Background: I have to use a Content Security Policy for a React application. The reason, which is however not of much importance here, is that I am creating a WebExtension/Browser Extension/add-on, and these do have such a content security policy, and…
52 votes · 3 answers

Injecting iframe into page with restrictive Content Security Policy

I want to create a browser extension which creates a sidebar. Chrome does not have a first-class sidebar, and so we must instead put an iframe in the page. However, this breaks on many pages due to content security policy. E.g. GitHub uses a CSP,…
Ben McCann · 18,548 reputation · 25 gold, 83 silver, 101 bronze badges
51 votes · 1 answer

Content-Security-Policy object-src blob

When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL, I get an error like the following: Refused to load plugin data from…
Brian M. Hunt · 81,008 reputation · 74 gold, 230 silver, 343 bronze badges
47 votes · 2 answers

Content security policy including a script

I need to include this script https://apis.google.com/js/api:client.js in my website. On Google Chrome it works fine, but on Firefox (and IE obviously), I get some errors: Content Security Policy: Ignoring “‘unsafe-inline’” within script-src:…
Mattia Billa · 471 reputation · 1 gold, 4 silver, 4 bronze badges
46 votes · 6 answers

Chrome Extension - Content Security Policy - executing inline code

I am using an external JavaScript lib in my Chrome extension. It has inline execution, so I get the following kind of error (the error I get on the console): Refused to execute JavaScript URL because it violates the following Content Security Policy…
Amit G · 2,293 reputation · 3 gold, 24 silver, 44 bronze badges
44 votes · 2 answers

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

I keep getting this error: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the…
Yi Kiat · 441 reputation · 1 gold, 4 silver, 6 bronze badges
44 votes · 5 answers

Make Angular work with restrictive Content Security Policy (CSP)

I cannot make a base Angular2 (final) application work with the following restrictive CSP: default-src 'none'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; connect-src 'self'. There is one unsafe-eval error in lang.js…
Nicolas Henneaux · 11,507 reputation · 11 gold, 57 silver, 82 bronze badges
44 votes · 4 answers

Google Adwords CSP (content security policy) img-src

What domains/protocols in the img-src directive of the Content-Security-Policy header are required to allow Google AdWords conversion tracking? From testing, when we call google_trackConversion, it looks like the browser creates an image with a src…
Michal Charemza · 25,940 reputation · 14 gold, 98 silver, 165 bronze badges
43 votes · 4 answers

Chrome version 18+: How to allow inline scripting with a Content Security Policy?

Chrome 18 Dev/Canary has just been released, and content_security_policy will be needed in the manifest for certain extensions. I'm trying to get a CSP working for inline scripting, but I don't know if I'm doing something wrong or if this is a…
43 votes · 4 answers

Content-Security-Policy in ASP.NET WebForms

I'm looking for a good way to implement a relatively strong Content-Security-Policy header for my ASP.NET WebForms application. I'm storing as much JavaScript as possible in files instead of inline, but by default, WebForms injects a lot of inline…
Andy · 636 reputation · 1 gold, 6 silver, 16 bronze badges
41 votes · 2 answers

What does CSP protect us from if allowing unsafe-inline?

Currently I'm defining Content Security Policy (CSP) as below: Header set Content-Security-Policy: "default-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;" Considering the CSP definition…
Zernel · 1,487 reputation · 2 gold, 15 silver, 27 bronze badges
40 votes · 1 answer

Content security policy for frame. frame-src vs frame-ancestors

What do frame-src and frame-ancestors do exactly? The definition shows that the purpose is the same for both directives: to define valid contents for frames. When should I use which one? I was able to load an external domain's content in an iframe using…
Nishant Baranwal · 1,048 reputation · 1 gold, 10 silver, 18 bronze badges
39 votes · 5 answers

Refused to load the image 'blob:...' because it violates the following Content Security Policy

I got this error: Refused to load the image 'blob:file:///cf368042-bf23-42b6-b07c-54189d3b0e01' because it violates the following Content Security Policy directive: "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:". Note that…
Raz Buchnik · 7,753 reputation · 14 gold, 53 silver, 96 bronze badges
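Several of the questions above (the blob: image refused under `default-src *`, the apis.google.com script, `frame-src` versus `frame-ancestors`, and `'unsafe-inline'` being ignored next to a nonce) come down to how a browser evaluates a policy. The following is an added example, not code from any of the posts or from a browser: a small JavaScript evaluator that implements the CSP Level 3 directive-fallback and source-matching rules for those cases. The page origin `https://app.example`, the helper names, and the sample policies in the calls at the bottom are constructed for illustration; `'strict-dynamic'`, hash-source checking and report-only mode are deliberately left out.

```javascript
// Added example (not code from any post above, nor from a browser): a small
// evaluator for Content-Security-Policy headers following the CSP Level 3
// fallback and source-matching rules. Assumptions: the page origin defaults to
// https://app.example; 'strict-dynamic', hash-sources and report-only mode are
// not modelled; the sample policies in the calls at the bottom are constructed.

// Fetch directives fall back to default-src when absent. Navigation and document
// directives (frame-ancestors, base-uri, form-action, report-uri) never do.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "script-src 'self' x; img-src y" -> Map { 'script-src' => ["'self'", 'x'], ... }.
// A repeated directive is ignored by browsers, so the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The source list that governs `directive`, or null if the policy is silent
// about it (in which case the browser allows the load).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (directive === 'frame-src' && policy.has('child-src')) return policy.get('child-src');
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one source expression match a URL requested by a document at pageOrigin?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  // '*' matches network schemes only: it never covers data:, blob: or filesystem:.
  if (e === '*') return /^(https?|wss?|ftp):$/.test(url.protocol);
  if (e.startsWith("'")) return false; // 'none', 'unsafe-*', 'nonce-…', 'sha256-…'
  // scheme-source such as data:, blob:, gap: (http: also covers https: URLs)
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e || (e === 'http:' && url.protocol === 'https:');
  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  const schemeOk = scheme
    ? url.protocol === `${scheme}:` || (scheme === 'http' && url.protocol === 'https:')
    : /^(https?|wss?):$/.test(url.protocol);
  const hostOk = wild ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
  const portOk = !port || port === '*' || port === (url.port || DEFAULT_PORT[url.protocol] || '');
  const pathOk = !path || (path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path);
  return schemeOk && hostOk && portOk && pathOk;
}

// Would `directive` let a document at pageOrigin load urlString under this header?
function allowsSource(header, directive, urlString, pageOrigin = 'https://app.example') {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Would an inline <script>/<style> block run? Once any nonce- or hash-source is
// present, 'unsafe-inline' is ignored (hence the "Ignoring 'unsafe-inline'"
// warning) and only a block carrying a listed nonce is allowed.
function allowsInline(header, directive, nonce) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed checks mirroring the situations in the questions above.
const cordova = "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:";
const blobImage = 'blob:file:///cf368042-bf23-42b6-b07c-54189d3b0e01';
console.log('blob image under *:', allowsSource(cordova, 'img-src', blobImage));           // false
console.log('after adding blob::', allowsSource(`${cordova} blob:`, 'img-src', blobImage)); // true
console.log('frame-ancestors inherits default-src?',
  allowsSource("default-src 'none'", 'frame-ancestors', 'https://other.example/'));         // true: not governed
console.log("'unsafe-inline' next to a nonce:",
  allowsInline("script-src 'self' 'unsafe-inline' 'nonce-abc123'", 'script-src'));         // false
```

Run it with `node` to see the four answers. The points to take away: `*` is not "everything", so `blob:` and `data:` must be listed explicitly; `frame-ancestors` (who may embed you) does not inherit from `default-src` and must be set on its own, while `frame-src` (whom you may embed) does; and the moment a nonce or hash appears in `script-src`, `'unsafe-inline'` stops doing anything, which is exactly the Firefox message quoted above.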
39 votes · 4 answers

How to generate a nonce in node.js?

I need to generate a nonce (number generated only once) to remove the CSP rule 'unsafe-inline' and all the trusted URLs for scripts, improving the CSP score. Thus I need to have in the HTML