Questions tagged [content-security-policy]

Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load, as well as the script it's allowed to execute.

Resources:

  • Mozilla Developer Network's short introduction, which includes a basic description of the policy as well as the goals of the policy.
  • A detailed tutorial which includes details on implementation, best practices, use cases, and speculation about the future of CSP.
  • A working draft for the precise specifications of CSP.
  • Information for Chrome Extension developers that includes how CSP affects extensions and other extension-specific information.
  • CSP support in frameworks
2619 questions
1 vote, 1 answer

Show Content Security Policy at app startup

I am trying to set up the CSP and Ember is doing something funny, difficult to describe what. I am rightly configuring one part, and it is failing in another part. Or suddenly, livereload is blocked. Or it says that script-src is not defined, and…
blueFast
1 vote, 1 answer

Cordova, Content-Security-Policy: within iframe getting error as deviceready has not fired after 5 seconds

I recently upgraded my Cordova application from 2.9.0 to the current version 5.4. Since, as all know, there is a huge difference in project structure from Cordova 2.9 to 5.4, I followed several online tutorials and upgraded my app. And I'm able to get the app…
Juno
1 vote, 1 answer

How to get a function from a string without using eval/new Function (CSP)

I have a string that looks something like this: var codeStr = "function a(){alert(4);}" and I want to turn that into a function. I can do this using eval or new Function, for example: var fn = eval(codeStr); But when the content-security-policy is…
ColBeseder
1 vote, 1 answer

Is it possible to create a content security policy that allows all websites to be accessed?

I have been having problems with scripts not getting loaded because of problems with content security policy settings and was wondering if there was a way to set a content security policy so that it lets all websites be accessible for downloading…
Bill Noble
1 vote, 2 answers

Exceptions in the Chrome console when "Content-Security-Policy" is used

I use the Content-Security-Policy:default-src 'self' header on my web page. Chrome throws an error in the console when I load this page with the "Grammarly" Chrome extension enabled: Refused to load the font…
1 vote, 0 answers

requirejs -- how to add request headers to calls that load script files

I am using requirejs in my GUI app. So all my script files are managed by the require library. Now I am required to add a request header like "script-src" with a suitable value, in order to meet the Content-Security-Policy as defined here:…
Mopparthy Ravindranath
1 vote, 1 answer

How to work around Chrome's XSS auditor false positive with Content-Security-Policy?

There exists a known false positive in the Google Chrome XSS Auditor concerning a textarea with some js-ish text, for example action="": The XSS Auditor refused to execute a script in 'https://www.dokuwiki.org/sandbox:chrome_xss_auditor?do=edit'…
Michael Große
1 vote, 1 answer

Embed website with iframe in Meteor cross domain

A little problem I could not find a solution for: the Meteor application works in a local network, served on app.local:3000. A website (WordPress, Apache) will be the iframe src. So this is what it looks like in Meteor: