Questions tagged [content-security-policy]

Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load, as well as the script it's allowed to execute.

Resources:

  • Mozilla Developer Network's short introduction, which includes a basic description of the policy as well as the goals of the policy.
  • A detailed tutorial which includes details on implementation, best practices, use cases, and speculation about the future of CSP.
  • A working draft for the precise specifications of CSP.
  • Information for Chrome Extension developers that includes how CSP affects extensions and other extension-specific information.
  • CSP support in frameworks
2619 questions
1 vote, 0 answers

How to detect that iframe violates CSP

I'm working on an extension which injects an iframe with local content into a page. In Chrome it works fine; extensions there are not subject to Content Security Policy. However, it is a problem with some pages in Safari. Therefore I need a way to…

dakov
1 vote, 2 answers

Refused to connect to any URLs in Cordova android app

I am developing a Cordova Android mobile app, using Sencha Touch as the UI framework. Within the app I'm making web service calls. It used to work fine with the old version of Cordova; I recently upgraded the Cordova project to 5.0.0, and from then on I'm not able to…
1 vote, 1 answer

CSP unsafe-eval using Google Maps API

Getting a script-src 'unsafe-eval' error when trying to use the Google Maps API. Here's the console error: Uncaught EvalError: Refused to evaluate a string as JavaScript…
1 vote, 2 answers

Style-src CSP errors with jQuery and Modernizr

When I remove unsafe-inline from script-src in my CSP headers I get multiple errors on Modernizr 2.8.3 and an error on jQuery 2.1.3. It's strange because I only get this error on one of my sites, although I am using the same libraries on others with…

anthony-dandrea
1 vote, 1 answer

In Chrome packaged apps, is there a way to declare multiple sandboxes, each one having its own content security policy?

I need to have some sandboxes totally secured, others more "relaxed". I tried this in the manifest.json (doesn't work, but describes accurately what I need to do): ..., "sandbox": [ { "pages":[ "sandbox1.html" ], …
1 vote, 1 answer

Content Security Policy getJSON

I'm sorry for my English. I have the following code in my HTML: In my JS: $(document).ready(function() { …
1 vote, 2 answers

Code Access Security in Reporting Services 2008

I have a Delivery Extension running inside Reporting Services 2008. It has been running fine for a long time. But now I want to make an insert into a database from within the extension. The first error I got was this: Exception:…

MartinHN
1 vote, 2 answers

Chrome Extension and Jenkins URLs

I'm currently trying to develop a Chrome extension which is supposed to display data from different Jenkins servers. The URL to the Jenkins server is entered by the user. So basically what I need is to be able to access any kind of Jenkins…
1 vote, 0 answers

Rework Function (capital F)

I am trying to get a JavaScript Speex library to run within a CSP-protected environment. It runs great without CSP and I already fixed most "eval" problems. However, this one is giving me a headache: this.interpolate = Function("buffer",…
1 vote, 0 answers

How do I insert an iframe with dynamic HTTPS source from a Firefox extension?

We develop browser extensions for Google Chrome, Firefox and Safari. We need to insert an iframe into Gmail (https://mail.google.com/) in our Firefox extension. I created JavaScript code that inserts the iframe into the page with jQuery. Here is the…
1 vote, 1 answer

Making XHR requests in externally-loaded script (Gmail, Chrome 39.x, Content Security Policy)

When an externally-loaded script (in a Chrome extension intended to augment Gmail) tries to make an XHR / AJAX request, it fails. Refused to load the script 'https://.js?' because it violates the following Content Security Policy…
1 vote, 2 answers

Chrome v. 39 and Content-Security-Policy HTTP header

We recently discovered an interesting bug in the newly released Chrome v.39. It just crashed with the standard "Aw Snap!" message on every page with an iframe if that iframe loads a page with a Content-Security-Policy HTTP header. This blocked out website…

YoMan78
1 vote, 1 answer

Can Rails render forms w/o inline CSS for a stricter Content-Security-Policy?

I'd like to implement a Content Security Policy (CSP) that's as strict as possible. According to this intro on CSP, inline styles are bad (emphasis mine): Inline style is treated in the same way: both the style attribute and style tags should be…

awendt
1 vote, 2 answers

Chrome Plugin and Content Security Policy errors

When uploading my unpacked Chrome extension, I get the following error: Could not load extension from '/Users/me/example'. Invalid value for 'content_security_policy': Both 'script-src' and 'object-src' directives must be specified (either…
1 vote, 1 answer

Separate inline JavaScript initialization logic from HTML for strict Content Security Policy

I would like to use a very strict Content Security Policy which does not allow inline JavaScript. My views are rendered with PHP. All the JavaScript logic needed throughout the application is already external, concatenated into one JavaScript file…

griesi