Questions tagged [content-security-policy]
24 questions
12 votes, 1 answer
Refused to frame '' because it violates the following Content Security Policy directive: "frame-src *"
I have found many solutions to various situations with "refused to xyz" due to Content-Security-Policy Settings.
However I can't seem to find what might be wrong if '' gets refused.
The literal error message in the browser is
Refused to frame ''…
Worp
4 votes, 0 answers
Client-side caching when using CSP with nonces in nginx - how do you use weak caching validators/etags?
I'm using nginx's expires directive; its etag directive as well as the Last-Modified header (if I understand correctly) are on by default.
In order to allow specific inline JavaScripts when using restrictive Content Security Policy (CSP) headers…
Christian
3 votes, 0 answers
How to configure Content-Security-Policy for Nginx and Drupal 8?
I have an Nginx server with Ubuntu 18.04 and a Drupal 8 site.
I have read in several articles that I should not use 'unsafe-eval' or 'unsafe-inline'.
I added headers for security but the pages of the site are no longer loaded correctly.
Here is my Nginx…
Mathieu
2 votes, 0 answers
Images on WordPress aren't loading
I've recently installed a clean WordPress installation on my Ubuntu 18.04 LTS server using nginx. Now I'm running into an error: when I've uploaded my images, I can't see them on the page.
That's what the network console is giving me in my…
Yeriwen
2 votes, 2 answers
How to determine CSP for WordPress
I'm trying to implement Content-Security-Policy headers for WordPress but am having trouble identifying all the URLs it needs access to. Specifically, I have tried adding the header:
Header always set Content-Security-Policy "default-src 'self'…
srkiNZ84
2 votes, 1 answer
How to create a CSP nonce and yet continue website caching?
I am not getting any response to any way I try to phrase this question, so I keep trying. I feel I've got to be missing something, but I've searched and searched. Why isn't it obvious? Why is it so hard to get an answer?
We are told we should use a…
jamminjames
2 votes, 1 answer
Google Cloud Services Content Security Policy Issues
I have a static web site hosted in a bucket that I serve up via the Google Platform.
This site has been running with no problems for about 6 months but over the last month I have had intermittent problems with it not loading style sheets and scripts…
evoelise
1 vote, 1 answer
How do I allow fontawesome as a style-src in my Content-Security-Policy?
I'm trying to set my Content-Security-Policy header in .htaccess.
I've already tried a variation of the answer to this post but it doesn't work. All my fontawesome icons are broken.
Header always set Content-Security-Policy: "default-src 'self';…
jarrodwhitley
1 vote, 2 answers
How to inject random CSP nonce in APACHE?
I want to add the following CSP directive in APACHE because I want it to be applied on every page.
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-{random}'…
user3526609
1 vote, 1 answer
Can CSP reports be configured to exclude known blacklisted resources?
When I use a Content-Security-Policy knowing that it will (and should) block some elements, is there a way to get reports for all violations except these?
I get for example hits from a script that is inserted from some Kaspersky product. It's great…
allo
1 vote, 0 answers
Nginx, webP, and a strict content security policy (SCP) on a LEMP Server
I am attempting to create a strong and secure content-security-policy in nginx, running a WordPress-based LEMP server. I believe I am using the ngx_pagespeed.so module, and have implemented FastCGI on my server. I believe one of these features…
DanRan
1 vote, 0 answers
What is the solution to caching vs using a CSP nonce? I've been searching for a while, and haven't found it
I've never seen a good answer to this dilemma, and I've been searching high and low. It seems it is a choice between using a nonce and caching, you can't have both. Really bad choice!
We're told 'unsafe-inline' is a really bad choice in CSP, and yet…
jamminjames
1 vote, 0 answers
Implementing Content-Security-Policy on Apache 2.2
On Apache 2.2 I'm about to set up Content-Security-Policy to allow browsers coming from one particular domain to load data into iframes from a certain virtual host.
$ httpd -S
VirtualHost configuration:
Syntax OK
$ httpd -S -v
Server version:…
Rolf
0 votes, 2 answers
Setting SELinux labels for a Magento site on CentOS 7
I was hoping someone could kindly help me. I have a Magento site running on a CentOS 7.6 server.
Now, the site is not correctly loading, and looking in the messages.log I see numerous entries where SELinux is blocking access. I am able to…
Vaishal Patel
0 votes, 3 answers
Content-Security-Policy for Exchange 2016
I would like to add Content-Security-Policy headers for Exchange 2016 for /owa and /ecp.
Being well aware that a "too restrictive" Content-Security-Policy header can break both /owa and /ecp, is there a known working least permissive set for…
shouldbeq931