content-security-policy

问题 I am using the js plugin that adds inside itself SVG images. I have added CSP policy to my website, but I can't configure it to allow plugin's code. Its code looks like: label=$("<object style='height:10px; width:10px;' type='image/svg+xml' data='data:image/svg+xml;charset=UTF-8," + "<svg xmlns=\"http://www.w3.org/2000/svg\">" + "<rect x=\"0\" y=\"0\" some parameters/>"+ "<text>SomeText</text></svg>'></object>"); el.html(label) I am looking for a configuration that allows SVG image that is

问题 I defined the CSP within meta tags in my Angulars project index.html file <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://baseurl1/ https://baseurl2/ https://baseurl3/; img-src 'self' data: http://baseurl/; frame-src 'self' blob:; media-src 'self' https://baseurl/; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://baseurl/; style-src 'self' 'unsafe-inline';"> My issue is, that I want to whitelist exactly one more connect-src dynamically

问题 I am wondering if it's possible to modify the Content-Security-Policy header that is set under <customHeaders> within web.config . I would like to inject a nonce value if possible. I am currently doing this but I need to remove the header from web.config entirely and add it via Application_BeginRequest() I have poked around global.asax to grab the header. It doesn't seem exist at this point in the pipe line. I can only assume it is injected later on? <customHeaders> <add name="Content

问题 I have the following content security policy set in my .htaccess file: default-src 'none'; \ form-action 'self'; \ frame-ancestors 'none'; \ font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \ img-src 'self' data: www.google-analytics.com www.facebook.com; \ script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \ style-src 'self' 'unsafe

问题 I have some custom HTTP response headers defined in an ASP.NET (Web Forms) website's web.config. I'm trying to write a managed HTTP module that can modify these web.config defined headers before they're sent back to the client. Unfortunately, whatever event I use (PreSendRequestHeaders, EndRequest) , the headers defined in web.config do not exist in the Response.Headers collection. I'm aware that PreSendRequestHeaders is not recommended so I also tried using Response.AddOnSendingHeaders but

问题 Ok, yes, it's 2020 but don't laugh. I'm trying update some ASP.NET web forms. My goal is to lock them down, making them more secure by applying a more restrictive Content Security Policy (CSP). To that end, I'm using a nonce, rather than allowing unsafe-inline for scripting. For "simple" web forms, it's working fine. However, I hit a problem whenever there's an asp control that results in a post back. When I look in the page source, I see stuff like this: <script type="text/javascript"> //<!

问题 Angular Version - 7.2 Environment - localhost IDE - Visual Studio Code Browser - Chrome Localhost Web Server - Express I have project built in angular framework and it is running with Express web-server in my localhost . I added the x-frame-options in the web.config but it is not showing up in the webpage response header. I want to test this change in the app running in localhost. Please suggest, how can i view this property in the response headers. Web.config code changes :- <httpProtocol>

问题 I deployed a react/express app to heroku and when going to here I get this error 'Refused to load the image 'https://nameless-sands-37753.herokuapp.com/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.'. Here's what I tried: Added this to manifest.json: "content_security_policy": "default-src 'self' https://nameless-sands-37753.herokuapp.com/" Added this to

问题 This is my current script-src content security policy for my app: script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.gstatic.com; trying to load the following external js code: https://maps.googleapis.com/maps/api/js?key=${GOOGLE_API_KEY}&libraries=places&language=he using unsafe-inline it works, but probably unsafe, so I want to remove it in my code, but then it doesn't allow the script to run. tried to add to script-src a value such as https://maps.googleapis.com/*

问题 I am trying to integrate google+ API with my google chrome extension. My integration based on this quick start example introduced here: https://developers.google.com/+/quickstart/javascript I have migrated all inline javascript code to separate files, added content_security_policy line in my manifest.json file: "content_security_policy": "script-src 'self' https://www.googleapis.com/ https://plus.google.com/ https://apis.google.com/ https://accounts.google.com/ https://ssl.gstatic.com https:/