content-security-policy

Loading of a resource blocked by Content Security Policy

北战南征 submitted on 2019-12-20 03:23:17
Question: I'm getting the error below in the console of my browser: Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:3000/favicon.ico (“default-src”). I searched online and saw that this should be fixed with the snippet of code below: <meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'self' data: https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *"> I added this to my front-end

How to use React without unsafe inline JavaScript/CSS code?

删除回忆录丶 submitted on 2019-12-20 02:35:31
Question: Background: I have to use a Content Security Policy for a React application. The reason, which is not of great importance here, is that I am creating a WebExtension/Browser Extension/add-on, and these do have such a content security policy, in which things like 'unsafe-eval' and 'unsafe-inline' are strictly disallowed: extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major

How to relax Content Security Policy with meta tag

梦想与她 submitted on 2019-12-20 02:28:09
Question: I'm trying to override the Content Security Policy using a specific meta tag for some pages. I've been trying for a couple of hours, but I've not succeeded yet. Is there a way to override CSP from the page itself (using JavaScript or meta tags) without having to modify the server configuration? Thank you. Answer 1: No. For security reasons the meta tag can only make the policy more strict, not relax the policy defined in the headers. If the meta tag could relax the policy, CSP would have no teeth

Trying to render iframe: ancestor violates the following Content Security Policy directive: “frame-ancestors 'none'”

China☆狼群 submitted on 2019-12-19 05:12:20
Question: I would like to render an iframe with the source being Github like so: <iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe> This is the error I get in the console: Refused to display 'https://gist.github.com/fresh5447/9bf8d568e3350146ba302d7d67ad576f' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". I was researching how to specify my Content Security Policy in my Node server, to specify

How to inject script into a page using bookmarklet if the Content Security Policy is enabled on the server?

邮差的信 submitted on 2019-12-19 04:08:07
Question: I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, I am creating a script tag (with src as the jQuery URL) dynamically and appending it to the head tag. This works well for many sites. But there are a few sites, like Facebook, for which the bookmarklet is not able to inject the external JS file into the DOM. I came to know that this behaviour is because of the response header "Content Security Policy", which prohibits the inclusion of scripts from any other

How to detect Content Security Policy (CSP)

一笑奈何 submitted on 2019-12-18 18:48:10
Question: I noticed that GitHub and Facebook are both implementing this policy now, which restricts third-party scripts from being run within their experience/site. Is there a way to detect whether a document is running against CSP using JavaScript? I'm writing a bookmarklet, and want to give the user a message if they're on a site that doesn't support embedding a script tag. Answer 1: What about this. For slow connections, the timeout should probably be raised. Onload is what I used to detect it and it

What is the maximally permissive Content-Security-Policy?

冷暖自知 submitted on 2019-12-18 17:14:09
Question: I have a large, legacy codebase that I'd like to introduce the Content-Security-Policy header on. It is not feasible in the short term to truly lock down the site (for example, there are inline scripts all over the place that have no automated test coverage), but at least I can start by forbidding access to content sources that I know for sure aren't in use currently and then slowly ratchet it down over time. Unfortunately, the list of sources that aren't being used is rather short. This was

X-Frame-Options and Content-Security-Policy for frames in Firefox

青春壹個敷衍的年華 submitted on 2019-12-18 17:04:51
Question: The Content Security Policy specification says: The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored. So from my understanding, if both Content-Security-Policy and X-Frame-Options headers are present, then X-Frame-Options should be ignored. I have a web app with both headers, and it looks like Firefox 38 ignores the Content-Security-Policy header and uses X

Generate a nonce with Apache 2.4 (for a Content Security Policy header)

送分小仙女□ submitted on 2019-12-18 04:24:13
Question: We're working on creating a strict Content Security Policy (https://csp.withgoogle.com/docs/strict-csp.html), which necessitates Apache creating a nonce each time a resource is requested, so that we can insert this nonce into the HTTP header. How can we create a nonce with Apache 2.4? All of the CSP-related documentation I've read says something to the effect of "A nonce is just a random string that's generated on the server, included in the CSP header..." but I haven't found any info on how to