content-security-policy

Content Security Policy on Mozilla extension

穿精又带淫゛_ submitted on 2019-12-10 10:32:15
Question: I have an extension in both Mozilla and Chrome; in my extension I make a call to a remote JS file. To avoid the CSP in Chrome, I add the rule to manifest.json and my file goes over HTTPS, so everything is perfect. But in Mozilla, I could not find out how to load the JS. Even over HTTPS it doesn't work. The only thing I found on this was another question here on Stack Overflow: How to add Content Security Policy to Firefox extension, but I am not sure where to insert that code; my extension is very

Does Content Security Policy's connect-src directive allow you to make cross domain requests?

可紊 submitted on 2019-12-10 02:32:55
Question: Does specifying a connect-src directive in your Content Security Policy relax the browser's same-origin policy and allow you to make cross-origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same-origin calls or calls enabled by CORS)? Answer 1: The connect-src directive does not relax the same-origin policy; it simply specifies a list of sources to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).

“inline-style”-Error with Content Security Policy and Javascript

孤人 submitted on 2019-12-08 17:01:25
Question: I turned on Content Security Policy on my server with this command in my Apache2 configuration: Header set Content-Security-Policy-Report-Only "default-src 'self'" (I set it to ...-Report-Only to only report errors, without really blocking anything while developing.) This setting produces an error that I don't understand. But I can reproduce it: This is the simplified HTML code: <!DOCTYPE HTML> <html lang="en"> <head> <script src="/js/test.js"></script> <title>test</title> </head> <body></body> </html> As you see, no inline script and no inline style (no style at all) and a completely empty

Content Security Policy directive: “img-src data:” error

走远了吗. submitted on 2019-12-08 10:54:02
Question: I'm testing my Angular 5 app on GitHub Pages, and whenever I reload a page other than index.html, I get this error: Refused to load the image 'https://sebamed.github.io/favicon.ico' because it violates the following Content Security Policy directive: "img-src data:". Also, when I try to access the '404' error page, I get the same message. Now, I tried several solutions for this, but none of them seems to do the job. I even added this to my index.html: <meta http-equiv="Content-Security-Policy"

CSP rules applied differently to SVG in Firefox

陌路散爱 submitted on 2019-12-08 07:36:47
Question: I have an HTML document with a Content Security Policy: <meta http-equiv="Content-Security-Policy" content="style-src 'self'"> I create an SVG element, set the style property and append the element to the document: const el = document.createElementNS('http://www.w3.org/2000/svg', 'svg'); el.style.background = 'green'; document.body.appendChild(el); In Firefox I get a Content Security Policy error, and the styles are not applied. There is no error in Chrome. There is no error for a DIV element in Firefox.

How can I get KendoUI MVC to work with Content Security Policy

十年热恋 submitted on 2019-12-08 06:36:00
Question: How do I avoid Telerik KendoUI creating inline scripts when using ASP.NET MVC Kendo components? The reason for avoiding inline scripts is to adhere to the CSP header Content-Security-Policy: script-src 'self' 'unsafe-eval' https://kendo.cdn.telerik.com and not to get errors like Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://kendo.cdn.telerik.com". Is there a way to remove the Kendo-generated inline

Content Security Policy directive: Refused to load the font

邮差的信 submitted on 2019-12-08 04:53:09
Question: I created an Angular project using angular-cli, but when I start this project using npm start it shows Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAGVUABEAAAAAxuQAAQABAAAAAAAAAAAAAAAAAAAAAAAAAABHREVGAAABgAAAAC4AAAA0ArgC7UdQT1MAAAGwAAAQ6AAALgxKsqRTR1NVQgAAEpgAAAH3AAAELqI5y+RPUy8yAAAUkAAAAE8AAABgaGyBu2NtYXAAABTgAAABlAAAAkQkRATXY3Z0IAAAFnQAAABeAAAAugDsQf1mcGdtAAAW1AAABZcAAAvNb3

How to let script to use setAttribute 'style' without breaking CSP

懵懂的女人 submitted on 2019-12-07 20:16:57
Question: I am trying to keep my CSP policy as strict as possible. I need to include a 3rd-party component in my bundle. But it uses the element.setAttribute('style'...) method, which breaks CSP. Is there a way to allow this particular script to inline styles in that manner? Answer 1: 2018-10-06 update: The original answer here is still correct for now — because with CSP as currently implemented in browsers at least, there's still no way to have dynamically injected styles at all without specifying unsafe-inline,

violates the following Content Security Policy directive

|▌冷眼眸甩不掉的悲伤 submitted on 2019-12-07 18:05:01
Question: When I upload an image into my web app, it shows the error below: Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "default-src * data: 'unsafe-eval' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback. I try to solve this error by using the following code: <meta http-equiv="Content-Security-Policy" content="default-src *; img-src * 'self' data: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval'

is Content Security Policy 'unsafe-inline' deprecated?

邮差的信 submitted on 2019-12-07 16:32:54
Question: I'm developing a Chrome Extension; I tried to add the 'unsafe-inline' CSP as per the Google Docs. However, after doing so and attempting to reload my extension at chrome://extensions/ I'm getting: There were warnings when trying to install this extension: Ignored insecure CSP value "'unsafe-inline'" in directive 'script-src'. For reference, the entire CSP as defined in manifest.json: "content_security_policy": "script-src 'self' 'unsafe-inline' https://localhost:8000; object-src 'self'" So, why am I