content-security-policy

In my asp.net core application for each response i'm adding content security policy header. I understand that for IE, the header name is X-Content-Security-Policy and for other browsers like chrome its Content-Security-Policy The header value looks something like below where nonce is different for each response. default-src 'none'; script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'self'; connect-src 'self'; report-uri /csp/report; The application is using inline javascript on

In CSP v2 frame-src was deprecated. child-src is recommended to use instead. In CSP v3 frame-src in undeprecated and child-src is deprecated. Currently (sep 2017) Chrome: The 'child-src' directive is deprecated and will be removed in M60, around August 2017. Please use the 'script-src' directive for Workers instead. So what's correct collection of directives to work in modern (minus 2 versions) browsers? Looks like frame-src + script-src is enough? But what should be in script-src then? PS: is it even legal to "undeprecate" stuff? 2018-12-20 update child-src has in the meantime been un

My CSP report URI has received the following CSP violation: { "csp-report":{ "document-uri":"https://example.com/blog/somepage", "referrer":"", "violated-directive":"img-src 'self' data: p.typekit.net pbs.twimg.com platform.twitter.com q.stripe.com syndication.twitter.com", "effective-directive":"img-src", "original-policy": veryLongPolicyGoesHere, "blocked-uri":"about", "status-code":0 } } Why would I get a CSP violation for the blocked-uri 'about'? Is this the inbuilt about: URL from web browsers? I can't replicate the problem when I try. Tomi Junnila I worked with the user to discover it is

I have a gulp task that runs browsersync. var options = { proxy : 'localhost:9000/html' , port : 3000 , files : [ config.root + config.srcPaths.htmlBundle , config.htmlRoot + 'main.css' , '!' + config.htmlRoot + '**/*.scss' ] , injectChanges : false , logFileChanges : true , logPrefix : 'broserSync ->' , notify : true , reloadDelay : 1000 }; browserSync( options ); browsersync detects changes and tries to inject them but chrome blocks it with this error: Refused to connect to 'ws://localhost:3000/browser-sync/socket.io/?EIO=3&transport=websocket&sid=gOQQPSAc3RBJD2onAAAA' because it violates

I am struggling for some days already with defining my Content-Security-Policy for my Cordova App. My first question is: Do I have to add CSP in Cordova? It seems like Cordova adds meta tag for CSP by default and add Whitelist plugin, requiring to define your CSP for every page. If I have to define: How to properly define directives for my need: I am adding some js files, css files, and have inline js code, as well as styles. I have added this CSP for my page. And it is complaining about style-src . <meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self' 'nonce