content-security-policy

Google analytics.js and Content Security Policy

梦想与她 submitted on 2019-12-03 08:27:00
Question: I have a web app using the default html5boilerplate Content Security Policy. However, we have the new Google analytics.js snippet on the page, which is being blocked by the CSP. I've been trying to find an example of a CSP and JS include structure that will allow Google analytics.js, but haven't had any luck. The closest SO post is Google Analytics and Content-Security-Policy header, but this is using the older ga.js. Unfortunately the Google Docs don't mention CSP. I've reached the following

How to use jinja2 server side rendering alongside react without violating inline-script CSP

佐手、 submitted on 2019-12-03 08:19:15
I am new to React and experimenting a bit. I would like to use it on my Flask site that uses Jinja2 templates. People seem to recommend rendering data on the server side first instead of having to always make an initial call for data on page load. I found this nodejs example, but it just puts the data on the page in a global variable in an inline script tag. I was wondering if there was a clean way to do this other than just putting the data on the page inside an inline script tag. Because of my secure CSP policy I can't use inline scripts or eval. Is there a standard pattern people use to

Refused to connect to [url] because it violates the following Content Security Policy directive

醉酒当歌 submitted on 2019-12-03 07:46:30
Question: I am the author of a Chrome extension that allows translating status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin For some days now, my users and I are getting an error in the error console that says: Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it

Whitelist multiple domains in content security policy

最后都变了- submitted on 2019-12-03 07:20:41
Question: I am writing a Chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax. The following does not seem to work: "content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'" EDIT: Both my content script and my popup are able to reach foo.com; however, neither can reach example.com. Are Chrome extensions capable of having

What does CSP protect us if allowing unsafe-inline

大憨熊 submitted on 2019-12-03 06:41:08
Question: Currently I'm defining Content Security Policy (CSP) as below: Header set Content-Security-Policy: "default-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;" Considering the CSP definition above, I have a challenge with inline JavaScript as it can be overridden at any time. What is the use of unsafe-inline if it virtually does not protect? Answer 1: The unsafe-inline option is to be used when moving or rewriting inline code in your

Content Security Policy: “img-src 'self' data:”

故事扮演 submitted on 2019-12-03 04:50:17
Question: I have an app in which the user would be able to copy an image URL, paste it into an input, and the image will be loaded in a box. But my app keeps triggering this message: Refused to load the image 'LOREM_IPSUM_URL' because it violates the following Content Security Policy directive: "img-src 'self' data:". That's my meta tag: <meta http-equiv="Content-Security-Policy" content="default-src *; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe

“[Report Only] Refused to load the font…” error message on console

时间秒杀一切 submitted on 2019-12-03 04:50:05
More specifically: [Report Only] Refused to load the font 'data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAABBQAAoAAAAAG…H8zVsjnmMx0GcZ2HGViNOySWEa9fvEQtW43Nm+EOO0ZIpdLbMXoVzPJkcfHT6U+gLEpz/MAAAA' because it violates the following Content Security Policy directive: "font-src 'self'". This is my contentSecurityPolicy object in environment.js: contentSecurityPolicy: { 'default-src': "'none'", 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net", 'connect-src': "'self'", 'img-src': "'self' www.facebook.com", 'style-src': "'self' 'unsafe-inline'", 'frame-src':

Google Fonts violates Content Security Policy

核能气质少年 submitted on 2019-12-03 04:14:09
Question: I'm trying to use Google Fonts and I've never had any problems, but now when I try to add the CSS file in my header I get this error on the console: Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Whatever' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Answer 1: There are two things to fix here: Use https for the Google Fonts link ( https://fonts.googleapis.com/css?family=Whatever ) Authorize https://fonts

Whitelist multiple domains in content security policy

余生长醉 submitted on 2019-12-02 23:12:15
I am writing a Chrome extension that needs to have two domains in its whitelist for the content security policy. I've looked at the official docs, but I still can't seem to figure out the proper syntax. The following does not seem to work: "content_security_policy": "script-src 'self' https://foo.com https://example.com; object-src 'self'" EDIT: Both my content script and my popup are able to reach foo.com; however, neither can reach example.com. Are Chrome extensions capable of having multiple sources whitelisted in the CSP? From what I know about CSPs, this looks syntactically correct. The

CSP: How to allow unsafe-eval for a given URI prefix (Firefox)

血红的双手。 submitted on 2019-12-02 23:09:16
I'm trying to use MathJax as part of our web application, which uses a pretty strict Content Security Policy (CSP). The problem is that MathJax is coded to use eval() [to be exact, in the form of Function()], which is not considered safe by default by CSP. I'm currently using the following CSP header: X-Content-Security-Policy: allow 'self'; img-src *; media-src *; frame-src *; font-src *; frame-ancestors 'none'; style-src *; report-uri '/:save-csp-violation'; which causes the MathJax 2.0 code to fail because it uses Function(). I tried to allow unsafe-eval (i.e. Function()) only for MathJax located