content-security-policy

I have a web app using the default html5boilerplate Content Security Policy. However, we have the new Google analytics.js snippet on the page, which is being blocked by the CSP. I've been trying to find an example of a CSP and JS include structure that will allow Google analytics.js, but haven't had any luck. The closest SO post is Google Analytics and Content-Security-Policy header , but this is using the older ga.js. Unfortunately the Google Docs don't mention CSP. I've reached the following solution though: Bottom of my html file: <script type="text/javascript" src="/js/analytics.js"><

I have an app, in wich the user would be able to copy an image URL, paste it unto an input and the image will be loaded on a box. But my app, keep triggering this message: Refused to load the image 'LOREM_IPSUM_URL' because it violates the following Content Security Policy directive: "img-src 'self' data:". That's my meta tag: <meta http-equiv="Content-Security-Policy" content="default-src *; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *"> I'm using html2Canvas within the app, and when I remove this: "img-src 'seld' data:" It fire

I'm trying to relax Chrome's CSP while running a test using proctractor (webdriver, chromedriver). So the solution can be either a flag like "--disable-csp" which dose not exist according to my search results. a setting for webdriver/protractor to do so. I could not find any solution but to setup a proxy that filters the header. any ideas? currently there are no native option but you can disable CSP using extension. Step: Download extension Disable Content-Security-Policy Save it as .zip , because it need modification to enable "disable CSP" at start extract the file or if using Winrar double

I'm trying to override the Content Security Policy using a specific meta tag for some pages. I've been trying for a couple of hours, but I've not succeed yet. Is there a way to override CSP from the page itself (using JavaScript or meta tags) without having to modify the server configuration? Thank you. No. For security reasons the meta tag can only make the policy more strict, not to relax the policy defined in the headers. If the meta tag could relax the policy, CSP would have no teeth. Any malicious party could just add a meta tag to disable the policy and avoid all of the restrictions that

Background I have to use a Content Security Policy for a react application. The reason, that is however not of a big matter here, is, that I am creating a WebExtension/Browser Extension/add-on and these do have such a content security policy , and there things like 'unsafe-eval' and 'unsafe-inline' are strictly disallowed : extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues. I have created the app with create-react-app loosly following this guide . The

Trying to open a WebSocket connection from a Browser to a server running on localhost:9000 here is my JS code: $( document ).ready(function() { var url = "ws://localhost:9000/myapp"; var connection = new WebSocket(url); connection.onopen = function() { console.log('WebSocket Open'); }; connection.onerror = function(error) { console.log('WebSocket Error ', error); }; connection.onmessage = function(event) { console.log('WebSocket Msg ', event); } }); But the browser is refusing to accept the connection due to Content-security policy: Content Security Policy: The page's settings blocked the

i'am wondering about the quote from the specification: ( https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html ) To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker. Sourcing out all inline-script is a time heavy task. My question is from the security point of view. Do you really get any security benefit by extracting all inline-script (e.g. JavaScript) to external sources? Thank you The key

I have my single page app running on webpack-dev-server. I can load and reload my entry route over at localhost:8080 and it works every time. However i can load localhost:8080/accounts/login only via a link from within the app i.e whenever i reload localhost:8080/accounts/login from the browser refresh button i get Cannot GET /accounts/login/ as the server response, and on the console i get Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src http://localhost:8080 ”). Source: ;(function installGlobalHook(window) { .... This is my CSP header on