content-security-policy

Content-Security-Policy object-src blob

早过忘川 submitted on 2019-12-01 14:56:05
When using a content-security-policy and I try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL, I get an error like the following: Refused to load plugin data from 'blob:http%3A//localhost%3A7000/f59612b8-c760-43a4-98cd-fe2a44648393' because it violates the following Content Security Policy directive: "object-src blob://*" With a content security policy that restricts object-src or otherwise default-src, one can reproduce the issue (with jQuery for convenience) like this: blob = new Blob( ["%PDF-1.\ntrailer<</Root<</Pages<</Kids[<</MediaBox[0 0 3 3]>>]>>>>>>"], { type:

content security policy error, but meta-tag includes URL

荒凉一梦 submitted on 2019-12-01 14:21:26
Why am I receiving errors like this? Refused to load the script 'http://maps.googleapis.com/maps/api/js?v=3&sensor=false' because it violates the following Content Security Policy directive: "script-src 'self' *.googleapis.com 'unsafe-inline' 'unsafe-eval'". My meta-tag: <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' *.googleapis.com 'unsafe-inline'; script-src 'self' *.googleapis.com 'unsafe-inline' 'unsafe-eval'"> Seems like I needed an explicit URI scheme. This works: <meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'self'

CSP unsafe-eval using Google Maps API

吃可爱长大的小学妹 submitted on 2019-12-01 10:33:48
Question: Getting a script-src 'unsafe-eval' error when trying to use the Google Maps API. <script src="https://maps.googleapis.com/maps/api/js?v=3.exp&sensor=false"></script> Here's the console error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' ' *.gstatic.com *.googleapis.com *.google-analytics.com *.google.com". You would think Google wouldn't have any unsafe

Java Server Faces and Content Security Policy?

不打扰是莪最后的温柔 submitted on 2019-12-01 05:43:04
I would like to use Content Security Policy for my JSF 2.1 based Web projects, as I think it could improve protection against XSS attacks significantly. Due to CSP's default behaviour of blocking all inline JavaScript, it basically breaks JSF's <f:ajax execute="input" render="output" /> functionality. This is because JSF generates lots of inline JavaScript code when using the above stated construct. Does anybody know if there is a way to use CSP in JSF based projects which make use of f:ajax without the need to allow inline JS by using the following CSP directive: Content-Security-Policy: default

Content-Security-Policy (CSP) workaround for internet explorer

房东的猫 submitted on 2019-12-01 05:10:28
We are building an ASP.NET website and want to allow only some domains to iFrame our website. CSP is not supported in Internet Explorer. I am setting something like Response.AddHeader("Content-Security-Policy", "frame-ancestors mydomain1.com mydomain2.com"). How is everyone handling this for Internet Explorer? I read IE supports X-Content-Security-Policy but it doesn't have frame-ancestors. Also I am removing the default X-Frame-Options header added by IIS by doing Response.Headers.Remove("X-Frame-Options"). The solution recommended by Microsoft is the following: internally, whitelist domain1

How to inject script into a page using bookmarklet if the Content Security Policy is enabled on the server?

不羁的心 submitted on 2019-11-30 23:32:30
I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, I am creating a script tag (with src as the jQuery URL) dynamically and appending it to the head tag. This works well for many sites. But there are a few sites, like Facebook, for which the bookmarklet is not able to inject the external JS file into the DOM. I came to know that this behaviour is because of the response header "Content Security Policy", which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS attacks. I have a genuine case to insert an external JS file

“Refused to load the script” error in chrome extension

本秂侑毒 submitted on 2019-11-30 18:46:46
Question: There are a lot of questions on SO similar to this one, however none of them solved my purpose. I'm creating a 'pinterest'-like Chrome extension. It injects a script on the webpage, collects images and then posts them somewhere. Everything is working perfectly, however when I run this on Pinterest itself, it gives me this error: Refused to load the script 'https://domain_name.com/my_script.js' because it violates the following Content Security Policy directive: "default-src 'self' https:// .pinterest.com