content-security-policy

We're working on creating a strict Content Security Policy ( https://csp.withgoogle.com/docs/strict-csp.html ) which necessitates Apache creating a nonce each time a resource is requested, so that we can insert this nonce into the http header. How can we create a nonce with Apache 2.4? All of the CSP related documentation I've read says something to the effect of "A nonce is just a random string that's generated on the server, included in the CSP header..." but haven't found any info on how to do this with Apache. We could of course do this with app code, but doing it via Apache seems like a

I am making a google chrome extension where I want to use google maps. The problem is that when I run my script then it gives me this error Refused to load script from 'https://maps.googleapis.com/maps/api/js?key=XXXXXXXXXXXXXXXX&sensor=false' because of Content-Security-Policy. Here is my manifest file { "name": "Name", "version": "1.0", "manifest_version": 2, "background": { "scripts": [ "js/script.js" ] }, "description": "Desc", "browser_action": { "default_icon": "images/icon.png", "default_title": "Title", "default_popup": "html/popup.html" }, "permissions": [ "http://*/", "http://*

So, in about 1 hour my extensions failed hard. I was doing my extension and it was doing what I pretended. I made some changes, and as I didnt liked I deleted them, and now my extension is throwing error: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. What causes this error? I made my changes in: popup.html <!DOCTYPE html> <html ng-app="PinIt" ng-csp> <head> <link rel="stylesheet" href="css/popup.css"> <script src="js/lib/jquery-1.8.2

I'm trying to make reCAPTCHA work along with a strict Content Security Policy. This is the basic version I have, which works correctly: HTML <script src='//www.google.com/recaptcha/api.js' async defer></script> HTTP Headers Content-Security-Policy: default-src 'self'; script-src 'self' www.google.com www.gstatic.com; style-src 'self' https: 'unsafe-inline'; frame-src www.google.com; However, I would like to get rid of the unsafe-inline in the style-src section. On the documentation , it is written that: We recommend using the nonce-based approach documented with CSP3. Make sure to include your

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks. It's not secure at all, but as staring point the real allow all policy is: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline'; See: https://content-security-policy

This is relative an Chrome extension. I am trying a simple one which uses the Google Chart API I have this code in my html document "popup.html", which is loaded on the click on the Icon. <!doctype html> <html> <head> <script type="text/javascript" src="js/libs/jquery-1.8.0.min.js"></script> <script type="text/javascript" src="js/popup.js"></script> <script type="text/javascript" src="http://www.google.com/jsapi?key=xxxxxxxxxxx"></script> [...] </body> </html> I get the following message: Refused to load the script 'http://www.google.com/jsapi?key=xxxxxxxxxxx' because it violates the following

I upgraded my ember-cli app to 0.0.47 and am now getting a bunch of errors in my browser console related to the content security policy. How do I fix this issue? Refused to load the script 'http://use.typekit.net/abcdef.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". login:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' localhost:35729". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required