content-security-policy

Google Analytics and Content-Security-Policy header

对着背影说爱祢 submitted on 2019-11-28 09:08:45
The Content-Security-Policy HTTP header is meant to block inline script and resources from untrusted servers. However, the sample Google Analytics code snippet depends on both. What are the best practices in this area? This is the Content-Security-Policy header that I'm currently using: default-src 'self'; script-src 'self' https://ssl.google-analytics.com; img-src 'self' http://www.google-analytics.com/__utm.gif https://ssl.google-analytics.com/__utm.gif; So far, I've done the following: I added two script tags to my html: <script src="/js/google-analytics.js"></script> <script src="https:/

Chrome Extension - Content Security Policy - executing inline code

只谈情不闲聊 submitted on 2019-11-28 06:56:22
I am using an external JavaScript lib in my chrome extension. It has inline execution, so I get the following kind of error (the error I get on console): Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension://". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. The error message clearly says there is a work-around possible. Chrome-Content Security Policy says not possible. Many related questions cited this link. Blog This blogger says it is

Chrome extension Content Security Policy directive error

本小妞迷上赌 submitted on 2019-11-28 06:53:16
I'm trying to make a radio stream chrome extension but there is a problem. When I run my script in the browser like normal JS+HTML+CSS it works, but when I try running it as a Chrome extension I get this error: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' chrome-extension-resource:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. After that I added this to my manifest: "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Secure way of inserting dynamic values in external JavaScript files

大憨熊 submitted on 2019-11-28 00:58:55
I'm implementing Content Security Policy headers using the following policy Content-Security-Policy: default-src 'self' so will need to avoid inline script because it will not execute. However, in the MVC application certain functionality such as editor templates use inline script. e.g. tinymce_jquery_full.cshtml contains $(function() { $('#@ViewData.TemplateInfo.GetFullHtmlFieldName(string.Empty)').tinymce({ ... What is a good way to include dynamic values in external .js files when using a CSP? My current thinking is one of two ways: C# Generated JavaScript Similar to the way JSONP works,

Can Content Security Policy be made compatible with Google Analytics and AdSense?

一个人想着一个人 submitted on 2019-11-27 22:26:13
Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear? I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page. Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default

google maps api script does load due to content security policy

微笑、不失礼 submitted on 2019-11-27 22:15:34
Question: I am making a google chrome extension where I want to use google maps. The problem is that when I run my script it gives me this error: Refused to load script from 'https://maps.googleapis.com/maps/api/js?key=XXXXXXXXXXXXXXXX&sensor=false' because of Content-Security-Policy. Here is my manifest file { "name": "Name", "version": "1.0", "manifest_version": 2, "background": { "scripts": [ "js/script.js" ] }, "description": "Desc", "browser_action": { "default_icon": "images/icon.png",

Google Adwords CSP (content security policy) img-src

亡梦爱人 submitted on 2019-11-27 20:29:06
What domains/protocols in the img-src directive of the Content-Security-Policy header are required to allow Google AdWords conversion tracking? From testing, when we call google_trackConversion , it looks like the browser creates an image with a src that follows a chain of 302 redirects between various domains... www.googleadservices.com -> googleads.g.doubleclick.net -> www.google.com -> www.google.co.uk The final .co.uk looks suspicious to me. As we're testing from the UK, we're concerned that tracking called from other countries will redirect to other domains. What is the complete list of

Content Security Policy: The page's settings blocked the loading of a resource

时光怂恿深爱的人放手 submitted on 2019-11-27 20:21:31
I am using captcha on page load but it is blocked because of some security reason. I am facing this problem: Content Security Policy: The page's settings blocked the loading of a resource at http://www.google.com/recaptcha/api.js?onload=myCallBack&render=explicit ("script-src http://test.com:8080 'unsafe-inline' 'unsafe-eval'"). I have used the following js and meta tag: <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"> <script src="http://www.google.com/recaptcha/api.js?onload=myCallBack&render

Jenkins Content Security Policy

橙三吉。 submitted on 2019-11-27 18:01:13
I'm confused about the Jenkins Content Security Policy. I know these sites: Configuring Content Security Policy Content Security Policy Reference I have an html page shown via the Jenkins Clover Plugin. This html page uses inline style, e.g.: <div class='greenbar' style='width:58px'> The div-element visualizes a progressbar. Using the default Jenkins CSP configuration leads to the following result: Progressbar_FAIL The result I want to have looks like this: Progressbar_WORKS I tried to relax the CSP rules, adding different combinations of parameters (script-src, style-src) with different levels (self,

reCAPTCHA with Content Security Policy

偶尔善良 submitted on 2019-11-27 13:56:02
Question: I'm trying to make reCAPTCHA work along with a strict Content Security Policy. This is the basic version I have, which works correctly: HTML <script src='//www.google.com/recaptcha/api.js' async defer></script> HTTP Headers Content-Security-Policy: default-src 'self'; script-src 'self' www.google.com www.gstatic.com; style-src 'self' https: 'unsafe-inline'; frame-src www.google.com; However, I would like to get rid of the unsafe-inline in the style-src section. On the documentation, it is