content-security-policy

content-security-policy meta tag for allowing web socket

爱⌒轻易说出口 submitted on 2020-01-14 08:45:08
Question: Situation: autoreload of phonegap serve blocked by content-security-policy meta tag. Adding a content security policy prevents auto-reload of the phonegap serve utility. This is built on top of cordova serve but auto-reloads the app on file editing. It works by injecting socket.io in index.html. What should I specify in my CSP meta tag that will allow socket connections to my laptop? Here is my current CSP meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self' 192.168.0

Content Security Policy: The page's settings blocked the loading of a resource at self?

本秂侑毒 submitted on 2020-01-14 07:24:29
Question: I have a Java-based web application running on Tomcat 6. My application is running on localhost and port 9001. To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from the same domain. For other resources it continues to load in the same fashion as it did without this header. But I

CSP: child-src and frame-src deprecated

穿精又带淫゛_ submitted on 2020-01-12 19:05:29
Question: In CSP v2 frame-src was deprecated. child-src is recommended to use instead. In CSP v3 frame-src is undeprecated and child-src is deprecated. Currently (Sep 2017) Chrome: The 'child-src' directive is deprecated and will be removed in M60, around August 2017. Please use the 'script-src' directive for Workers instead. So what's the correct collection of directives to work in modern (minus 2 versions) browsers? Looks like frame-src + script-src is enough? But what should be in script-src then? PS:

Adding google fonts (fonts.googleapis.com) to CSP header

只愿长相守 submitted on 2020-01-12 09:44:41
Question: I am hosting a personal project on GitHub Pages, and using Cloudflare to enforce HTTPS. Now I would like to implement a CSP policy. I tried adding a meta tag to the head of my page: <meta HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'self' *.fonts.googleapis.com/* *.cloudflare.com/* *.fonts.googleapis.com/*;"> But I am getting the following error: Refused to load the stylesheet 'https://fonts.googleapis.com/icon?family=Material+Icons' because it violates the following Content

Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?

南楼画角 submitted on 2020-01-12 06:50:13
Question: I'm currently adding the Content Security Policy (CSP) header to our application. I'm wondering which files the header must be attached to. After some research, I did not find a clear answer to it. Twitter, e.g., only added it to the actual HTML document. Facebook, however, added it to almost every resource as well as the HTML document (HTML, JS, CSS, etc.). So, is it necessary to add the Content Security Policy header to each served resource file or only to the HTML document? How does it work

Allow loading HTTP resources over HTTPS

橙三吉。 submitted on 2020-01-09 11:10:30
Question: Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP; how can I do this? Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites, but I don't exactly know how I can do this. Can someone give me a solution? Answer 1: There is no solution. Modern browsers will deny using non-https resources in pages served by https because you effectively undermine the security model of https this way. CSP will not help because it