Content Security Policy: Refused to load image - .htaccess

I'm getting the following Content Security Policy error:
Refused to load the image https://www.xy.de/images/icons/shirt.png because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
I want to fix this error with the use of my .htaccess file. I tried to set the header like that:
<IfModule mod_headers.c>
Header always set Content-Security-Policy "script-src 'none'; img-src 'self' data:"
</IfModule>
This shows no effect, I still get the same CSP-error. What would be the correct way to set up the header?

Based on your input and the error message you are likely trying to add a CSP to a page that already has one. Adding another policy won't make the existing one less strict. The existing policy can be found in a response header or a meta tag. You need to identify the policy and where it is set and modify that one. Alternatively you can remove it and use the one you have shown above.
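The following sketch is an added example, not code from the original post. It shows why a second header cannot loosen the first: a load must pass every policy, and `img-src` falls back to `default-src` within each one. The page origin `https://shop.example` and the `ADDED` policy are constructed, and the source matching is deliberately simplified.

```javascript
// Simplified CSP source matching: handles 'self', '*', scheme sources (data:) and
// exact origins only. Enough to show that multiple policies intersect.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === '*') return /^https?:$/.test(target.protocol);
  if (source === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline' never match a URL
  try { return new URL(source).origin === target.origin; } catch { return false; }
}

function policyAllowsImage(policyText, url, pageOrigin) {
  const directives = parsePolicy(policyText);
  // img-src falls back to default-src; with neither, the policy does not restrict images.
  const sources = directives.get('img-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// A load must be allowed by every policy delivered with the document.
function imageAllowed(policies, url, pageOrigin) {
  return policies.every((p) => policyAllowsImage(p, url, pageOrigin));
}

const PAGE = 'https://shop.example';                    // constructed page origin
const IMG = 'https://www.xy.de/images/icons/shirt.png'; // URL from the error message
const EXISTING = "default-src 'self' 'unsafe-inline'";  // policy from the error message
const ADDED = "script-src 'none'; img-src 'self' https://www.xy.de data:"; // constructed

console.log(imageAllowed([EXISTING], IMG, PAGE));        // existing policy alone
console.log(imageAllowed([ADDED], IMG, PAGE));           // added policy alone
console.log(imageAllowed([EXISTING, ADDED], IMG, PAGE)); // both headers present
```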

Related

Directus: Content Security Policy error - frame-src blocked when embedding a YouTube video

I'm using Directus with editorjs extension and trying to embed a YouTube video, but I'm encountering a Content Security Policy error that is blocking the frame-src. The error message I'm getting is:
"Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)."
I've tried adding the following setting in my .env file:
CONTENT_SECURITY_POLICY_DIRECTIVES__FRAME_SRC="array:'self', 'https://www.youtube.com'"
But I'm still encountering the same error.
There is likely a Content Security Policy present on your page, and adding another one can only make it stricter, not loosen any of the directives. First you'll likely need to locate the existing CSP, likely in a response header, find how it is set and modify it.
To fix the inline script violation you will need to add the hash of the inline script (some browsers will tell you the hash), add a nonce to the script, refactor it into a file or resort to adding 'unsafe-inline'. You should add your chosen source to script-src.
You should also add www.youtube.com to frame-src and/or child-src (frame-src will use a fallback to child-src in CSP level 3 and to default-src in CSP level 2).
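An added example, not part of the original answer: one way to generate the hash sources mentioned above for every inline script on a page and place them in `script-src`, with YouTube allowed in `frame-src`. It assumes Node.js; the sample HTML, `initEditor()` and all function names are constructed.

```javascript
const { createHash } = require('crypto');

// Hash source for one inline script body. The digest covers the exact text between
// <script> and </script>, so any whitespace change produces a different hash.
function cspHash(scriptText, algo = 'sha256') {
  const digest = createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Collect one hash per distinct inline <script> in an HTML string. Scripts with a
// src attribute are skipped: they are matched by URL or nonce, not by inline text.
// A regex is enough for this constructed sample; use an HTML parser on real pages.
function inlineScriptHashes(html) {
  const hashes = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs)) continue;
    hashes.push(cspHash(body));
  }
  return [...new Set(hashes)];
}

// Build the two directives discussed above from the page content.
function buildPolicy(html) {
  const scriptSrc = ["'self'", ...inlineScriptHashes(html)].join(' ');
  return `script-src ${scriptSrc}; frame-src 'self' https://www.youtube.com`;
}

// Constructed sample page: one external script, three inline scripts (two identical).
const SAMPLE = `<html><body>
<script src="/app.js"></script>
<script>initEditor();</script>
<script>initEditor();</script>
<script> initEditor(); </script>
</body></html>`;

console.log(buildPolicy(SAMPLE));
```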

How can I resolve this Content Security Policy error?

When I run my Node index file, I'm getting this error in the browser:
Refused to load the image 'http://localhost:3000/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
Can anyone help me resolve this error?
The most basic approach to solve this issue is not to send a Content-Security-Policy response header if the client requests /favicon.ico.
However, depending on your specific use case there might be better solutions, e.g. setting img-src 'self' for the file or all static images below the root path.
In all cases you should return an HTTP 404 Not Found status code if you don't have a /favicon.ico.

IIS custom header "Content-Security-Policy" is overwritten

I currently have an issue with a SharePoint web application, where all websites return a response header content-security-policy: default-src 'self'; object-src 'none'; form-action 'self', which breaks the website's view in Chrome or Firefox, as styles won't be applied and JavaScript won't be executed.
Console-Log
Refused to execute inline script because it violates the following Content Security Policy directive: default-src 'self'.
Either the 'unsafe-inline' keyword, a hash ('sha256-WFRyoBrQbrYtLpGIdyBszDzxQni3b0V/wUirab0OhKM='), or a nonce ('nonce-...') is required to enable inline execution.
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The problem only occurs if the websites are addressed using HTTPS. I already checked the HTTP Response Headers in IIS. content-security-policy is not specified. If I add it myself, it gets overwritten and is not sent in the response header. There are only two solutions installed, which do not mess with the response headers.
Does anyone have an idea what else could change the custom response header and overwrite the one defined in the web.config? Or is there another way to change the Content-Security-Policy?
I tested changing the IIS Response Headers by configuring the "CustomHeaders"-section in the web.config, by writing custom IIS modules, which modified the headers using the request lifecycle, and also by writing additional rules with the URL Rewriting tool. Nothing worked...
In the end we found out that someone had extended the firewall, which from then on added a new header and overwrote my changes to the HTTPS response. Mystery solved :)
In my case, I was asked by the Network and Information Security Team to add the Content-Security-Policy: default-src 'self'; header to my IIS 8.5 SharePoint Server 2016 Publishing website. This affects all the system pages: the browser refuses to execute the scripts, and in the console we got this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-HU8dCwZsqh4m8QG0y6qanyzPx1d6YSGHuAN0QXmxZvw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
I then changed the header to Content-Security-Policy: frame-ancestors 'self'; and it resolved the issue.
I actually got this from JohnC's answer, which helped me resolve the issue.

CSP form-action directive override not working in Chrome

I need to relax the CSP (Content Security Policy) in Chrome to enable a redirect with some get parameters to the Azure login page. When processing such redirects Chrome applies policy restrictions related to form submissions. The default policy in such cases amounts to
<meta http-equiv="Content-Security-Policy" content="form-action 'self' javascript:"/>
In this case the redirect to https://login.microsoftonline.com/... won't work. The MDN says that you can expand the list of allowed destinations, which I tried like so:
<meta http-equiv="Content-Security-Policy" content="form-action 'self' https://*.microsoftonline.com javascript:"/>
It appears to have no effect at all, as I still get the same error on the console:
Refused to send form data to 'https://login.microsoftonline.com' because it violates the following Content Security Policy directive: "form-action 'self' javascript:"
Note also that playing with the order of the attributes or removing the javascript: part does help. However, removing the self part is evidently paid some attention to by Chrome as in this case I'm not able to send data back to the origin. It is almost like they let you tighten up the policy but not relax it.
Any help will be greatly appreciated.
I think that it is caused because form-action (according to the documentation):
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of a form submissions from a given context.
Maybe you could try the default-src directive:
default-src
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives.
Hope it helps!
Do not include the protocol (https) and I think it will work.

HTML Header Content Security Policy not reporting to file

After reading an introduction to CSP and the CSP website I wanted to get a feedback log of CSP breaches on my website.
So, I set up a header in my .htaccess as defined in the links above:
Header set Content-Security-Policy "default-src 'self' https://www.google-analytics.com https://www.jscache.com;"
This works, but for various reasons there are other entities that are still being blocked, so I want to setup a CSP report. Again, something that is clearly explained in the documents linked above.
And back to my .htaccess I replace the line with:
Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp_report_parser.txt;"
Which I want to report all the non-self requests into a file, /csp_report_parser.txt. I have created this file in the same place as the .htaccess, but the file fails to be populated, despite feedback from Firebug stating:
Content Security Policy: The page's settings observed the loading of a resource at https://www.google-analytics.com/analytics.js ("default-src http://mywebsite"). A CSP report is being sent.
and many of these each time stating "A CSP report is being sent". The file this report should be sent to exists and I have given permissions 777 yet the file remains blank.
What have I missed to make this reporting feedback into the file stated?
I have also tried specifying an absolute URL to report to, such as:
Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri http://mywebsite/csp_report_parser.txt;"
But again, this file on my domain remains blank despite browser firebug statements as above.
While I was expecting a data dump in a JSON format, what I actually needed was to process the passed data to be dumped first, using the PHP json_decode function, before saving the data to the file.
$data = json_decode(file_get_contents('php://input'), true);
file_put_contents('csp_report_parser.txt',print_r($data,true),FILE_APPEND);
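An added example, not part of the original post and written in JavaScript (Node.js) rather than the PHP above: the report body comes from whatever page the browser is rendering, so a receiver should validate it before logging. The field whitelist, size limits, function names and sample body are assumptions made for this sketch.

```javascript
const MAX_BODY = 16 * 1024; // reports are small; reject anything larger
const FIELDS = ['document-uri', 'violated-directive', 'effective-directive',
  'blocked-uri', 'source-file', 'line-number'];

// Replace control characters and cap length so one value stays on one log line.
function clean(value) {
  return String(value).replace(/[\u0000-\u001f\u007f]/g, ' ').slice(0, 512);
}

// Parse the body a browser POSTs to report-uri: {"csp-report": {...}}.
// Returns an object holding only the whitelisted fields, or null if malformed.
function parseCspReport(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > MAX_BODY) return null;
  let json;
  try { json = JSON.parse(rawBody); } catch { return null; }
  const report = json && json['csp-report'];
  if (!report || typeof report !== 'object' || Array.isArray(report)) return null;
  const out = {};
  for (const field of FIELDS) {
    if (report[field] !== undefined) out[field] = clean(report[field]);
  }
  return Object.keys(out).length ? out : null;
}

// One JSON object per line, ready to append to a log file; null means "discard".
function toLogLine(rawBody, now = new Date()) {
  const report = parseCspReport(rawBody);
  return report ? JSON.stringify({ time: now.toISOString(), ...report }) + '\n' : null;
}

// Constructed report body shaped like a browser report for the policy above,
// plus one unexpected field that must not reach the log.
const SAMPLE_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://mywebsite/',
    'violated-directive': "default-src 'self'",
    'blocked-uri': 'https://www.google-analytics.com/analytics.js',
    'injected': 'x\nfake log line',
  },
});

console.log(toLogLine(SAMPLE_BODY));
```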
