I have an error please let me know how to solve it
[ Unrecognized Content-Security-Policy directive ''self''. ]
[ The Content Security Policy directive 'default-src' contains 'style-src' as a source expression. Did you mean 'default-src ...; style-src...' (note the semicolon)? ]
The code used is
Header set Content-Security-Policy "default-src style-src 'unsafe-inline'; 'self';"
Related
I was using manifest version 2 and everything was fine, But unfortunately, version 2 is no longer after 2023. So I've decided to migrate to the version3.
I was defining content_security_policy as below:
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com;
object-src 'self'"
and now I'm trying to set it as below
"content_security_policy":{
"extension_pages" : "script-src 'self' https://ssl.google-analytics.com;
object-src 'self'"
}
But I got this error:
Refused to load the script 'https://ssl.google-analytics.com/ga.js' because it
violates the following Content Security Policy directive: "script-src 'self'". Note
that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
How can I solve this?
The content security policy value in my chrome extension manifest version 2 is:
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
Now, i need to migrate to manifest version 3. To do so, I wrote the content security policy value in the following way:
"content_security_policy": { "extension_pages": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'", "sandbox": "..." }
But when I try to run the extension, the manifest is not loaded and I get the following error
'content_security_policy.extension_pages': Insecure CSP value "https://ssl.google-analytics.com" in directive 'script-src'.
Can someone please guide me how can I fix the issue ?
Thanks for any help in advance.
I'm setting up a content security policy in report-only mode. When I test it, Google Chrome gives this error:
The Content Security Policy 'default-src 'self'; script-src 'self' 'unsafe-inline' https: //use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; font-src https: //use.typekit.com; style-src 'self' 'unsafe-inline' https: //use.typekit.com; frame-src https: //www.youtube.com;' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
Here is my full Content Security Policy, I define the HTTP header in a header PHP file for the website:
header("Content-Security-Policy-Report-Only: default-src 'self';
script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com;
font-src https://use.typekit.com;
style-src 'self' 'unsafe-inline' https://use.typekit.com;
frame-src https://www.youtube.com;
report-uri /csp-violations-report-endpoint;
");
I have a folder in the web root directory: csp-violations-report-endpoint, with a single index.php file inside of it to handle the violation.
I'm not sure what I'm doing wrong. I've read MDN's suggestions for report-uri and used Google's example to write my report-uri directive.
Should I try pointing the report-uri to a script in the root directory? Should I try letting it log on its own, or do I need a parser to handle it? Could there be something wrong with my script? (I can include that if it would be of help)
Edit: It may be possible that my web browser is ignoring the report-uri directive (since it's deprecated) and is expecting the report-to directive, and that is why it's not working but the error message leads me to believe that isn't the case.
I might be completely off base, but, if you're using the code exactly as pictured above, then you are likely sending a bunch of invalid headers. HTTP Headers have to exist on a single line, and yours does not. Try this:
header(
"Content-Security-Policy-Report-Only: default-src 'self'; " .
"script-src 'self' 'unsafe-inline' https://use.typekit.com https://js.hs-analytics.net https://google-analytics.com https://ajax.googleapis.com; " .
"font-src https://use.typekit.com; " .
"style-src 'self' 'unsafe-inline' https://use.typekit.com; " .
"frame-src https://www.youtube.com; " .
"report-uri /csp-violations-report-endpoint; "
);
i try to load some web fonts from webtype but on Firefox/Mac i always geht an Access-Control-Allow-Origin-Error.
htaccess:
Header set Access-Control-Allow-Origin "*"
base href is also set:
<base href="http://XXX.XXX.ch">
Error: CORS-Header 'Access-Control-Allow-Origin' missing
Any idea to solve the problem?
thanks
thomas
After many hours of research and tinkering, I've finally managed to get backbone.js routes working, with one exception:
If I enter "/workingdir/routepath" - everything is great and it uses the 'routpath' route, however if I enter "/workingdir/routepath/" or "/workingdir/routepath/asdf" or anything similar, my website breaks and I get errors that look somewhat like this:
Resource interpreted as Stylesheet but transferred with MIME type text/html: "http://example.com/staging/personal/css/style.css". fj:5
Resource interpreted as Script but transferred with MIME type text/html: "http://example.com/staging/personal/scripts/jquery-1.7.2.min.js". fj:6
Uncaught SyntaxError: Unexpected token < jquery-1.7.2.min.js:1
Resource interpreted as Script but transferred with MIME type text/html: "http://example.com/staging/personal/scripts/nav.js". fj:6
Resource interpreted as Script but transferred with MIME type text/html: "http://example.com/staging/personal/scripts/underscore-min.js". fj:6
Uncaught SyntaxError: Unexpected token < underscore-min.js:1
Resource interpreted as Script but transferred with MIME type text/html: "http://example.com/staging/personal/scripts/backbone-min.js". fj:6
Uncaught SyntaxError: Unexpected token < backbone-min.js:1
Uncaught SyntaxError: Unexpected token <
And the page has no styling whatsoever. I think the issue is coming from the slash in the URL, making the paths for css and js files point to the wrong location (they should be in "staging/css/" and "staging/scripts/", but as the log indicates, it's looking for "staging/personal/xxx").
Any ideas on how to fix this? Thank you for your time!
Relative path references will be resolved differently depending on whether the request URI has a trailing slash or not. I imagine that's what's causing your problem. Consider these links:
<!-- Relative path references -->
<link href="staging/css/style1.css">
<link href="./staging/css/style2.css">
<!-- Absolute path reference -->
<link href="/workingdir/staging/css/style3.css">
This is how those paths will be resolved depending on the request URI:
REQUEST_URI = /workingdir/routepath
/workingdir/staging/css/style1.css
/workingdir/staging/css/style2.css
/workingdir/staging/css/style3.css
REQUEST_URI = /workingdir/routepath/
/workingdir/routepath/staging/css/style1.css
/workingdir/routepath/staging/css/style2.css
/workingdir/staging/css/style3.css
So if you want the ability to make the request with a trailing slash or additional segments, you'll want to use an absolute path reference.
Just to share with others having this issue. I had the same problem, but now with a different solution. These additions to .htaccess didn't work out initially:
AddType application/x-javascript .js
AddType text/css .css
AddType text/javascript .js
AddType text/css .css
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType application/woff .woff
AddType font/woff .woff
AddType font/opentype .woff
AddType application/x-font-woff .woff
AddType application/vnd.ms-fontobject .eot
AddDefaultCharset UTF-8
Options -Indexes
Finally, I realized that while my path below worked on localhost, the CASE-sensitive server did not accept the path
\js\prettyPhoto\js\jquery.prettyPhoto.js
instead of
\js\prettyphoto\js\jquery.prettyPhoto.js
The CAPITAL p was making all those errors! It might be too, for your case, since you have "Uncaught SyntaxError: Unexpected token < " and "Resource interpreted as Stylesheet but transferred with MIME type text/html:"
Let me know if it help : )