I'm new to Content-Security-Policy headers, and I've been trying to define our policy to get our app working correctly.
I'm a Google Chrome user, and under Google Chrome, everything seems to be fine. But, under Firefox or Edge, I see something like this:
CSP14309: Unknown directive 'script-src-elem' in Content-Security-Policy - directive will be ignored.
Why would script-src-elem be unknown in Edge and Firefox, but work correctly in Google Chrome?
What, exactly, is script-src-elem?
Help?
This is a new CSP 3 policy that has so far only been implemented in Chrome, and a handful of smaller browsers (e.g. Opera).
See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem#Specifications
All the css hashes were added to the CSP (in index.html), also using 'unsafe-hashes' but they are still reported in browser console.
Chrome console vs. index.html file
How can I fix this so that the browser will not refuse to apply these styles?
I'm trying to load my content into an IFrame, so I implemented the Content-Security-Policy header: Content-Security-Policy: frame-ancestors http://*.example.com/abc.html.
I am able to load the content on iframe when I give the header as
Content-Security-Policy: frame-ancestors http://*.example.com/.
But when I change the header to:
Content-Security-Policy: frame-ancestors self http://*.example.com/abc.html.
then the content on iframe is getting loaded for the first time but gives below error when I refresh the web page
Refused to display 'https://....' in a frame because an ancestor violates the following Content Security Policy directive: frame-ancestors self http://*.example.com/abc.html.
Can anyone tell me why it's giving an error on refreshing the page?
Also, does frame-ancestors consider the full URL (http://.example.com/abc.html) or only the hostname, like http://.example.com?
Chrome browser has a bug - it does not support paths in the frame-ancestors directive. Safari has the same bug, and only the latest Firefox supports paths in this directive.
So for frame-ancestors, instead of http://.example.com/abc.html you have to use the host-source http://.example.com.
For other directives you can use paths and filenames.
Without a working example it is hard to know exactly what the problem is. But based on the specification, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, some adjustments to your CSP can be advised:
Remove the path; using more than the scheme, host and port is not according to the specification.
Use the expected scheme (http/https) or remove the scheme.
Use wildcard https://*.example.com, not just https://.example.com
Use 'self', not self
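The four adjustments above, written as a small linter. This is an added example, not code from either answer: it takes a frame-ancestors value, reports each problem, and emits a corrected directive. frame-ancestors accepts only 'self', 'none', scheme-sources and host-sources, so anything else is dropped. The function name and the wording of the findings are this example's own.

```javascript
// Added example: lint a frame-ancestors value against the advice above.
// Source grammar (simplified): [scheme://]host[:port][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\*|\d+))?(\/.*)?$/i;
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;          // e.g. "https:"

// Returns { findings: [...], directive: "frame-ancestors ..." }.
function lintFrameAncestors(value) {
  const findings = [];
  const fixed = [];
  for (const raw of value.trim().split(/\s+/).filter(Boolean)) {
    const lower = raw.toLowerCase();
    if (lower === 'self' || lower === 'none') {            // keywords must be quoted
      findings.push(`${raw}: keyword must be quoted as '${lower}'`);
      fixed.push(`'${lower}'`);
      continue;
    }
    if (lower === "'self'" || lower === "'none'") { fixed.push(lower); continue; }
    if (raw.startsWith("'")) {                             // 'unsafe-inline', nonces, hashes
      findings.push(`${raw}: has no meaning in frame-ancestors; dropped`);
      continue;
    }
    if (SCHEME_SOURCE.test(raw)) { fixed.push(lower); continue; }
    const m = HOST_SOURCE.exec(raw);
    if (!m) { findings.push(`${raw}: not a valid source expression; dropped`); continue; }
    let [, scheme, host, port, path] = m;
    if (path) findings.push(`${raw}: path "${path}" is not matched for frame-ancestors; host only`);
    if (host.startsWith('.')) {                            // "https://.example.com" has no wildcard
      findings.push(`${raw}: host "${host}" is missing the wildcard; using *${host}`);
      host = '*' + host;
    }
    if (scheme) findings.push(`${raw}: scheme restricts ancestors to ${scheme}: (http: also matches https:); drop it to allow both`);
    fixed.push((scheme ? scheme.toLowerCase() + '://' : '') + host.toLowerCase() + (port ? ':' + port : ''));
  }
  if (fixed.length === 0) {                                // an empty list would be equivalent to 'none'
    findings.push("no usable sources; falling back to 'none'");
    fixed.push("'none'");
  }
  return { findings, directive: `frame-ancestors ${fixed.join(' ')}` };
}

// The header from the question (constructed input):
const result = lintFrameAncestors('self http://*.example.com/abc.html');
for (const f of result.findings) console.log('warning:', f);
console.log(result.directive);
```

Run it with node; the question's value produces three warnings (unquoted self, a path, an explicit scheme) and the directive `frame-ancestors 'self' http://*.example.com`. Whether the corrected value actually lets the page frame itself still has to be checked in the browser console, since the linter knows nothing about which ancestor is doing the framing.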
I am porting my chrome extension to Safari. The extension requires the user to sign-in and I use the OAuth code flow, which requires a redirect url.
In Chrome, I can use chrome.runtime.getURL('/mypage.html') as a redirect url because in chrome the extension id is never changed.
In Safari, however, the extension id keeps changing in every (Xcode) build. This is similar to the behaviour of Firefox, but in Firefox I can use browser.identity.getRedirectURL(). Although it is not reachable, it is guaranteed to stay the same.
As in Safari there is NO browser.identity and safari-web-extension://<extension-id> is blocked by Safari, what URL can I use as a redirect URL?
Please see my reply at the apple forum: https://developer.apple.com/forums/thread/670165?answerId=661186022#661186022
Excerpted from my reply on the Apple Forum:
As a workaround, you may use whatever reachable URL as an OAuth redirect URL and use webRequest.onBeforeRedirect to capture the redirect attempt and 'force redirect' e.g. by tabs.update.
Although this will work, it is far from being elegant. It could even be error-prone. While Firefox offers a decent solution for this, why can't / doesn't Safari? This could be a Safari bug or need a change request on Safari.
I haven't heard anything from Apple (as usual).
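The workaround described in that answer, as an added example that is not the poster's code: a WebExtension background script that watches for the provider's redirect to a placeholder URL, pulls out the authorization code, and replaces the navigation with tabs.update. The placeholder REDIRECT_URI, LANDING_PAGE, the provider pattern and the function names are this example's own; `code` and `state` are the standard OAuth authorization-code parameters. The parsing lives in a pure function so its checks can be run outside a browser; only registerRedirectCapture touches extension APIs (webRequest.onBeforeRedirect and tabs.update).

```javascript
// Added example: capture an OAuth redirect with webRequest.onBeforeRedirect.

// Any reachable URL you control. The navigation to it is observed and replaced
// before the page loads, so it does not need to serve anything useful.
const REDIRECT_URI = 'https://example.com/oauth/callback';
const LANDING_PAGE = 'https://example.com/signed-in';

// Returns { code } when `redirectUrl` is our redirect URI carrying a code for the
// pending flow, otherwise { error }. Matching origin and path exactly (not as a
// prefix) and checking `state` keeps a forged or replayed redirect from handing
// the extension someone else's code.
function extractAuthCode(redirectUrl, expectedState) {
  let url;
  try { url = new URL(redirectUrl); } catch (e) { return { error: 'unparseable redirect' }; }
  const want = new URL(REDIRECT_URI);
  if (url.origin !== want.origin || url.pathname !== want.pathname) return { error: 'not our redirect URI' };
  const q = url.searchParams;
  if (q.get('error')) return { error: `provider error: ${q.get('error')}` };
  if (!expectedState || q.get('state') !== expectedState) return { error: 'state mismatch' };
  const code = q.get('code');
  return code ? { code } : { error: 'no code in redirect' };
}

// `api` is `browser` or `chrome`; `providerPattern` is a match pattern for the
// provider's authorize endpoint (the response that carries the redirect);
// `getPendingState` returns the state stored when the flow was started;
// `onCode` receives the authorization code for the token exchange.
function registerRedirectCapture(api, providerPattern, getPendingState, onCode) {
  api.webRequest.onBeforeRedirect.addListener(
    (details) => {
      const result = extractAuthCode(details.redirectUrl, getPendingState());
      if (!result.code) return;                // unrelated redirect, or a failed check
      onCode(result.code);
      // "force redirect": send the tab somewhere we control instead of the placeholder
      api.tabs.update(details.tabId, { url: LANDING_PAGE });
    },
    { urls: [providerPattern], types: ['main_frame'] }
  );
}

// In the extension's background script this would be wired as (constructed names):
// registerRedirectCapture(browser, 'https://auth.example.com/*', () => pendingState, exchangeCode);
```

The manifest needs the `webRequest` permission plus host permission for the provider's authorize endpoint, or the listener never fires. The state value should be generated fresh per sign-in and stored in extension storage before the authorize tab is opened; a redirect without the matching state is dropped rather than used.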
I have a strange problem with one server (Hosting company is etisalat in UAE). The website is not loading external scripts (also google fonts) or background images and some javascript.
The error I get in console is like:
"Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic (“default-src http://riviera.ae http://googleapis.com”)"
I've tried adding the following to the <head> section:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'">
But still it does not load it. The images and other things work well in Internet Explorer (but XHR gives an error; I haven't tested it completely).
Also tried the following in .htaccess
Header set Content-Security-Policy "default-src 'self' googleapis.com; script-src 'self' www.googleapis.com;"
Hope it's not against Stack Overflow policies to share the link of the domain (riviera.ae). Thanks for checking it out.
NB: I tried putting the same application in another server (*nix based systems with apache 2+) and it works fine.
Even a phpinfo() gives the output in plain text (No PHP logo is shown nor the table styles are rendered).
I got it working by putting "Header unset Content-Security-Policy" in the .htaccess file. Have to add other directives to make it secure though.
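An added example, not code from either answer, that models the two CSP rules behind this question and the script-src-elem question at the top of the page. First, a directive the browser does not recognise (script-src-elem in the Firefox and Edge of that question) is ignored, so the request falls back to the next directive in its chain: script-src-elem, then script-src, then default-src. Second, when several policies are delivered (the host's header plus a `<meta>` tag), a request has to be allowed by every one of them, which is why the permissive `<meta>` policy above could not loosen the server's default-src and only unsetting the header worked. Source matching here covers scheme, host (with the `*.` wildcard), port and path only, not the full CSP3 algorithm; the function names, sample policies and sample URLs are this example's own.

```javascript
// Added example: a simplified CSP evaluator showing directive fallback and
// the "every delivered policy must allow it" rule.

const ALL_DIRECTIVES = new Set(['default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'font-src', 'img-src', 'connect-src', 'frame-ancestors']);
// A browser that does not know script-src-elem, like the Firefox/Edge of the first question.
const NO_ELEM_BROWSER = new Set([...ALL_DIRECTIVES].filter(d => d !== 'script-src-elem'));

const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'script-src-attr': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
  'style-src-attr': ['style-src', 'default-src'],
  'frame-ancestors': [],   // never falls back to default-src
};

// "name values; name values" -> Map; a repeated directive name is ignored after its first use.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i;

function hostMatches(pattern, host) {
  pattern = pattern.toLowerCase(); host = host.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));   // *.x.com: subdomains only
  return pattern === host;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression allow `url` when the protected page is `page`?
function sourceMatches(expr, url, page) {
  if (expr === '*') return /^(https?|wss?):$/.test(url.protocol);
  if (expr === "'self'") return url.origin === page.origin;
  if (expr.startsWith("'")) return false;                  // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const want = (scheme || page.protocol.slice(0, -1)).toLowerCase();
  const got = url.protocol.slice(0, -1);
  if (got !== want && !(want === 'http' && got === 'https')) return false;   // http: also matches https:
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || defaultPort(url.protocol))) return false;
  if (path && !(path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path)) return false;
  return true;
}

// The directive that governs a request, given the directive names this browser
// understands; null means nothing governs it (the request is allowed).
function effectiveDirective(policy, directive, supported) {
  const chain = [directive, ...(FALLBACK[directive] || ['default-src'])];
  for (const name of chain) if (supported.has(name) && policy.has(name)) return name;
  return null;
}

function allowedByPolicy(policy, directive, url, page, supported) {
  const name = effectiveDirective(policy, directive, supported);
  return name === null || policy.get(name).some(e => sourceMatches(e, url, page));
}

// Every delivered policy (header and <meta>) must allow the request.
function allowedByAll(policies, directive, urlStr, pageStr, supported = ALL_DIRECTIVES) {
  const url = new URL(urlStr), page = new URL(pageStr);
  return policies.every(h => allowedByPolicy(parsePolicy(h), directive, url, page, supported));
}

// Constructed scenarios. 1: one header, with and without script-src-elem support.
const PAGE = 'http://riviera.ae/index.php';
const ELEM_POLICY = "script-src 'self'; script-src-elem 'self' https://cdn.example.com";
const SCRIPT = 'https://cdn.example.com/app.js';
// 2: the host's header plus the <meta> tag from the question, then a corrected header.
const HOST_HEADER = 'default-src http://riviera.ae http://googleapis.com';
const META_TAG = "default-src * 'unsafe-inline' 'unsafe-eval'";
const FIXED_HEADER = "default-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src https://fonts.gstatic.com";
const FONT_CSS = 'https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic';

console.log(allowedByAll([ELEM_POLICY], 'script-src-elem', SCRIPT, PAGE));                  // true
console.log(allowedByAll([ELEM_POLICY], 'script-src-elem', SCRIPT, PAGE, NO_ELEM_BROWSER)); // false
console.log(allowedByAll([HOST_HEADER, META_TAG], 'style-src-elem', FONT_CSS, PAGE));       // false
console.log(allowedByAll([FIXED_HEADER], 'style-src-elem', FONT_CSS, PAGE));                // true
```

Two practical consequences follow. A policy that relies on script-src-elem must also carry a script-src that is acceptable on its own, because a browser that ignores the newer directive silently enforces the older one. And a `<meta>` policy can only ever add restrictions; to relax a header set by the hosting provider you have to change or unset the header itself, as the answer did, and then send the directives you actually want (here `'self'` plus the two Google Fonts hosts rather than `*`).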
Content Security Policy specification says
The frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored.
So from my understanding if both Content-Security-Policy and X-Frame-Options headers are present, then X-Frame-Options should be ignored.
I have a web app with both headers, and it looks like Firefox 38 ignores the Content-Security-Policy header and uses the X-Frame-Options header instead.
My sample headers are:
Content-Security-Policy: frame-ancestors 'self' local.com *.local.com
X-Frame-Options: Allow-From http://local.com
I want my frame to be accessible from local.com and all subdomains. Local.com is just an example. If the X-Frame-Options header is present, then it allows just http://local.com, but if I remove it, then Firefox uses the Content-Security-Policy header and works fine for the domain and subdomains.
Does it mean that Firefox isn't implementing this part? Or it's just too new specification and Firefox doesn't implement it yet? Is there any other way to force Content-Security-Policy header usage?
I know that Chrome works fine with Content-Security-Policy and IE can work just with X-Frame-Options, but it looks like I can't combine both headers, as Firefox does not work the right way.
One possible way is to send X-Frame-Options just for IE, and Content-Security-Policy for all others, but is there a better way?
Thanks!
frame-ancestors only appeared in CSP Level 2 (see the changelog) so it's very likely that Firefox 38 just hasn't implemented it yet.
You can verify that quite easily by watching the JavaScript console - the browser will display warnings about each of the CSP directives it doesn't understand.
You can also download Firefox from the beta channel and see if it makes a difference, but obviously it won't help much if you just want to build an interoperable solution for a production website...
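One way to send both headers without the X-Frame-Options value contradicting frame-ancestors, as an added example that is not from the answer. The CSP header is static and lists the whole allowlist. ALLOW-FROM can name only a single origin, so it is derived per request from the embedder's Referer (the only hint a framed navigation carries) checked against the same allowlist, and is DENY otherwise. A Referer can be forged, but the browser still compares the ALLOW-FROM origin with the real top-level origin, so a forged Referer only earns a header that will not match the actual ancestor. The function names are this example's own and local.com is the question's placeholder domain.

```javascript
// Added example: frame-ancestors for CSP-aware browsers plus a per-request
// X-Frame-Options derived from the same allowlist.

const ALLOWED = ['local.com', '*.local.com'];
const FRAME_ANCESTORS = `frame-ancestors 'self' ${ALLOWED.join(' ')}`;

function hostAllowed(host) {
  host = host.toLowerCase();
  return ALLOWED.some(p => p.startsWith('*.') ? host.endsWith(p.slice(1)) : host === p);
}

// Origin of the page that is (claimed to be) framing us; null when absent,
// unparseable or opaque.
function embedderOrigin(referer) {
  if (!referer) return null;
  try {
    const origin = new URL(referer).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;
  }
}

// Returns the two headers to set on the framed response. ALLOW-FROM is only
// emitted for an origin the CSP would also accept; everything else gets DENY,
// so the fallback header fails closed rather than open.
function frameHeadersFor(referer, selfOrigin) {
  const origin = embedderOrigin(referer);
  const allowed = origin !== null && (origin === selfOrigin || hostAllowed(new URL(origin).hostname));
  return {
    'Content-Security-Policy': FRAME_ANCESTORS,
    'X-Frame-Options': allowed ? `ALLOW-FROM ${origin}` : 'DENY',
  };
}

// Minimal Node HTTP wiring (constructed); call it before sending the framed page.
function attachFrameHeaders(req, res) {
  const selfOrigin = `${req.headers['x-forwarded-proto'] || 'http'}://${req.headers.host}`;
  for (const [name, value] of Object.entries(frameHeadersFor(req.headers.referer, selfOrigin))) {
    res.setHeader(name, value);
  }
}

console.log(frameHeadersFor('http://app.local.com/embed', 'https://api.local.com'));
console.log(frameHeadersFor('http://evil.com/', 'https://api.local.com'));
```

Two caveats. Browsers that do not recognise ALLOW-FROM ignore it and rely on frame-ancestors, which is the behaviour you want here. And an embedder that sends no Referer (for instance under a strict Referrer-Policy) gets DENY in a browser that only honours X-Frame-Options, so legitimate embedders have to be tested in exactly those browsers rather than assumed to work.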