How can I resolve this Content Security Policy error? - node.js

When I run my node index file I'm getting this error in the browser:
Refused to load the image 'http://localhost:3000/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
Can anyone help me with how I can resolve this error?

The most basic approach to solve this issue is not to send a Content-Security-Policy response header if the client requests /favicon.ico.
However, depending on your specific use case there might be better solutions, e.g. setting img-src 'self' for the file or all static images below the root path.
In all cases you should return an HTTP 404 Not Found status code if you don't have a /favicon.ico.

Related

Content Security Policy: Refused to load image

I'm getting the following Content Security Policy error:
Refused to load the image https://www.xy.de/images/icons/shirt.png because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
I want to fix this error with the use of my .htaccess file. I tried to set the header like this:
<IfModule mod_headers.c>
# directives must be separated by ';'
Header always set Content-Security-Policy "script-src 'none'; img-src 'self' data:"
</IfModule>
This has no effect; I still get the same CSP error. What would be the correct way to set up the header?
Based on your input and the error message you are likely trying to add a CSP to a page that already has one. Adding another policy won't make the existing one less strict. The existing policy can be found in a response header or a meta tag. You need to identify the policy and where it is set and modify that one. Alternatively you can remove it and use the one you have shown above.

Callback violates CSP policy even though it is referenced in 'script-src' policy

I'm getting a CSP violation in the Chrome console:
Refused to load the script 'https://ipinfo.io/?callback=jQuery....' because it violates the following Content Security Policy directive
even though ipinfo.io is included in the policy:
script-src 'self' *.ipinfo.io;
Any ideas why?
Could it be because it's a callback and not a static script? Could this be solved?
But you allowed only subdomains, not your main domain.
*.ipinfo.io allows everything like foobar.ipinfo.io but not the main domain itself; you need to add it as well.

How to fix "Content Security Policy - contains an invalid source" error?

I'm getting this error and I don't know why; the scripts that I have included work?
And the error only shows up when I load a subpage, not when I load the start page.
So what am I doing wrong?
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">
Any input really appreciated, thanks.
And the error only shows up when I load a subpage. I'm getting this error and I don't know why
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
It's not an error, just a warning that your browser does not support the 'strict-dynamic' token (I guess you use Safari).
I guess that subpage is some Google iframe (OAuth2, reCAPTCHA, etc.). That iframe publishes its own CSP which contains the 'strict-dynamic' token, and this CSP was created in browser backward-compatibility mode (Google makes such).
That's a warning from a third-party CSP, not yours.
the scripts that I have included works?
Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except for the frame-ancestors directive).
So what Im I doing wrong?
Nothing. It's the intended, regular working of Content Security Policy.
Each browsing context can have its own CSP. But all warnings flow to one browser console, and that is misleading.

IIS custom header "Content-Security-Policy" is overwritten

I currently have an issue with a SharePoint web application, where all websites return a response header content-security-policy: default-src 'self'; object-src 'none'; form-action 'self', which breaks the website's view using Chrome or Firefox, as styles won't be applied and JavaScript won't be executed.
Console log:
Refused to execute inline script because it violates the following Content Security Policy directive: default-src 'self'.
Either the 'unsafe-inline' keyword, a hash ('sha256-WFRyoBrQbrYtLpGIdyBszDzxQni3b0V/wUirab0OhKM='), or a nonce ('nonce-...') is required to enable inline execution.
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The problem only occurs if the websites are addressed using HTTPS. I already checked the HTTP Response Headers in IIS. content-security-policy is not specified. If I add it myself, it gets overwritten and is not sent in the response header. There are only two solutions installed, which do not mess with the response headers.
Does anyone have an idea what else could change the custom response header and overwrite the one defined in the web.config? Or is there another way to change the Content-Security-Policy?
I tested changing the IIS Response Headers by configuring the "CustomHeaders"-section in the web.config, by writing custom IIS modules, which modified the headers using the request lifecycle, and also by writing additional rules with the URL Rewriting tool. Nothing worked...
In the end we found out someone had extended the firewall, which from then on would add a new header and overwrite my changes to the HTTPS response. Mystery solved :)
In my case, I was asked by the Network and Information Security Team to add the Content-Security-Policy: default-src 'self'; header to my IIS 8.5 SharePoint Server 2016 Publishing website. This affects all the system pages: the browser refuses to execute the scripts, and in the console we got this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-HU8dCwZsqh4m8QG0y6qanyzPx1d6YSGHuAN0QXmxZvw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
I then changed the header to Content-Security-Policy: frame-ancestors 'self'; and it resolved the issue.
I actually got this from JohnC's answer, which helped me resolve the issue.

Content-Security-Policy refused to connect to

Refused to connect to
'https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE'
because it violates the following Content Security Policy directive:
"default-src 'unsafe-inline' 'unsafe-eval 'self' *.googleapis.com
*.google-analytics.com *.gstatic.com *.googletagmanager.com aaa.dev.someplace.com *.test.ldxxx.net *.testauto.ldxxx.net
w1xxx.ldxxx.net aaa.xxz.ldxxx.net aaa.test.someplace.com
aaa.staging.aaac.net aaa.yyy.ddd.as.nz". Note that 'connect-src' was
not explicitly set, so 'default-src' is used as a fallback.
Bear in mind I have masked the URLs so as not to give away sensitive information.
My exact content-security-policy http header is in the quoted error text. The error stated that:
https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE
violates my content-security-policy. But why? Shouldn't https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE be allowed to be connected to, because of w1xxx.ldxxx.net in my content-security-policy?
What is the URL of the page where the policy is defined, and where this violation occurs?
If this page is not served on port 7031, you would have to specify w1xxx.ldxxx.net:7031 as the host entry in your policy.
Per the CSP specification, if the port isn't specified, it defaults to the port from the URL's scheme (default HTTPS uses 443).
If expression does not contain a port-part, and url’s port is not the
default port for url’s scheme, return "Does Not Match".
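The port rule quoted here, the subdomain-wildcard rule from the ipinfo.io question above, and the point that a second policy never loosens a first one all follow from the same source-expression matching algorithm. As an added example that is not code from any answer in this thread, here is a small model of that algorithm (host sources, scheme sources and 'self'; paths, nonces and hashes are deliberately left out, and real browsers implement the full specification) run against the URLs quoted on this page. The page origins used for the 'self' checks are assumptions for the example.

```javascript
// Added example, not from any answer in this thread: a model of the CSP
// "Does url match expression" rules, enough to reproduce why each URL
// quoted on this page is refused or allowed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a host-source such as "*.ipinfo.io", "w1xxx.ldxxx.net:7031" or
// "https://maps.google.com". Returns null for anything that is not one.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/[^\s]*)?$/i
    .exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// "Does url match expression" for a host-source (paths are ignored here).
function hostSourceMatches(expr, urlString) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  // Scheme part: must match when given (http: may be upgraded to https:).
  if (src.scheme && src.scheme !== url.protocol &&
      !(src.scheme === 'http:' && url.protocol === 'https:')) return false;
  // Host part: "*.ipinfo.io" covers foo.ipinfo.io but NOT ipinfo.io itself.
  if (src.host === '*') {
    // any host
  } else if (src.host.startsWith('*.')) {
    if (!url.hostname.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== url.hostname) {
    return false;
  }
  // Port part: with no port in the expression, the URL must use the scheme's
  // default port; "w1xxx.ldxxx.net" therefore does not cover port 7031.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (src.port === null) {
    if (urlPort !== DEFAULT_PORTS[url.protocol]) return false;
  } else if (src.port !== '*' && src.port !== urlPort) {
    return false;
  }
  return true;
}

// Split "directive value; directive value" into a Map; the first occurrence
// of a directive wins, as in browsers.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return directives;
}

// Does ONE policy allow fetching `urlString` under `directive`, for a document
// at `pageUrl`? Fetch directives fall back to default-src when unset, which is
// what the "'img-src' was not explicitly set" notes in the errors refer to.
function allowedBy(header, directive, urlString, pageUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true; // neither set: this policy does not restrict the fetch
  const url = new URL(urlString);
  for (const source of sources) {
    const s = source.toLowerCase();
    if (s === "'self'") {
      if (url.origin === new URL(pageUrl).origin) return true;
    } else if (s.startsWith("'")) {
      // 'none', 'unsafe-inline', nonces and hashes never authorize a host fetch
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      if (url.protocol === s) return true; // scheme-source such as data:
    } else if (hostSourceMatches(source, urlString)) {
      return true;
    }
  }
  return false;
}

// Several policies (extra headers or meta tags) are enforced independently:
// a fetch must pass every one of them, so a second, looser policy never
// relaxes a stricter one that is already present.
function allowedByAll(headers, directive, urlString, pageUrl) {
  return headers.every((h) => allowedBy(h, directive, urlString, pageUrl));
}
```

Run against the cases on this page: `hostSourceMatches('*.ipinfo.io', 'https://ipinfo.io/')` is false while `api.ipinfo.io` matches; `hostSourceMatches('w1xxx.ldxxx.net', 'https://w1xxx.ldxxx.net:7031/...')` is false until the expression carries `:7031`; and `allowedByAll` with the page's existing `default-src 'self'` policy plus a new `img-src https://www.xy.de` policy still refuses the image, which is the situation the .htaccess answer describes.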