can you tell me please where I set these options on the server (GoDaddy Linux Apache)? Should I just place them in the .htaccess file?
Header set X-Frame-Options "ALLOW-FROM https://specificdomain.com"
Header set Content-Security-Policy "frame-ancestors https://specificdomain.com"
Yes, you can put it in the .htaccess file
like this
Header always set X-FRAME-OPTIONS "DENY"
for more information read on mdn
I'm using a wildcard like so: *.example.com, under the impression that totallysafe.example.com, foobar.example.com, some-other.example.com and whatever other subdomain would be allowed.
So for example, I'm using NGINX to apply the CSP header (minified version of my source code):
# nginx variable names cannot contain "-", and CSP directives are separated by ";"
set $SCRIPT_DIRECTIVE "script-src *.google.com";
set $REPORT_URI "report-uri https://wonkyprefix.ingest.sentry.io/blahblahblah";
add_header Content-Security-Policy "${SCRIPT_DIRECTIVE}; ${REPORT_URI}";
When I'm monitoring CSP violations coming from my app in Sentry, I see script-src violations for apis.google.com.
Any ideas or solutions?
I have a problem loading YouTube thumbnails on Firefox: the images are blocked, while on Chrome it works fine. On Firefox I get the error NS_ERROR_INTERCEPTION_FAILED in the network tab of the developer tools, and if I remove the CSP from my .htaccess file, those images are loaded correctly.
My CSP looks like this:
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.laurentwillen.be https://*.googleapis.com https://*.googletagmanager.com https://www.google-analytics.com/ https://www.google.com https://cse.google.com https://*.gstatic.com https://*.youtube.com/ https://*.mobilemultimedia.be"
Header set Referrer-Policy "same-origin"
and the call to the image looks like this:
<img src="https://img.youtube.com/vi/xSbxgNuBfR0/0.jpg" alt="youtube_preview" width="100%">
Do you know how I could go around this and make Firefox load those images just like Chrome?
Thanks
I would like to render an iframe with the source being Github like so:
<iframe src="https://gist.github.com/user45445/9bf8d568e3350146ba302d7d67ad576f"> </iframe>
This is the error I get in the console:
Refused to display 'https://gist.github.com/fresh5447/9bf8d568e3350146ba302d7d67ad576f' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
I was researching how to specify my Content Security Policy in my Node server, to specify that it should accept any iframes from github
So I installed csp-helmet and added this to my server code:
var express = require('express');
var csp = require('helmet-csp');

var app = express();
app.use(csp({
  // Specify directives as normal.
  directives: {
    frameAncestors: ['*.github.com'], // I thought these two did the same, so I tried them both.
    childSrc: ['*.github.com']
  },
  // Set to true if you only want browsers to report errors, not block them.
  // You may also set this to a function(req, res) in order to decide dynamically
  // whether to use reportOnly mode, e.g., to allow for a dynamic kill switch.
  reportOnly: false,
  // Set to true if you want to blindly set all headers: Content-Security-Policy,
  // X-WebKit-CSP, and X-Content-Security-Policy.
  setAllHeaders: false,
  // Set to true if you want to disable CSP on Android where it can be buggy.
  disableAndroid: false,
  // Set to false if you want to completely disable any user-agent sniffing.
  // This may make the headers less compatible but it will be much faster.
  // This defaults to `true`.
  browserSniff: true
}));
But still the same error..
I have been trying to look at the official docs and the HTML5 rocks guide
Not sure if I am super close or taking the completely wrong approach.
Update
I have also tried to set the CSP via meta tag.
<meta http-equiv="Content-Security-Policy" content="child-src https://gist.github.com; frame-ancestors https://gist.github.com;">
then I received this error:
Content Security Policies delivered via a <meta> element may not contain the frame-ancestors directive.
The frame-ancestors value acts on the source of the iframe not the document framing it. Setting CSP on your page will have no effect on the framing. Think of frame-ancestors like X-Frame-Options on steroids: it restricts what is allowed to frame the content. Gist intentionally does not allow directly framing gists but instead provides a way to embed a Gist.
frame-ancestors 'none' == X-Frame-Options: DENY
As oreoshake points out, the problem here is not your CSP, but the CSP on GitHub. It is GitHub that is preventing you from framing them so there is nothing you can do with your CSP to resolve this.
I got the exact same error when using the wrong URL in my iframe's src field. I had copied the URL directly from the address bar instead of clicking on embed and copying it from there.
I am trying to add additional security headers in play framework configuration but my changes are not getting reflected. I read through the play documentation and it says the play.filters.headers only accept 5 pre-defined security headers.
# Security headers filter configuration
headers {
# The X-Frame-Options header. If null, the header is not set.
frameOptions = "DENY"
# The X-XSS-Protection header. If null, the header is not set.
xssProtection = "1; mode=block"
# The X-Content-Type-Options header. If null, the header is not set.
contentTypeOptions = "nosniff"
# The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
permittedCrossDomainPolicies = "master-only"
# The Content-Security-Policy header. If null, the header is not set.
contentSecurityPolicy = "default-src 'self'"
}
Any idea how to add additional headers in the configuration apart from the 5 mentioned above?
Play version is 2.2.3
Play's security headers filter isn't available for Play 2.2.x.
It was first introduced with Play 2.3
You probably were looking at the latest (2.4.x at the time of writing this) docs.
Following the procedure in this article I disabled the ARR Affinity cookie on my Azure Web App with this header in my responses:
Arr-Disable-Session-Affinity: True
It does remove the cookie, which is very much a good thing. But, the header itself is still coming through. This header doesn't really hurt anything, but according to that same doc it shouldn't be there:
If you add the Arr-Disable-Session-Affinity header to disable the affinity cookie, ARR will not set the cookie, but it will also remove the Arr-Disable-Session-Affinity header itself, so if your process is working correctly, you will see neither.
So...how do I get it to remove the header, too?
If you have added the Arr-Disable-Session-Affinity custom header as below in your Azure Web App web.config, then it is correct behavior that you still see the Arr-Disable-Session-Affinity header with the value set to true and the ARR cookie removed in your HTTP response. I think it's an incorrect statement in the reference blog you provided that the Arr-Disable-Session-Affinity header will be removed.
If you remove that header, the cookie will be present; the two are mutually exclusive.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Arr-Disable-Session-Affinity" value="true" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
The article you refer to doesn't say specifically how to add the header so I can't tell if you did it correctly. I haven't tested but according to this article you should set it in the Application_PreSendRequestHeaders:
protected void Application_PreSendRequestHeaders()
{
    // Strip server-identifying headers, then ask ARR not to set the affinity cookie
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
    Response.Headers.Add("Arr-Disable-Session-Affinity", "True");
}