CSP header not detected - content-security-policy

For some reason both Mozilla Observatory and CSP validator are not detecting the CSP header in my .htaccess file yet the header is visible when viewed through Chrome.
Here's my current CSP header in my .htaccess file;
Content-Security-Policy: script-src 'nonce-$RANDOM' 'strict-dynamic' 'unsafe-inline' object-src 'none'; base-uri 'none'; report-uri https://altfit.report-uri.com/r/d/csp/enforce;
Also I noticed that the nonce is not working, inline scripts still load without nonce in place but if I make modifications to the CSP it can restrict script execution and the display of inline elements.
Info:
Server is Light Speed.
PHP version is 7.1

Fixed the issue by modifying the line in .htaccess to the following;
Header set Content-Security-Policy: "default-src https: 'unsafe-inline'; report-uri https://altfitcom.report-uri.com/r/d/csp/enforce;"
Only issue now is the addition of unsafe-inline but from what I have read strict-dynamic and nonce do not work as a cross platform solution and I have to have inline js for some onclick events.

Related

Content Security Policy: Blocking certain internal script

I have a certain internal js-file which I want to block with the use of the Content Security Policy.
I know it's possible to disable external files, but I didn't found informations regarding a certain internal script.
At the moment I use the following CSP:
img-src 'self' data:; default-src 'self' 'unsafe-inline'
So I'm searching a solution to make an exception for default-src 'self'.
If you don't want to allow scripts from 'self', you will need to remove 'self' from default-src and implement all the needed source directives that currently use default-src as a fallback. If you set default-src to 'none' or the remaining value of 'unsafe-inline' the browser errors will tell you what you need to add.

Working on CSP headers, seeing console browser as Refused to execute inline script because it violates the following Content Security Policy directive

#console browser issue for Content security Policy
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-9X08/o2ns8hEbTzT0V1Xyn6yYc8qftFOKmH3KNb8dWo='), or a nonce ('nonce-...') is required to enable inline execution.[enter image description here][1]
#Image of the error
[1]: https://i.stack.imgur.com/7R9sp.png
Code written for CSP
frame-ancestors 'self' https:
script-src 'self';
object-src 'none';
base-uri 'none';
style-src 'self' fonts.googleapis.com 'unsafe-inline';
media-src *;
img-src 'self';
It seems the error indicated there's issue with using inline-script.
which looks like
<script>
your codes
</script>
If you're going to use inline script, add 'unsafe-line' to script-src directive.
Current setting only allows scripts that's source of your domain.
ex)
<script src="/yourDomain/public/yourScript.js">
Your script-src directive of 'self' only allows scripts to be loaded as script files from the same domain. Your page also has inline scripts that need to have permission in the CSP to run. You have a few choices:
Move the script code to a separate .js file hosted on the same domain. If you use a different host you'll need to allow that host in your script-src directive.
Add 'unsafe-inline'. This will allow ALL inline scripts, which will pretty much remove the XSS protection that CSP is able to give.
Add the suggested hash value 'sha256-9X08/o2ns8hEbTzT0V1Xyn6yYc8qftFOKmH3KNb8dWo=' to script-src allowing this one script. This is a good solution if there are only one or a few inline scripts to allow.
Add a nonce. Nonces should change on every pageload and are a good solution for dynamic scripts if you are able to inject nonces correctly.

Why doesn't google.com use CSP?

When checking Google's HTTP headers I noticed there is no CSP header. Considering they led great efforts when dealing with CSP level 3, I wonder why is that so?
HTTP headers
After some more research I realized google.com does use CSP indeed. CSP can be used directly from a meta tag instead of a HTTP header.
Actually now Aug-2022, I see the following reponse header.
content-security-policy: object-src 'none';base-uri 'self';script-src 'nonce-CBtB0pB_6ERNGUP11XPOxw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1

Content security policy for frame. frame-src vs frame-ancestors

What do frame-src and frame-ancestors do exactly? The definition shows the purpose is the same to define valid contents for frames for both directives.
When to use which one? I was able to load an external domain content in iframe using -
frame-ancestors and default-src rules
frame-src
Both are working but couldn't get correct use cases.
default-src, frame-ancestors, and frame-src are all part of the Content-Security-Policy response header.
frame-src
Restricts what domains and page can load in an iframe.
The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-src 'self', it can only load https://example.com inside iframes.
frame-ancestors
Restricts what domains and page can be loaded in from an iframe (similar to the X-Frame-Options header, but takes precedence over it).
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
For example: If the website at https://example.com has a response header of Content-Security-Policy: frame-ancestors 'self', it can only be loaded inside iframes from https://example.com.
default-src
Acts as the default value for any fetch directive that isn't explicitly set (here is a list of all fetch directives)
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for the default-src directive and will use this value for it.
For example: Content-Security-Policy: default-src 'self' will default to the value 'self' for all fetch directives. Other directives will be unaffected.
Note: since frame-ancestors is not a fetch directive, setting default-src won't restrict it. It needs to be set separately.

Evernote Web Clipper and Content Security Policy

We're currently introducing the Content Security Policy to a website. Started by inserting the Content-Security-Policy-Report-Only header to get some feedback about the impact. Soon we found out that the Evernote Web Clipper plugin in the Safari browser violates the CSP directives as it seems to inject some code into the page.
We get this in the CSP report:
{"csp-report":
{
"document-uri":"http://example.com/index.html",
"violated-directive":"default-src 'self'",
"original-policy":"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html",
"blocked-uri":"safari-extension://com.evernote.safari.clipper-uahs7eh2ja",
"source-file":"http://example.com/js/jquery.js",
"line-number":2
}
}
How do we need to modify the CSP header so that the Evernote Web Clipper plugin is not blocked? The blocked-uri seems to contain a user-specific id at the end which makes it pretty difficult.
You're right, the last bit of the blocked uri does vary across computers, and you can't use a wildcard to whitelist it. The only way to unblock the Web Clipper is to unblock all Safari extensions by putting safari-extension://* in default-src, so your policy would look like
default-src 'self' safari-extension://*; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; report-uri http://example.com/report.html

Resources