Content Security Policy - Server is not considering meta content

I have a strange problem with one server (the hosting company is Etisalat in the UAE). The website is not loading external scripts (including Google Fonts), background images and some JavaScript.
The error I get in the console is like:
"Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic (“default-src http://riviera.ae http://googleapis.com”)"
I've tried adding the following to the section:
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'">
But it still does not load. The images and the rest work fine in Internet Explorer (but XHR gives an error; I haven't tested it completely).
I also tried the following in .htaccess:
Header set Content-Security-Policy "default-src 'self' googleapis.com; script-src 'self' www.googleapis.com;"
I hope it's not against Stack Overflow policies to share the link to the domain (riviera.ae). Thanks for checking it out.
NB: I tried putting the same application on another server (a *nix-based system with Apache 2+) and it works fine.
Even a phpinfo() gives its output in plain text (no PHP logo is shown, nor are the table styles rendered).

I got it working by putting "Header unset Content-Security-Policy" in the .htaccess file. I have to add other directives to make it secure, though.


Refused to frame ‘https://my.matterport.com/’ because an ancestor violates the following Content Security Policy directive: “frame-ancestors ‘self’”

I’m trying to add a Content Security Policy to my Gatsby x Netlify website through a _headers file. Everything works fine, except for a Matterport iFrame that doesn’t want to be displayed. The error message I see in the console is:
Refused to frame 'https://my.matterport.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
In my headers file, I added the following X-Frame-Options:
X-Frame-Options: ALLOW-FROM https://*.matterport.com/
And I also have this frame-src in my Content Security Policy:
frame-src 'self' https://www.youtube.com/ https://my.matterport.com https://matterport.com;
But the iFrames still look like this:
[Screenshot: Matterport iFrames not displaying]
Can someone help me figure out what I’m doing wrong here?
Thank you!
I recently came across the same error message and corrected it by removing a double forward slash before the video link. My original iFrame inclusion looked like https://my.matterport.com/show//?m=XXXXXXX; replacing this with https://my.matterport.com/show/?m=XXXXXXX was enough to get the iFrame showing again.

How to fix "Content Security Policy - contains an invalid source" error?

I'm getting this error and I don't know why; the scripts that I have included work.
And the error only shows up when I load a subpage, not when I load the start page.
So what am I doing wrong?
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
<meta http-equiv="Content-Security-Policy" content="script-src * 'unsafe-inline' 'unsafe-eval' https://checkout.dibspayment.eu https://www.google-analytics.com https://maps.google.com;">
Any input really appreciated, thanks.
And the error only shows up when I load a subpage. I'm getting this error and I don't know why
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''strict-dynamic''. It will be ignored.
It's not an error, just a warning that your browser does not support the 'strict-dynamic' token (I guess you use Safari).
I guess that subpage contains some Google iframe (OAuth2, reCAPTCHA, etc.). That iframe publishes its own CSP which contains the 'strict-dynamic' token, and this CSP was created in browser backward-compatibility mode (Google makes it so).
That's a warning from a third-party CSP, not yours.
the scripts that I have included work?
Your parent page has its own CSP which allows scripts. The CSP of a nested browsing context (iframe) does not affect the parent page (except for the frame-ancestors directive).
So what am I doing wrong?
Nothing. It's the intended, regular working of Content Security Policy.
Each browsing context can have its own CSP. But all warnings flow into one browser console, and that is misleading.

I am trying to Understand Content-Security-Policy Frame Ancestors tag

I am trying to display one of my sites in an iframe inside my Ionic app. I need to restrict my website from being iframed by other websites. I decided to go with the Content-Security-Policy response header, where
Content-security-policy: frame-ancestors ${website-to-be-allowed}
made sure only the websites mentioned could iframe my website. However, I needed my Ionic app to iframe my website as well, and since Ionic apps are served from the file system, I am okay with giving the whole file system access to iframe my website. When I added
Content-security-policy: frame-ancestors ${website-to-be-allowed} filesystem
as mentioned here,
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
I tested on both my Android and iOS app and both threw the same error, which says:
Refused to display ${website} in a frame because an ancestor violates the following content security policy directive: "frame-ancestors filesystem"
[Screenshot of the error that pops up]
Just for reference, I got it working using:
file://* filesystem:
So the overall Content Security Policy could look like this:
Content-Security-Policy: ...; frame-ancestors 'self' file://* filesystem:;
You need the colon at the end of "filesystem". Try
frame-ancestors ${website-to-be-allowed} filesystem:

CSP report-only doesn't report passive mixed content?

I am using the policy below. It is not reporting passive mixed content, such as images loaded over http by a page in an iframe.
default-src https:; report-uri <https reporting endpoint>;
Apparently, the block-all-mixed-content directive also doesn't work: https://github.com/w3c/webappsec-csp/issues/26
I tried a more detailed policy like the one in https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Mixed_Content_Policy with img-src https: data: as well. But that doesn't work either.
Is it that CSP reporting doesn't work for passive mixed content?
CSP does not "trickle down" to pages loaded in an iframe; it applies only to the resource it was delivered with. If you want to declare a CSP for the page in the iframe, you'll have to include a CSP header for that page too.
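The answer's point can be checked from the collector side of report-uri: every violation report carries the document-uri of the page whose policy fired, so a blocked http:// image on the framed page shows up only if that page carries its own policy, and then under the framed page's URI, not the top-level page's. The following is an added example, not code from the question or answer; the two sample report bodies are constructed to look like what a browser POSTs to a report-uri endpoint, and the hostnames in them are placeholders.

```python
# Added example: parse and triage CSP violation reports as received at a
# report-uri endpoint. Sample bodies are constructed, not captured from a browser.
import json
from urllib.parse import urlparse

# Constructed samples. The first was emitted by the framed page (it has its own
# policy), the second by the top-level page. Both POST to the same endpoint.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://frame.example/gallery.html",
        "referrer": "https://top.example/",
        "violated-directive": "img-src https: data:",
        "effective-directive": "img-src",
        "original-policy": "default-src https:; img-src https: data:; report-uri https://top.example/csp",
        "blocked-uri": "http://cdn.example/photo.jpg",
        "status-code": 200,
        "disposition": "report",
    }}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://top.example/",
        "referrer": "",
        "violated-directive": "default-src https:",
        "effective-directive": "script-src",
        "original-policy": "default-src https:; report-uri https://top.example/csp",
        "blocked-uri": "inline",
        "status-code": 200,
        "disposition": "report",
    }}).encode(),
]


def parse_report(body: bytes, content_type: str = "application/csp-report") -> dict:
    """Normalise one report body into a flat dict; reject unexpected content types."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("application/csp-report", "application/json"):
        raise ValueError(f"unexpected Content-Type for a CSP report: {content_type}")
    report = json.loads(body.decode("utf-8"))["csp-report"]
    doc = urlparse(report["document-uri"])
    blocked = report.get("blocked-uri", "")
    # Older browsers put the whole directive in violated-directive; the first token is the name.
    directive = report.get("effective-directive") or report.get("violated-directive", "").split()[0]
    return {
        "document_uri": report["document-uri"],      # the page whose policy fired
        "document_origin": f"{doc.scheme}://{doc.netloc}",
        "directive": directive,
        "blocked_uri": blocked,
        # Passive mixed content: an https document pulling a plain-http resource.
        "mixed_content": doc.scheme == "https" and blocked.startswith("http://"),
        "disposition": report.get("disposition", "enforce"),
    }


def summarize(bodies) -> dict:
    """Group reports by document-uri, so it is obvious which page's policy produced each one."""
    by_document = {}
    for body in bodies:
        parsed = parse_report(body)
        by_document.setdefault(parsed["document_uri"], []).append(parsed)
    return by_document


if __name__ == "__main__":
    for document, reports in summarize(SAMPLE_REPORTS).items():
        for r in reports:
            flag = " [mixed content]" if r["mixed_content"] else ""
            print(f"{document}: {r['directive']} blocked {r['blocked_uri']}{flag}")
```

Fields such as document-uri and blocked-uri are supplied by whoever sends the POST, so treat them as untrusted input when they are stored or rendered in a dashboard, and cap the body size the endpoint accepts.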

Browser not using metatag Content Security Policy

I am trying to load some CSS and scripts via some CDNs to improve loading times, but I am getting a Content Security Policy issue. After a fair amount of time reading up on it and trying out different policies, it is still giving me the same error.
Currently my policy looks like this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://code.jquery.com/ https://cdnjs.cloudflare.com/ https://maxcdn.bootstrapcdn.com/">
which, from my understanding, should mean I can load anything from the site itself and the 3 URLs, e.g. for maxcdn I should be able to load https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
I did try the very simple (and not-to-be-used) policy of
<meta http-equiv="Content-Security-Policy" content="default-src *">
but that didn't change anything.
The error I'm getting is:
Refused to load the script 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The script it's trying to load (I will do fallbacks after I get this working):
<script type="text/javascript" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"
integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa"
crossorigin="anonymous"></script>
I have tested in Chrome (55.0.2883.87) and Edge.
From the error message it's as if it's not taking my policy but using a default policy set by the browser?
Any help would be much appreciated :)
The script loads without a problem when I test it with a CSP provided by the meta tag you included in your question.
I was able to reproduce the problem by including a conflicting CSP using an HTTP header.
A real HTTP header will trump a meta tag.
You need to make the changes to your server-side code or HTTP server configuration instead of to the document.
I had a similar problem due to... an ad blocker (uBlock Origin).
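Three threads on this page come down to how a browser evaluates CSP source lists: the first thread (a googleapis.com host-source does not match fonts.googleapis.com, and a meta tag cannot override the header), the frame-ancestors thread (filesystem without a colon is a host name, filesystem: is a scheme), and the thread just above (a header and a meta tag are both enforced, so the stricter one wins). The following added example, which is not code from any of the posts, is a small evaluator for those rules; it simplifies the specification (no default-port rules, no redirect tracking, no nonce or hash matching, and 'self' compares scheme, host and port literally), and the app-origin URL it constructs for the frame-ancestors check is a placeholder.

```python
# Added example (not from any of the posts): evaluate CSP source lists the way a
# browser does, for the decisions discussed on this page. Simplified as noted in
# the lead-in; sample page and ancestor URLs below are taken from the posts or
# constructed as placeholders.
from urllib.parse import urlparse

# Directives that never fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "report-uri", "sandbox"}


def parse_policy(policy: str) -> dict:
    """'a x y; b z' -> {'a': ['x', 'y'], 'b': ['z']} (first occurrence of a directive wins)."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):        # *.googleapis.com matches fonts.googleapis.com
        return host.endswith(pattern[1:])
    return pattern == host              # googleapis.com does NOT match fonts.googleapis.com


def source_matches(expr: str, url: str, page_url: str) -> bool:
    """Does one source expression allow fetching `url` from the document at `page_url`?"""
    u, page = urlparse(url), urlparse(page_url)
    low = expr.lower()
    if low == "'self'":
        return (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port)
    if low.startswith("'"):             # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if low == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if low.endswith(":") and "/" not in low:   # scheme-source: https:, data:, filesystem:
        return u.scheme == low[:-1]
    # host-source: [scheme://]host[:port][/path]; without a scheme, the page's scheme applies
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = page.scheme, expr
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    if not host_matches(host, u.hostname or ""):
        return False
    if port and port != "*" and str(u.port) != port:
        return False
    if path:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def policy_allows(policy: str, directive: str, url: str, page_url: str) -> bool:
    """Decision of a single policy for one directive, with default-src fallback where it applies."""
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = directives.get("default-src")
    if sources is None:
        return True                     # this policy says nothing about the directive
    return any(source_matches(s, url, page_url) for s in sources)


def allowed(policies, directive: str, url: str, page_url: str) -> bool:
    """A fetch must satisfy EVERY policy delivered for the document (HTTP header and <meta>)."""
    return all(policy_allows(p, directive, url, page_url) for p in policies)


if __name__ == "__main__":
    page = "http://riviera.ae/"
    font = "https://fonts.googleapis.com/css?family=Noto+Sans:400,700,400italic"
    header = "default-src http://riviera.ae http://googleapis.com"   # policy quoted in the first error
    meta = "default-src * 'unsafe-inline' 'unsafe-eval'"             # the <meta> that "did nothing"
    print(allowed([header], "style-src", font, page))        # False: host must match exactly
    print(allowed([meta], "style-src", font, page))          # True: the meta alone would allow it
    print(allowed([header, meta], "style-src", font, page))  # False: the header still applies
    print(allowed(["default-src 'self' https://*.googleapis.com"], "style-src", font, page))  # True
    ancestor = "filesystem:http://app.example/persistent/index.html"  # constructed app-origin URL
    print(policy_allows("frame-ancestors 'self' filesystem", "frame-ancestors", ancestor, "https://site.example/"))   # False
    print(policy_allows("frame-ancestors 'self' filesystem:", "frame-ancestors", ancestor, "https://site.example/"))  # True
```

The practical consequence for the two header-versus-meta threads is the one the accepted answer gives: the loosened meta policy never takes effect while the header is still sent, so the fix belongs in the server configuration, and the replacement header should name the exact hosts (or a *. wildcard) it needs rather than falling back to *.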
