Content-Security-Policy refused to connect to - security

Refused to connect to
'https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE'
because it violates the following Content Security Policy directive:
"default-src 'unsafe-inline' 'unsafe-eval 'self' *.googleapis.com
*.google-analytics.com *.gstatic.com *.googletagmanager.com aaa.dev.someplace.com *.test.ldxxx.net *.testauto.ldxxx.net
w1xxx.ldxxx.net aaa.xxz.ldxxx.net aaa.test.someplace.com
aaa.staging.aaac.net aaa.yyy.ddd.as.nz". Note that 'connect-src' was
not explicitly set, so 'default-src' is used as a fallback.
Bearing in mind that I have masked the URLs so as not to give away sensitive information.
My exact Content-Security-Policy HTTP header is in the quoted error text. The error states that:
https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE
violates my content-security-policy. But why? Shouldn't https://w1xxx.ldxxx.net:7031/direct/v1609/something?preview=FALSE be allowed to be connected to, because of w1xxx.ldxxx.net in my content-security-policy?

What is the URL of the page where the policy is defined, and where this violation occurs?
If this page is not served on port 7031, you would have to specify w1xxx.ldxxx.net:7031 as the host entry in your policy.
Per the CSP specification, if the port isn't specified, it defaults to the port from the URL's scheme (default HTTPS uses 443).
If expression does not contain a port-part, and url’s port is not the
default port for url’s scheme, return "Does Not Match".

Related

Content Security Policy: Refused to load image

I'm getting the following Content Security Policy error:
Refused to load the image https://www.xy.de/images/icons/shirt.png because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
I want to fix this error with the use of my .htaccess file. I tried to set the header like that:
<IfModule mod_headers.c>
    # Directives are separated by semicolons; without one, "img-src" would be read as a host source inside script-src
    Header always set Content-Security-Policy "script-src 'none'; img-src 'self' data:"
</IfModule>
This shows no effect, I still get the same CSP-error. What would be the correct way to set up the header?
Based on your input and the error message you are likely trying to add a CSP to a page that already has one. Adding another policy won't make the existing one less strict. The existing policy can be found in a response header or a meta tag. You need to identify the policy and where it is set and modify that one. Alternatively you can remove it and use the one you have shown above.

'strict-dynamic' is present, so host-based whitelisting is disabled

I'm loading a dummy JS script from origin like:
<script src="http://www.this-host.test/loadMe.js"></script>
with CSP header set to:
script-src 'self' 'strict-dynamic' 'nonce-{randomString}';
Since the script source is coming from its origin host and is allowed by the CSP header, loadMe.js should load and execute.
Instead I get:
Refused to load the script 'http://www.this-host.test/loadMe.js' because it
violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-{randomString}';.
'strict-dynamic' is present, so host-based whitelisting is disabled.
Tested on Macintosh; Mac OS X 10_15_2, browsers Chrome/79.0.3945.117 and Firefox/71.0.
I don't get this message on Safari though.
Perhaps good to note that I'm testing it locally.
Anyway, I don't want to use nonce-{randomString} when the CSP header already allows resources to be loaded from the origin host.
Any thoughts on that?
According to csplite.com, for a server with the CSP header script-src 'self' 'strict-dynamic' 'nonce-{randomString}' set...
'strict-dynamic' only works in conjunction with 'hash-value' or 'nonce-value', and if they are absent, all scripts on the page will be disabled, because 'strict-dynamic' overrides the 'unsafe-inline' action and disables whitelisting of host-based sources, including the 'self' token
... which tells me that if my loadMe.js file is loading another file (or even if it doesn't), the nonce="{randomString}" attribute in the HTML tag must be set, no matter whether the file is loaded from the same host or a whitelisted host.

How can i resolve this content security policy error?

When I run my Node index file, I get this error in the browser:
Refused to load the image 'http://localhost:3000/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
Can anyone help me with how I can resolve this error?
The most basic approach to solve this issue is not to send a Content-Security-Policy response header if the client requests /favicon.ico.
However, depending on your specific use case there might be better solutions, e.g. setting img-src 'self' for the file or all static images below the root path.
In all cases you should return an HTTP 404 Not Found status code if you don't have a /favicon.ico.

IIS custom header "Content-Security-Policy" is overwritten

I currently have an issue with a SharePoint web application, where all websites return a response header content-security-policy: default-src 'self'; object-src 'none'; form-action 'self', which breaks the website's rendering in Chrome and Firefox, as styles aren't applied and JavaScript isn't executed.
Console-Log
Refused to execute inline script because it violates the following Content Security Policy directive: default-src 'self'.
Either the 'unsafe-inline' keyword, a hash ('sha256-WFRyoBrQbrYtLpGIdyBszDzxQni3b0V/wUirab0OhKM='), or a nonce ('nonce-...') is required to enable inline execution.
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The problem only occurs if the websites are accessed using HTTPS. I already checked the HTTP Response Headers in IIS. content-security-policy is not specified there. If I add it myself, it gets overwritten and is not sent in the response header. There are only two solutions installed, and they do not mess with the response headers.
Does anyone have an idea what else could change the custom response header and overwrite the one defined in the web.config? Or is there another way to change the Content-Security-Policy?
I tested changing the IIS response headers by configuring the "customHeaders" section in the web.config, by writing custom IIS modules that modified the headers during the request lifecycle, and also by writing additional rules with the URL Rewrite tool. Nothing worked...
In the end we found out that someone had extended the firewall, which from then on would add a new header and overwrite my changes to the HTTPS response. Mystery solved :)
In my case, I was asked by the Network and Information Security Team to add the Content-Security-Policy: default-src 'self'; header in my IIS 8.5 SharePoint Server 2016 publishing website, which affects all the system pages: the browser refuses to execute the scripts, and in the console we got this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-HU8dCwZsqh4m8QG0y6qanyzPx1d6YSGHuAN0QXmxZvw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
I then changed the header to Content-Security-Policy: frame-ancestors 'self'; and it resolved the issue.
I actually got this from JohnC's answer, which helped me resolve the issue.

Can I use CSP to limit requests to both https: AND 'self'?

I originally had this in my CSP header: default-src 'self';, which limits sources to only my domain, but it says nothing about the scheme/protocol. From what I can gather, this will allow sources to be loaded over http if the page itself was loaded over http. I'm using HSTS and CDN redirects to try to keep all traffic on https, but I want to cover this case off anyway. (In truth, I'm trying to make this header checker give me all green ticks.) Edit: srcclr will happily give all green ticks when using 'self'. I just had to fix some typos.
Anyway, I tried changing the CSP directive to default-src https: 'self';, but it would seem that adding the scheme allows resources to be loaded from any domain, as long as it's over https. I.e., if either of the rules (https: or 'self') matches, then the request is allowed. I tested this by playing around with URLs in the Chrome dev tools.
Is there a way to indicate:
All resources should be loaded over https; AND
Resources should only come from the original domain?
Something like default-src https://'self';, but I don't think that's valid, is it?
One solution is to hardcode the domain name, but I'd like to use 'self' if it's possible.
According to https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives, the 'self' content source keyword:
Refers to the origin from which the protected document is being served, including the same URL scheme and port number.
If you serve the web page over HTTPS, then 'self' only allows HTTPS requests to the same domain.
The CSP2 specification http://www.w3.org/TR/CSP2/#match-source-expression says the same thing:
If the source expression is a case insensitive match for 'self' (including the quotation marks), then:
Return does match if the origin of url matches the origin of protected resource’s URL.
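The following is an added example, not code from either answer, that serves two questions on this page: the first one (why a host-source without a port does not match a connection to port 7031) and this one (why https: 'self' is a union, while 'self' alone already pins scheme, host and port). It models the CSP source-expression matching that the quoted spec text describes: 'self', scheme-sources such as https:, and host-sources with optional scheme, wildcard host, port and path. It follows the CSP Level 3 rules, which additionally let 'self' on an http: page match https: on the same host; the CSP2 text quoted above compares origins exactly. Function names, the policy strings and the URLs in the test are assumptions constructed for illustration; the masked hostnames are the ones from the first question.

```javascript
'use strict';
// Added example (not from the original answers): a model of CSP source
// expression matching for 'self', scheme-source and host-source.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Effective port of a URL ('' for unknown schemes).
function portOf(u) {
  return u.port || DEFAULT_PORT[u.protocol] || '';
}

// Host-source grammar: [scheme://]host[:port][/path], host may begin with "*."
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/*\s]+)(?::(\*|\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// A scheme in the expression (or the page's scheme) also admits https: when
// the expression scheme is http:.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === 'http:' && urlScheme === 'https:');
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.ldxxx.net" -> ".ldxxx.net"
    return host.endsWith(suffix) && host.length > suffix.length; // not the apex itself
  }
  return pattern === host;
}

function pathMatches(pattern, path) {
  if (!pattern || pattern === '/') return true;
  if (pattern.endsWith('/')) return path.startsWith(pattern); // directory prefix
  return path === pattern;                                     // exact file
}

// 'self' (CSP3): same host, same scheme or http->https upgrade, and ports
// equal or both the default for their schemes.
function selfMatches(page, target) {
  if (page.hostname !== target.hostname) return false;
  if (!schemeMatches(page.protocol, target.protocol)) return false;
  const pp = portOf(page), tp = portOf(target);
  return pp === tp || (pp === DEFAULT_PORT[page.protocol] && tp === DEFAULT_PORT[target.protocol]);
}

// Does one source expression allow a fetch of `url` from a page at `pageUrl`?
function sourceMatches(expr, pageUrl, url) {
  const page = new URL(pageUrl), target = new URL(url);
  const lower = expr.toLowerCase();
  if (lower === "'self'") return selfMatches(page, target);
  if (lower.startsWith("'")) return false;            // 'none', 'unsafe-*', nonces, hashes: not URL-based
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {           // scheme-source, e.g. https:
    return schemeMatches(lower, target.protocol);     // any host on that scheme
  }
  const hs = parseHostSource(expr);
  if (!hs) return false;
  if (!schemeMatches(hs.scheme || page.protocol, target.protocol)) return false;
  if (!hostMatches(hs.host, target.hostname)) return false;
  // The rule quoted in the first answer: an expression without a port only
  // matches the scheme's default port, whatever port the page itself uses.
  if (hs.port === null) {
    if (portOf(target) !== DEFAULT_PORT[target.protocol]) return false;
  } else if (hs.port !== '*' && hs.port !== portOf(target)) {
    return false;
  }
  return pathMatches(hs.path, target.pathname);
}

// A source list allows the fetch if any expression in it matches.
function sourceListMatches(list, pageUrl, url) {
  return list.split(/\s+/).filter(Boolean).some(e => sourceMatches(e, pageUrl, url));
}

module.exports = { parseHostSource, sourceMatches, sourceListMatches };
```

Two consequences follow directly from the code: w1xxx.ldxxx.net in the policy never matches https://w1xxx.ldxxx.net:7031/... (add :7031 to the expression, or :* to allow any port), and default-src https: 'self' is satisfied by any https: host because the list is a disjunction, so restricting to the page's own origin is done by 'self' alone.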
