Questions tagged [content-security-policy]
Use to tag questions about Content Security Policy, either using the header or meta tag variants
19 questions
1 vote, 0 answers, 19 views
Need to implement Google Tag Manager, but have a CDP and caching strategy won't allow nonce to work
I'm working on a web application, and I've set a Content-Security-Policy header for all responses. I received a request to add Google Tag Manager script tags to the app, but I don't want to allow ...
3 votes, 1 answer, 66 views
prevent content-security-policy from defeating page caching
I run a website with inline javascript.
I created a security policy so javascript can run inline. Then PageSpeed Insights shows this issue:
When I read about CSP nonces and hashes, it means ...
1 vote, 1 answer, 4k views
nginx Content-Security-Policy headers: why do they have to be all on the same line? (version 1.18 vs 1.22)
I have two different servers, one using nginx 1.18 and another using 1.22.
The headers on the 1.18 version are:
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';
...
2 votes, 1 answer, 4k views
Content Security Policy error when trying to share images from Google Drive on my website
I'm using Google Drive to upload my images, so my images' URLs on my website are like this:
<img src="https://drive.google.com/uc?export=view&id=1SJcEZndPKl7DxU1K8Iit" />
In my ...
2 votes, 1 answer, 48 views
Is there any problem with moving GA4 tracking code to a file on my own domain, and updating the file contents daily?
I have a site that I intentionally set up with a very strict CSP, such that inline scripts won't work.
Additionally, any 3rd party scripts require a subresource integrity hash, to ensure the 3rd party ...
2 votes, 0 answers, 679 views
Allow Content Security Policy For Iframe With data:text/html
I'm trying to use an iframe with data:text/html. My iframe tag is:
<iframe id="preview" class="preview" src="data:text/html;charset=utf-8,%3Cscript%20src%3D%22https%3A//cdnjs....
1 vote, 1 answer, 1k views
I have the bulk of my CSP policy in .htaccess. How do I add to it in the HTML page header?
My relevant CSP in .htaccess is
Header always set Content-Security-Policy "upgrade-insecure-requests; \
default-src 'self'; \
img-src https: data:; \
object-src 'none'; \
script-src 'self'...
4 votes, 1 answer, 387 views
CSP added but Lighthouse flags it as missing
I've added a CSP via PHP but Lighthouse is still saying
'Ensure CSP is effective against XSS attacks'
Here's my CSP, is there something missing or set incorrectly that could be causing Lighthouse to ...
1 vote, 0 answers, 45 views
Patent warning for using nonce feature of Content-Security-Policy
Just asking if anyone has come across something like this and I'm really not sure what part of Stack Exchange this really fits in...
I'm not going to post details of the company or patent information, ...
1 vote, 0 answers, 95 views
Is it safe to delete crossdomain.xml now that Flash is no longer supported
A website I have contributed to has a crossdomain.xml file live.
Through my personal Googling it seems that this file is related exclusively to cross domain permissions for Adobe Flash.
As ...
0 votes, 1 answer, 36 views
WordPress: console errors from web sites I have linked to
On this one page of my site, https://litchfieldmagazine.com/litchfield-county-design-resource-guide/
I have hundreds of console errors that are coming from sites I have linked to in the posts ...
1 vote, 0 answers, 76 views
Chrome gives a content-security-policy warning when viewing an image in its own tab on my site
I'm setting Content-Security-Policy in htaccess.
I use a pretty basic and strict policy:
Header always set Content-Security-Policy
"default-src 'self';
script-src 'self' http: https: *.googleapis....
2 votes, 0 answers, 443 views
Generating the base64 of sha256 of a file for Content Security Policy of a web page
The issue
I have a small private Apache2 web server running on Debian 10 Buster with security on my top list. Right now, I'm struggling with:
How to generate in the Linux terminal the base64-encoded ...
2 votes, 0 answers, 372 views
Do Content-Security-Policy errors affect SEO rankings?
There is a website that allows users to post content and embed images from external links. This website has a Content-Security-Policy that allows only a small list of other websites in img-src.
If a ...
1 vote, 1 answer, 87 views
Missing "policy" stated by Yahoo since DMARC implementation?
Since the implementation of DMARC on our server we get feedback reports from Yahoo, stating we do not publish a "policy" which therefore cannot be evaluated (to my understanding).
However the same ...