Content-Security-Policy: Safari Requires OWASP Headers For IFrame (Chrome Does Not) - iframe

I am building a Zoom App which requires me to set OWASP headers. This is the error I'm seeing in Safari dev tools on macOS.
Missing OWASP Secure Headers: ["X-Content-Type-Options","Content-Security-Policy","Referrer-Policy"]
for URL https://some.externalsite.com/xyz.html
It works fine in Chrome dev tools on a PC.
My markup isn't particularly exciting:
...my site
<iframe src="https://some.externalsite.com/xyz.html"></iframe>
... end my site
I have the following headers:
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; worker-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; style-src * 'unsafe-inline'; object-src * 'unsafe-inline'; frame-ancestors 'self' https://some.externalsite.com;
I've tried various combinations of frame-src, child-src, and frame-ancestors in the Content-Security-Policy with no luck.

Related

Is there any security benefit of "style-src 'self' 'nonce-rAnd0m'" over "style-src 'self' 'unsafe-inline'"?

This page lists using nonce as preferable to unsafe-inline for styles, but if everything besides style-src uses "default-src 'self'", is there any benefit to using nonce?
The nonce-based approach in the link you refer to is just an example; clearly you should use the nonce-based approach for both styles and scripts.
This approach is called strict CSP, and the advantage of using a nonce is that you don't need to white-list all the domains. For example, check the CSP policy for twitter.com, it's huge!
The CSP for Google docs looks like this, a pretty slim policy:
Content-Security-Policy:
base-uri 'self';
object-src 'none';
report-uri https://docs.google.com/document/cspreport;
script-src 'report-sample' 'nonce-Y7j7Ul3bnFVzbgVJ0-Tb7a' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';
worker-src 'self' blob:
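As an added example (not the answer's code, nor Google's), here is how a server mints a fresh nonce per response and emits a strict CSP in the shape of the Google Docs policy quoted above, minus its 'unsafe-eval'; REPORT_URI is an assumed placeholder.

```python
import secrets

# Constructed example, not the answer's or Google's own code: mint a fresh
# nonce per HTTP response and build a strict, nonce-based CSP in the shape
# of the Google Docs policy quoted above. REPORT_URI is an assumed placeholder.
REPORT_URI = "https://example.invalid/cspreport"


def make_nonce():
    """128 random bits, base64url encoded; never reuse one across responses."""
    return secrets.token_urlsafe(16)


def build_strict_csp(nonce):
    """Only scripts carrying this response's nonce may run.

    'strict-dynamic' lets those scripts load further scripts without a host
    allow-list; 'unsafe-inline', https: and http: are ignored by browsers
    that understand nonces and only act as a fallback for older ones, which
    is why the Google policy above can afford to carry them.
    """
    return "; ".join([
        "base-uri 'self'",
        "object-src 'none'",
        f"report-uri {REPORT_URI}",
        f"script-src 'report-sample' 'nonce-{nonce}' 'unsafe-inline' "
        "'strict-dynamic' https: http:",
        "worker-src 'self' blob:",
    ])


def render_response(inline_script):
    """Headers and HTML for one response; the header nonce must equal the
    nonce attribute on every inline <script>. inline_script is trusted
    server-side code here, never user input."""
    nonce = make_nonce()
    headers = {"Content-Security-Policy": build_strict_csp(nonce)}
    html = f'<script nonce="{nonce}">{inline_script}</script>'
    return headers, html


def nonce_matches(headers, html):
    """Check that the header's nonce is the one on the inline <script> tag."""
    csp = headers["Content-Security-Policy"]
    start = csp.index("'nonce-") + len("'nonce-")
    nonce = csp[start:csp.index("'", start)]
    return f'nonce="{nonce}"' in html
```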

Safari doesn't understand my Content-Security-Policy headers

Every other browser understands when I say:
add_header Content-Security-Policy default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com;
In my headers. But Safari says:
Refused to connect to wws://mysite because it doesn't not appear in
the connect-src directive in Content Security Policy. [Error]
SecurityError (DOM Exception 18): The operation is insecure.
(anonymous function) (myjavascripturl.js)
Why does Safari not understand my Content-Security-Policy headers?
In the policy you have provided there are no single quotes around unsafe-inline, which are required. Change this:
add_header Content-Security-Policy default-src 'self'; script-src 'self' unsafe-inline; connect-src wss://mysite.com;
To this:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src wss://mysite.com;";
--------------------------------------------------------------------------^-------------^
That could be affecting the parsing of the policy.
The other concern is in the error message you provided.
Refused to connect to wws://mysite
-----------------------^
Do you have a typo somewhere in your code, should this be wss?

Why return http 200 code from disk cache, neither expire nor cache-control in response header?

The Chrome browser returns HTTP 200 from disk cache, but I don't find "expire" or "cache-control" in the response header. As I know, there should be an expire or cache-control header in the response before the resource could come from cache.
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:*
Content-Encoding:gzip
Content-Security-Policy-Report:default-src 'self' 'unsafe-eval'; img-src *; child-src 'self' *; connect-src 'self' * wss:; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.modules.yaas.io js.stripe.com *.sapjam.com *.hanatrial.ondemand.com; style-src 'self' 'unsafe-inline' sapui5.hana.ondemand.com data: *.yaas.io api.eu.yaas.io api.us.yaas.io s3.amazonaws.com accounts.sap.com
Content-Type:application/x-javascript
Date:Fri, 14 Jul 2017 03:23:27 GMT
Etag:W/"59675378-8db28"
Last-Modified:Thu, 13 Jul 2017 11:03:20 GMT
Server:nginx/1.11.13
Vary:Accept-Encoding
X-Frame-Options:SAMEORIGIN
X-Vcap-Request-Id:34e06156-0a53-49d8-6e1e-f0ad50ac46bb
X-Xss-Protection:1; mode=block
Please see the HTTP response header screenshot.
When I use Firefox Firebug to investigate, there is a cache section indicating an expire date, but there is no expire date in the response header.
If the server does not provide explicit expiration times, a cache MAY assign a heuristic expiration time.
Defined in RFC 7234 Section 4 and Section 4.2.2
One heuristic algorithm is
('date header value' - 'last-modified header value') * 10%
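As an added example (not the answer's own code), the heuristic above carried through with the Date and Last-Modified values from the response headers shown in the question; the 10% fraction is the one the answer cites, and the RFC leaves the exact fraction to the cache.

```python
from datetime import timedelta
from email.utils import format_datetime, parsedate_to_datetime

# Constructed example, not the answer's own code: compute the heuristic
# freshness lifetime RFC 7234 section 4.2.2 permits when a response carries
# neither Expires nor Cache-Control max-age, using the Date and
# Last-Modified values from the response quoted in the question.
HEADERS = {
    "Date": "Fri, 14 Jul 2017 03:23:27 GMT",
    "Last-Modified": "Thu, 13 Jul 2017 11:03:20 GMT",
    "Etag": 'W/"59675378-8db28"',
}


def has_explicit_freshness(headers):
    """True if the origin gave an explicit lifetime (Expires, max-age, s-maxage)."""
    cc = headers.get("Cache-Control", "").lower()
    return "Expires" in headers or "max-age=" in cc or "s-maxage=" in cc


def heuristic_freshness_seconds(headers, fraction=0.10):
    """fraction * (Date - Last-Modified), or 0 when a heuristic is not allowed:
    explicit freshness given, no Last-Modified to base it on, or caching
    forbidden by no-store / no-cache."""
    cc = headers.get("Cache-Control", "").lower()
    if has_explicit_freshness(headers) or "Last-Modified" not in headers:
        return 0
    if "no-store" in cc or "no-cache" in cc:
        return 0
    date = parsedate_to_datetime(headers["Date"])
    last_modified = parsedate_to_datetime(headers["Last-Modified"])
    content_age = (date - last_modified).total_seconds()
    return int(max(content_age, 0) * fraction)


def heuristic_expires(headers):
    """The computed expiry a browser such as Firefox may show in its cache view."""
    date = parsedate_to_datetime(headers["Date"])
    expires = date + timedelta(seconds=heuristic_freshness_seconds(headers))
    return format_datetime(expires, usegmt=True)
```

For the headers above the content had been unchanged for 58807 seconds when served, so the heuristic lifetime is 5880 seconds (about 1h38m) and the computed expiry is 05:01:27 GMT the same day.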

Content-Security-Policy: default-src 'none'; jQuery font error : 'font-src' was not explicitly set, so 'default-src' is used as a fallback

Content-Security-Policy HTTP Header Reference:
https://content-security-policy.com/
Chrome error: jQuery font error : 'font-src' was not explicitly set, so 'default-src' is used as a fallback
I recently had a new Content-Security-Policy header enforced for our web servers and ran into this issue for jQuery 1.11.3 fonts. Unfortunately it is a legacy web application and relies on this older version of jQuery.
Is there an example of how to set the font-src header correctly for NGINX web server?
So this is from this gist:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
particularly relevant is:
font-src 'self' https://themes.googleusercontent.com;
Basically, if you have a bunch of rules you should split each one with a semicolon; "special" ones you should have in quotes, and any domains like fonts.google.com can just be listed separated by a space, no quotes. It is exactly the same syntax as the http-equiv Content-Security-Policy meta tag.
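As an added example (not code from this answer or the Safari answer above), a small CSP parser that follows the syntax just described, flags keyword sources missing their single quotes (the bare unsafe-inline from the Safari question, which a browser reads as a host name) and resolves which directive actually governs a fetch when one is absent, such as the font-src to default-src fallback behind the Chrome error quoted at the top of this question.

```python
# Constructed example, not code from either answer above: parse a CSP header
# the way the answers describe (directives split on ';', sources split on
# whitespace), flag keyword sources missing their single quotes (a bare
# unsafe-inline is read as a host name, the Safari problem above), and
# resolve which directive governs a fetch when one is absent, e.g. the
# font-src -> default-src fallback behind the Chrome error quoted above.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic",
            "report-sample", "unsafe-hashes"}

# Fallback chains from the CSP spec: the first directive present wins.
FALLBACK = {
    "font-src": ["font-src", "default-src"],
    "img-src": ["img-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
}


def parse_csp(policy):
    """'name src src; name src' -> {name: [src, ...]}; a repeated name is ignored."""
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def unquoted_keywords(policy):
    """Keyword sources written without quotes, which browsers treat as hosts."""
    return [f"{name}: {src}" for name, sources in parse_csp(policy).items()
            for src in sources if src.lower() in KEYWORDS]


def effective_sources(policy, directive):
    """(directive actually applied, its sources) for a fetch directive."""
    parsed = parse_csp(policy)
    for candidate in FALLBACK.get(directive, [directive, "default-src"]):
        if candidate in parsed:
            return candidate, parsed[candidate]
    return None, None  # nothing governs this fetch: it is unrestricted
```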

Font-Awesome giving me an error in the browser console

I am getting these 3 errors:
GET http://www.desktop.just4bettors.mobi/fonts/fontawesome-webfont.woff2?v=4.3.0
GET http://www.desktop.just4bettors.mobi/fonts/fontawesome-webfont.woff?v=4.3.0
GET http://www.desktop.just4bettors.mobi/fonts/fontawesome-webfont.ttf?v=4.3.0
I am configuring my NGINX for Content-Security-Policy. Everything was working before; Font-Awesome was loading correctly until I set up the Content-Security-Policy, and this is what I have in that file:
add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com
https://fonts.gstatic.com
https://themes.googleusercontent.com
https://assets.zendesk.com;
font-src 'self' https://themes.googleusercontent.com
https://fonts.gstatic.com;";