Suppose there are A, B, C, D and E JS files present in a CDN but we are using only B and C.
Currently script-src in the CSP allows all JS files to be downloaded from that CDN, but I want to restrict the download to only B and C for my application.
Can this be done in the Content Security Policy configuration?
<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com" />
You can use paths in the Content Security Policy (a path should have a trailing slash). For example:
script-src cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/;
allows loading any script from the specified path, for instance https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js or https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.js,
but not https://cdnjs.cloudflare.com/ajax/libs/jquery/2.6.1/jquery.js.
You can specify an exact file name like:
script-src cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.js;
this will allow the specified script only.
Please keep in mind that the above can be bypassed if your web app (or CDN) allows open redirects, because CSP does not check paths in case of redirects. So:
<script src='https://your_domain.com/?redirect=https://cdnjs.cloudflare.com/ajax/libs/vue/1.0.4/vue.js'></script>
will be allowed to load the vue.js script.
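As an added example (not from the answer above), a small model of the CSP path-matching rules the answer describes: a source with a trailing slash matches any file below that directory, a source without one matches exactly that file, and after a redirect the browser compares only scheme and host. The `redirected` flag and the `directive_allows` helper are assumptions for illustration; keyword sources such as 'self' are skipped.

```python
from urllib.parse import urlsplit

def _split_source(expr: str):
    """Split a host-source such as 'cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/'
    into (scheme or None, host, path)."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host, _, path = expr.partition("/")
    return scheme, host.lower(), ("/" + path) if path else ""

def source_allows(expr: str, url: str, redirected: bool = False) -> bool:
    """True if host-source `expr` matches `url` under CSP matching rules.
    redirected=True models a URL reached through an HTTP redirect: the browser then
    compares scheme and host only and ignores the path (the bypass the answer warns about)."""
    scheme, host, path = _split_source(expr)
    u = urlsplit(url)
    if scheme is not None and scheme.lower() != u.scheme.lower():
        return False
    if scheme is None and u.scheme.lower() not in ("http", "https"):
        return False  # simplification: a scheme-less source is taken to cover http/https only
    if (u.hostname or "").lower() != host:
        return False
    if redirected or not path:
        return True   # no path in the source, or path ignored because of the redirect
    if path.endswith("/"):
        return u.path.startswith(path)   # trailing slash: any file below that directory
    return u.path == path                # no trailing slash: exactly this file

def directive_allows(sources: str, url: str, redirected: bool = False) -> bool:
    """Evaluate a whole script-src value, e.g. "'self' cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/".
    Keyword sources such as 'self' are skipped here for brevity."""
    return any(source_allows(s, url, redirected)
               for s in sources.split() if not s.startswith("'"))
```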
My ASP.NET project is working fine on our QA machine and is deployed at the customer end. But when they browse the URL, the website is not displaying properly; there is some alignment issue at the customer side in any browser. When I pressed F12, it shows this error: "Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-yP/phO6MWRqPDsL5fwP/+7pIbMUdA+zgVlj8/r2BJDo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."
It seems the server-side "Content Security Policy" is missing??
Can anyone guide me on what needs to be done at the server side to fix the above issue, as it is working fine in our environments like DEV and QA?
Thanks in advance
There is a Content Security Policy set on the customer system. This could be a default policy added or an intentional restriction by the customer. You will first need to find where the policy is added and then either remove or modify it or alternatively change your code.
Based on the error messages you'll need to rewrite inline script and inline style into separate files, or add "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'". Note that allowing 'unsafe-inline' is not desired, so your preferred option should be to change your code. Noting that violations arise from jquery.min.js, it might help to upgrade jQuery if the version used is old.
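As an added example (not part of the question or answer above), this computes the 'sha256-...' source the browser error refers to and models how a script-src value decides whether an inline script may run. The `inline_allowed` and `make_nonce` helpers are assumptions for illustration; only sha256 hashes are handled.

```python
import base64
import hashlib
import secrets

def csp_sha256(inline_script: str) -> str:
    """Return the 'sha256-...' source expression for an inline script body.
    The hash covers the exact text between <script> and </script>, whitespace included."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def make_nonce() -> str:
    """Fresh per-response nonce; the same value goes into the header and the tag's nonce attribute."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def inline_allowed(script_src: str, inline_script: str, tag_nonce: str = "") -> bool:
    """Model the browser decision for one inline <script> under a script-src value.
    Caveat: once any nonce- or hash-source is present, 'unsafe-inline' is ignored,
    so adding a hash to a policy that relied on 'unsafe-inline' can break other inline scripts."""
    keywords = [s.strip("'") for s in script_src.split() if s.startswith("'")]
    hashes = {k for k in keywords if k.startswith("sha256-")}
    nonces = {k[len("nonce-"):] for k in keywords if k.startswith("nonce-")}
    if hashes or nonces:
        return csp_sha256(inline_script) in hashes or bool(tag_nonce and tag_nonce in nonces)
    return "unsafe-inline" in keywords
```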
So I'm trying to avoid using (another) page rule to disable Rocket Loader for one of my subdomains, since we can't use a regex to select multiple specific subdomains under a single page rule, and only get 3 page rules for free accounts.
According to this page:
https://support.cloudflare.com/hc/en-us/articles/216537517-Using-Content-Security-Policy-CSP-with-Cloudflare
I can just add a header to the domain to allow scripts from Cloudflare:
add_header Content-Security-Policy "script-src 'self' ajax.cloudflare.com;";
I did so in the Nginx config for that subdomain (it's a Chronograf container actually), restarted Nginx, and tested to make sure it "took", which it did:
But then when I try to load the domain, it won't load, and the inspector shows this:
Not being super familiar with this, does anyone know where I screwed it up?
where I screwed it up?
First of all, here:
I can just add a header to the domain to allow scripts from CloudFlare:
add_header Content-Security-Policy "script-src 'self' ajax.cloudflare.com;";
I did so in the Nginx config
And secondly, you trusted the report-uri service, but it failed you.
You had an issue with ajax.cloudflare.com BEFORE adding the CSP header to the Nginx config (otherwise, why add it). This means that you already have a CSP published via an HTTP header or a meta tag <meta http-equiv='Content-Security-Policy'>.
By adding the CSP header to the Nginx configuration, you have added a second policy to the pages.
Multiple CSPs work as sequential filters: all sources must pass through both CSPs to be allowed. The second CSP allows the ajax.cloudflare.com host-source, but the first one still prohibits it (which is what you observe in the inspector).
You have to figure out where the first CSP is published and add ajax.cloudflare.com to it, instead of publishing a second CSP.
No one knows what is under the hood of report-uri and how it will react if two CSP HTTP headers, or an HTTP header paired with a meta tag, are published simultaneously.
Have a look at which CSPs, and how many of them, the browser actually gets; the guide is here.
In the case of 2 CSP headers you will see something like this:
In the case of a CSP meta tag you can easily check by inspecting the HTML code.
I think the report-uri just did not expect such a situation.
Our website is built with WordPress and published on an Azure web service. Our goal is to use Google Analytics for checking traffic. For this, the Google Analytics tag was added in the header part of our page, which causes the following error:
Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=??' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I understand that violation of the Content Security Policy is the main problem. Therefore, I added a meta tag in the header (Content-Security-Policy: script-src 'unsafe-inline') but the issue did not disappear. I will appreciate any help.
Since you have got a Content Security Policy (CSP) violation, you already have a first CSP published on the page.
Adding a second CSP via a meta tag (or even via a second HTTP header) will not solve the problem, because all sources must pass through both CSPs to be allowed.
Therefore you have to add the blocked source (https://www.googletagmanager.com) to the first CSP, into script-src 'self' 'unsafe-eval' 'unsafe-inline' *.msecnd.net *.google.com *.gstatic.com;.
Check if your WP has some installed plugins to manage CSP, or whether the CSP is published in the .htaccess file.
Since you have 'unsafe-eval' 'unsafe-inline' in the script-src, you should not have problems with Google Tag Manager (GTM).
Anyway, you can check the CSP for your GTM-XXXXXX ID: which additional scripts are loaded by GTM and which tokens are required in your specific case.
I have a Jira instance running under nginx and we have some CSPs configured in nginx.
Now we are installing an app that generates links that trigger a browser extension; the URLs start with goedit:
The vendor of the app suggests this CSP header:
add_header Content-Security-Policy "default-src https: goedit: wss: 'unsafe-inline' 'unsafe-eval'; img-src https: data: 'unsafe-inline'" always;
I am now trying to incorporate this into our CSP header.
Our CSP header includes
frame-src '' https://assets.zendesk.com https://www.facebook.com https://$server_name;
When I now click on one of the links for that app I get this error message in the console:
Refused to frame '' because it violates the following Content Security Policy
directive: "frame-src https://assets.zendesk.com https://www.facebook.com https://my-server.dein-james.de".
I am wondering: what do I need to put into frame-src to allow this kind of link ('')?
I'd rather not drop the whole frame-src part; I want to keep those whitelisted.
Thanks in advance
Jens
I know this is quite an old thread now but I came across a similar issue today. With mine I was using data: in the object-src and I had to ensure data: was then in the frame-src.
Therefore I would check that in frame-src you include any schemes; I suspect it might be the goedit: or wss: in your example.
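As an added example (not from any of the answers above), a small policy evaluator covering two points made in these threads: the Google Tag Manager and ajax.cloudflare.com answers state that a fetch must be allowed by every delivered policy, and the answer just above states that a goedit: link needs a scheme-source in frame-src. The `self_origin` parameter and the directive fallback table are assumptions for illustration; only 'self', scheme-sources and host-sources with a leading wildcard are modelled.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Assumed subset of the CSP fallback rules: these directives defer to default-src when absent.
FALLBACK = {"script-src": "default-src", "frame-src": "default-src", "img-src": "default-src"}

def parse_policy(header: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Match one source expression: 'self', a scheme-source (https:, goedit:), or a host-source."""
    u = urlsplit(url)
    if source == "'self'":
        return url == self_origin or url.startswith(self_origin + "/")
    if source.endswith(":") and "/" not in source:
        return u.scheme.lower() + ":" == source.lower()      # scheme-source
    if u.scheme.lower() not in ("http", "https"):
        return False          # goedit:, wss:, data: URLs never match a host-source
    if "://" in source and not source.lower().startswith(u.scheme.lower() + "://"):
        return False
    host = source.split("://", 1)[-1].split("/", 1)[0].lower()
    return fnmatch((u.hostname or "").lower(), host)          # '*.google.com' style wildcard

def policy_allows(policy: dict, directive: str, url: str, self_origin: str) -> bool:
    """Does one parsed policy allow `url` for `directive` (using default-src as fallback)?"""
    if directive in policy:
        sources = policy[directive]
    elif FALLBACK.get(directive) in policy:
        sources = policy[FALLBACK[directive]]
    else:
        return True           # this policy does not govern the directive at all
    return any(source_matches(s, url, self_origin) for s in sources)

def all_policies_allow(headers: list, directive: str, url: str, self_origin: str) -> bool:
    """Several CSPs (two headers, or a header plus a meta tag) act as sequential filters:
    every one of them must allow the fetch, so a permissive second policy cannot relax the first."""
    return all(policy_allows(parse_policy(h), directive, url, self_origin) for h in headers)
```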
Though this is old, I found that:
Stefan's solution works.
I had a situation where dynamic iframes (meaning, an iframe added dynamically) were attempting to load a PDF for nice display (in Chrome), and though the CSP contained 'self' for frame-src, and the PDF was from the current domain, some users couldn't see the content; their consoles showed the above error. After messing around, I found that there is simply a setting to tweak in the Chrome browser: go into the settings, search "pdf" and find the section where you can toggle the setting that makes PDFs download automatically vs display in the browser.
Is there a way to define a Content-Security-Policy header specifying that it should trust inline scripts/styles created from a source domain that is already whitelisted?
For instance, I have the following header:
Content-Security-Policy: script-src https://www.somesite.com
From this site I load https://www.somesite.com/somescript.js, which in turn dynamically creates inline styles and scripts, without needing a hash or nonce.
Is this possible?