I'm building an app with cordova/vuetify/firebase right now and my content security policy is giving me some trouble.
Anytime I try to create a new user I see this error:
Refused to connect to 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/signupNewUser?key=...' because it violates the following Content Security Policy directive: "connect-src 'self' ws:".
Here's my current CSP:
<meta http-equiv=Content-Security-Policy content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; connect-src 'self' ws:;">
Thanks for any help!
Put your links after connect-src 'self':
https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data: content:; connect-src 'self' ______________ ws:;">
I am receiving the error as shown below when inserting the utteranc.es commenting system into my site. How can I solve this issue?
And below is my next.config.js:
// https://nextjs.org/docs/advanced-features/security-headers
const ContentSecurityPolicy = `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com utteranc.es;
child-src *.youtube.com *.google.com *.twitter.com utteranc.es;
frame-src utteranc.es;
style-src 'self' 'unsafe-inline' *.googleapis.com;
img-src * blob: data:;
media-src 'none';
connect-src *;
font-src 'self';
`;
I'm trying to embed a URL from a server we control onto a Google Site using a Full Page Embed, but I keep getting the error:
"Can't embed due to provider site permissions. URL will display as a text link."
I figured it was simply a matter of fixing the Content-Security-Policy in Apache, but clearly either I'm doing something wrong with that header or there's something else missing.
I tried the following:
Content-Security-Policy: frame-ancestors 'self' https://*.google.com https://google.com;
Content-Security-Policy: frame-ancestors 'self' *;
Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline'; frame-ancestors * data: blob: 'unsafe-inline';
Any assistance would be appreciated.
One fairly insecure way to do this is actually to just disable all of the default security headers:
Header unset X-Frame-Options
Header unset Content-Security-Policy
Set the Content-Security-Policy to:
frame-src 'self'; frame-ancestors 'self' sites.google.com www.gstatic.com *.googleusercontent.com; object-src 'none';
And the X-Frame-Options to:
ALLOW-FROM https://sites.google.com/
I am new to using NGINX with Magento 2 and have some problems with the CSP headers. I hope I may find help here. In the past I used Apache and CentOS, but I will run the webserver on NGINX in the future.
First of all, I am running NGINX with MariaDB and PHP 7.4 on Ubuntu 20.04. My Magento 2 is running 2.4.3-p1. The site loads normally, but in the console I find these entries for CSP warnings:
Content Security Policy: This website has a report-only rule without a report URI. CSP will not block anything and will not be able to report any violations of this rule.
Content Security Policy: https: // unsafe-inline is interpreted as a host name, not as a keyword. If this is a keyword, use 'unsafe-inline' (enclosed in single quotes).
I have the following headers included in my sites-config:
add_header X-Processing-Time $request_time always;
add_header X-Request-ID $request_id always;
add_header X-UA-Compatible "IE=Edge,chrome=1";
add_header Referrer-Policy "no-referrer" always;
add_header Referrer-Policy "no-referrer no-referrer-when-downgrade strict-origin strict-origin-when-cross-origin same-origin";
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
add_header X-Robots-Tag none;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https://google.com https://youtube.com https://facebook.com https://fonts.google.com https://fonts.googleapis.com https://ajax.googleapis.com https://www.google-analytics.com https://cdnjs.cloudflare.com https://code.jquery.com https://connect.facebook.net; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; font-src 'self'; object-src 'self'; report-uri /csp-report; media-src 'self'; form-action 'self'; frame-ancestors 'self';" always;
I have researched this but cannot find anything to resolve it.
What is wrong? How do I fix this issue?
If you need more information I could paste it here - just ask.
Could someone help me to solve this? I am very happy for every solution.
Thank you.
~Beendeluxe
Update:
I am totally confused... I reset everything and it's still the same warnings I mentioned above. I don't know how to fix it...
Here is my header:
Server nginx
Date Sat, 18 Dec 2021 13:26:32 GMT
Content-Type text/html; charset=UTF-8
Transfer-Encoding chunked
Connection keep-alive
Vary Accept-Encoding
Set-Cookie PHPSESSID=d63jrgjpfk9gqld170in5japk0; expires=Sat, 18-Dec-2021 14:26:32 GMT; Max-Age=3600; path=/; domain=mydomain; secure; HttpOnly; SameSite=Lax
Pragma no-cache
Cache-Control max-age=0, must-revalidate, no-cache, no-store
Expires Fri, 18 Dec 2020 13:10:29 GMT
Content-Security-Policy-Report-Only font-src *.yotpo.com *.googleapis.com *.gstatic.com data: 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com pilot-payflowlink.paypal.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazon.de *.yotpo.com 'self' 'unsafe-inline'; frame-ancestors 'self'; frame-src fast.amc.demdex.net *.adobe.com secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.paypal.com www.sandbox.paypal.com pilot-payflowlink.paypal.com player.vimeo.com *.youtube.com https://www.google.com/recaptcha/ *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazon.de *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es *.payments-amazon.de *.dotdigital-pages.com *.dotdigital.com cdn.dnky.co webchat.dotdigital.com c.paypal.com checkout.paypal.com assets.braintreegateway.com pay.google.com *.cardinalcommerce.com *.yotpo.com 'self' 'unsafe-inline'; img-src assets.adobedtm.com amcglobal.sc.omtrdc.net dpm.demdex.net cm.everesttech.net *.adobe.com widgets.magentocommerce.com data: www.googleadservices.com www.google-analytics.com www.paypalobjects.com t.paypal.com *.ftcdn.net *.behance.net www.paypal.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com i.ytimg.com d3sbl0c71oxeok.cloudfront.net dhkkzdfmpzvap.cloudfront.net d2bpzs5y44q6e0.cloudfront.net d37shgu97oizpd.cloudfront.net d1zlqll3enr74n.cloudfront.net d1jynp0fpwn93a.cloudfront.net d2cb3tokgpwh3v.cloudfront.net d1re8bfxx3pw6e.cloudfront.net 
d35u8xwkxs8vpe.cloudfront.net d13s9xffygp5o.cloudfront.net d388nbw0dwi1jm.cloudfront.net d11p2vtu3dppaw.cloudfront.net d3r89hiip86hka.cloudfront.net dc7snq0c8ipyk.cloudfront.net d5c7kvljggzso.cloudfront.net d2h8yg3ypfzua1.cloudfront.net d1b556x7apj5fb.cloudfront.net draz1ib3z71v2.cloudfront.net dr6hdp4s5yzfc.cloudfront.net d2bomicxw8p7ii.cloudfront.net d3aypcdgvjnnam.cloudfront.net d2a3iuf10348gy.cloudfront.net *.ssl-images-amazon.com *.ssl-images-amazon.co.uk *.ssl-images-amazon.co.jp *.ssl-images-amazon.jp *.ssl-images-amazon.it *.ssl-images-amazon.fr *.ssl-images-amazon.es *.ssl-images-amazon.de *.media-amazon.com *.media-amazon.co.uk *.media-amazon.co.jp *.media-amazon.jp *.media-amazon.it *.media-amazon.fr *.media-amazon.es *.media-amazon.de www.sandbox.paypal.com b.stats.paypal.com dub.stats.paypal.com assets.braintreegateway.com c.paypal.com checkout.paypal.com *.yotpo.com data: 'self' 'unsafe-inline'; script-src assets.adobedtm.com *.adobe.com secure.authorize.net test.authorize.net www.googleadservices.com www.google-analytics.com www.paypalobjects.com js.braintreegateway.com www.paypal.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.sandbox.paypal.com t.paypal.com s.ytimg.com www.googleapis.com vimeo.com www.vimeo.com *.vimeocdn.com https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/ *.payments-amazon.com *.payments-amazon.co.uk *.payments-amazon.co.jp *.payments-amazon.jp *.payments-amazon.it *.payments-amazon.fr *.payments-amazon.es *.payments-amazon.de *.trackedlink.net *.trackedweb.net *.dotdigital-pages.com cdn.dnky.co webchat.dotdigital.com assets.braintreegateway.com c.paypal.com pay.google.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.yotpo.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src *.adobe.com 
cdn.dnky.co webchat.dotdigital.com unsafe-inline *.yotpo.com *.googleapis.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src *.adobe.com 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src dpm.demdex.net amcglobal.sc.omtrdc.net www.google-analytics.com geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com www.sandbox.paypal.com www.paypalobjects.com www.paypal.com *.amazon.com *.amazon.co.uk *.amazon.co.jp *.amazon.jp *.amazon.it *.amazon.fr *.amazon.es *.amazon.de *.amazonpay.com *.amazonpay.co.uk *.amazonpay.co.jp *.amazonpay.jp *.amazonpay.it *.amazonpay.fr *.amazonpay.es *.amazonpay.de mws.amazonservices.com mws.amazonservices.co.uk mws.amazonservices.co.jp mws.amazonservices.jp mws.amazonservices.it mws.amazonservices.fr mws.amazonservices.es mws.amazonservices.de *.trackedlink.net *.trackedweb.net *.dotdigital-pages.com webchat.dotdigital.com api.braintreegateway.com api.sandbox.braintreegateway.com client-analytics.braintreegateway.com client-analytics.sandbox.braintreegateway.com *.braintree-api.com *.yotpo.com 'self' 'unsafe-inline'; child-src assets.braintreegateway.com c.paypal.com http: https: blob: 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';
X-Content-Type-Options nosniff
X-XSS-Protection 1; mode=block
X-Frame-Options SAMEORIGIN
Strict-Transport-Security max-age=31536000
Content-Encoding
I really don't understand why both warnings mentioned above are showing up. If I change the line:
add_header Content-Security-Policy "default-src 'self'....
in my nginx sites config
to 'self' only, then all external rules are blocked. If I add e.g. https://www.google.com, then Google will be accepted too.
Do I need to paste all add_header into a one-liner? So all these headers:
add_header X-Processing-Time $request_time always;
add_header X-Request-ID $request_id always;
add_header X-UA-Compatible "IE=Edge,chrome=1";
add_header Referrer-Policy "no-referrer" always;
add_header Referrer-Policy "no-referrer no-referrer-when-downgrade strict-origin strict-origin-when-cross-origin same-origin";
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
add_header X-Robots-Tag none;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https://google.com https://youtube.com https://facebook.com https://fonts.google.com https://fonts.googleapis.com https://ajax.googleapis.com https://www.google-analytics.com https://cdnjs.cloudflare.com https://code.jquery.com https://connect.facebook.net; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; font-src 'self'; object-src 'self'; report-uri /csp-report; media-src 'self'; form-action 'self'; frame-ancestors 'self';" always;
may come into one line only? Could the .htaccess files in the web folders also cause some header errors? I didn't change anything, but by default there are some .htaccess files in the /var/www/mydomain/ folders.
I hope that there is someone who can guide me to fix my issue. I would be really happy if someone can help.
Thank you.
The browser says you are setting Content-Security-Policy-Report-Only, which only makes full sense when report-to or report-uri is defined. For development purposes it does make sense though, as all violations will surface at once and not be blocked by the first violation. As CSPRO is not in your header definition, you should check whether it is present in the response headers and controlled elsewhere.
Again, check your response headers to see what values are being sent. You should also check if CSP is set in a meta tag.
When I add this code to my .htaccess file, all my headers are secured, but then my images stop working. After removing this code the images work perfectly.
Is there any suggestion for me to secure my WordPress website's HTTP headers?
<ifModule mod_headers.c>
# Header values containing spaces or semicolons must be double-quoted
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy no-referrer-when-downgrade
Header set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts"
Header set Permissions-Policy 'self'
</ifModule>
Could you please try the following? I have removed the img-src http: data:;
<ifModule mod_headers.c>
# Header values containing spaces or semicolons must be double-quoted
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy no-referrer-when-downgrade
Header set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' http:; style-src 'unsafe-inline' http:; font-src http: data:; sandbox allow-forms allow-scripts"
Header set Permissions-Policy 'self'
</ifModule>
Below is my configuration, and even though it seems appropriately configured for ttf fonts, they don't get served (file here, from fullcalendar)
[...]
http {
[...]
include /etc/nginx/mime.types;
types {
application/x-font-ttf ttf;
font/ttf ttf;
font/otf otf;
font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
}
[...]
}
server {
proxy_set_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://ajax.googleapis.com https://use.fontawesome.com; frame-src 'self'; img-src 'self' https://via.placeholder.com data: ; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://use.fontawesome.com data: ; font-src 'self' https://themes.googleusercontent.com https://maxcdn.bootstrapcdn.com https://use.fontawesome.com data: ; form-action 'self'; upgrade-insecure-requests 'always'; object-src 'none'";
}
[...]
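The Magento/NGINX question above and this last NGINX font question both turn on what the browser actually receives rather than what the config says. Two nginx facts matter: add_header directives are inherited from the enclosing block only when the current block (for instance the PHP location) defines no add_header of its own, and proxy_set_header sets headers on the request forwarded to the upstream, not on the response to the browser, so a Content-Security-Policy set that way never reaches the client. In the Magento case the response dump already shows the nginx block is not applied to that response: it carries Strict-Transport-Security max-age=31536000 while the config sets 15552000, and the long Content-Security-Policy-Report-Only header is the one Magento 2.4 emits itself through its Magento_Csp module (report-only by default, with allowlists contributed by payment and marketing modules); both console warnings refer to that header. The following is an added lint pass, not code from the posts, from Magento or from nginx, that reproduces the checks behind those warnings over a constructed, condensed copy of the headers from the nginx config and the response dump: a report-only policy without report-uri/report-to, a keyword written without quotes, a header sent twice, Referrer-Policy tokens separated by spaces instead of commas, and a value-less directive given a value (the upgrade-insecure-requests 'always' from the font question).

```javascript
// Added example (not from the posts, Magento or nginx): lint raw response headers for the
// CSP and header mistakes discussed on this page.

// Directives that carry no value; browsers apply the directive and ignore any value supplied.
const NO_VALUE_DIRECTIVES = new Set(['upgrade-insecure-requests', 'block-all-mixed-content']);
// Keywords that must be single-quoted; written bare they parse as host names.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes',
  'strict-dynamic', 'report-sample', 'wasm-unsafe-eval']);

// Split raw "Name: value" lines into [lower-cased name, value] pairs.
function parseHeaders(raw) {
  return raw.split(/\r?\n/).map((l) => l.trim()).filter(Boolean).map((l) => {
    const i = l.indexOf(':');
    return [l.slice(0, i).trim().toLowerCase(), l.slice(i + 1).trim()];
  });
}

// Lint one CSP or CSP-Report-Only value. Returns human-readable findings.
function lintPolicy(headerName, policy) {
  const findings = [];
  const seen = new Set();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const dir = name.toLowerCase();
    if (seen.has(dir)) findings.push(`${headerName}: duplicate directive ${dir}; only the first is honoured`);
    seen.add(dir);
    if (NO_VALUE_DIRECTIVES.has(dir) && values.length) {
      findings.push(`${headerName}: ${dir} takes no value; "${values.join(' ')}" is ignored`);
    }
    for (const v of values) {
      if (KEYWORDS.has(v.toLowerCase())) {
        findings.push(`${headerName}: bare keyword ${v} in ${dir}; write '${v}' or it is treated as a host name`);
      }
    }
  }
  if (headerName === 'content-security-policy-report-only' && !seen.has('report-uri') && !seen.has('report-to')) {
    findings.push(`${headerName}: no report-uri/report-to, so nothing is blocked and nothing is reported`);
  }
  return findings;
}

// Lint a whole response: repeated headers, Referrer-Policy syntax, and every CSP header present.
function lintHeaders(raw) {
  const headers = parseHeaders(raw);
  const findings = [];
  const counts = new Map();
  for (const [name] of headers) counts.set(name, (counts.get(name) || 0) + 1);
  for (const [name, n] of counts) {
    if (n > 1 && name !== 'set-cookie') findings.push(`${name}: sent ${n} times`);
  }
  for (const [name, value] of headers) {
    if (name === 'referrer-policy' && /\s/.test(value) && !value.includes(',')) {
      findings.push(`referrer-policy: "${value}" is not a comma-separated token list`);
    }
    if (name === 'content-security-policy' || name === 'content-security-policy-report-only') {
      findings.push(...lintPolicy(name, value));
    }
  }
  return findings;
}

// Constructed, condensed copy of the headers in the question: the two Referrer-Policy lines from the
// nginx config plus a shortened Content-Security-Policy-Report-Only from the response dump.
const SAMPLE_RESPONSE = [
  'Server: nginx',
  'Referrer-Policy: no-referrer',
  'Referrer-Policy: no-referrer no-referrer-when-downgrade strict-origin strict-origin-when-cross-origin same-origin',
  "Content-Security-Policy-Report-Only: font-src *.yotpo.com *.googleapis.com data: 'self' 'unsafe-inline'; " +
    "frame-ancestors 'self'; script-src *.adobe.com www.google-analytics.com 'self' 'unsafe-inline' 'unsafe-eval'; " +
    "style-src *.adobe.com cdn.dnky.co webchat.dotdigital.com unsafe-inline *.yotpo.com 'self' 'unsafe-inline'; " +
    "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
  'X-Frame-Options: SAMEORIGIN',
].join('\n');

// Shortened form of the proxy_set_header policy from the font question, as the browser would parse it if it were sent.
const FONT_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com; " +
  "font-src 'self' https://use.fontawesome.com data:; form-action 'self'; upgrade-insecure-requests 'always'; object-src 'none'";

for (const f of [...lintHeaders(SAMPLE_RESPONSE), ...lintPolicy('content-security-policy', FONT_POLICY)]) console.log(f);
```

Run it against the real response (curl -sI or the browser's network panel) rather than against the nginx file, since the file is not what the browser sees; the Magento report-only header is configured through Magento itself, not through nginx.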