content-security-policy

Content-Security-Policy (CSP): how to allow svg image in object

情到浓时终转凉″ 提交于 2021-02-08 13:07:25
问题 I am using the js plugin that adds inside itself SVG images. I have added CSP policy to my website, but I can't configure it to allow plugin's code. Its code looks like: label=$("<object style='height:10px; width:10px;' type='image/svg+xml' data='data:image/svg+xml;charset=UTF-8," + "<svg xmlns=\"http://www.w3.org/2000/svg\">" + "<rect x=\"0\" y=\"0\" some parameters/>"+ "<text>SomeText</text></svg>'></object>"); el.html(label) I am looking for a configuration that allows SVG image that is

Dynamic CSP (Content Security Policy) connect-src in Angular

让人想犯罪 __ 提交于 2021-02-08 04:51:15
问题 I defined the CSP within meta tags in my Angulars project index.html file <meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self' https://baseurl1/ https://baseurl2/ https://baseurl3/; img-src 'self' data: http://baseurl/; frame-src 'self' blob:; media-src 'self' https://baseurl/; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://baseurl/; style-src 'self' 'unsafe-inline';"> My issue is, that I want to whitelist exactly one more connect-src dynamically

Is it possible to edit the custom Content-Security-Policy header set by IIS / web.config?

寵の児 提交于 2021-02-08 04:01:36
问题 I am wondering if it's possible to modify the Content-Security-Policy header that is set under <customHeaders> within web.config . I would like to inject a nonce value if possible. I am currently doing this but I need to remove the header from web.config entirely and add it via Application_BeginRequest() I have poked around global.asax to grab the header. It doesn't seem exist at this point in the pipe line. I can only assume it is injected later on? <customHeaders> <add name="Content

Content Security Policy is Blocking URI in Allowed Domain

删除回忆录丶 提交于 2021-02-08 03:43:15
问题 I have the following content security policy set in my .htaccess file: default-src 'none'; \ form-action 'self'; \ frame-ancestors 'none'; \ font-src 'self' data: fonts.gstatic.com *.fontawesome.com; \ img-src 'self' data: www.google-analytics.com www.facebook.com; \ script-src 'self' 'unsafe-inline' www.google-analytics.com ssl.google-analytics.com www.google.com www.gstatic.com ajax.cloudflare.com www.googletagmanager.com connect.facebook.net *.fontawesome.com; \ style-src 'self' 'unsafe

How can I modify HTTP headers in ASP.NET (Web Forms) that are defined in web.config

孤者浪人 提交于 2021-02-07 14:22:54
问题 I have some custom HTTP response headers defined in an ASP.NET (Web Forms) website's web.config. I'm trying to write a managed HTTP module that can modify these web.config defined headers before they're sent back to the client. Unfortunately, whatever event I use (PreSendRequestHeaders, EndRequest) , the headers defined in web.config do not exist in the Response.Headers collection. I'm aware that PreSendRequestHeaders is not recommended so I also tried using Response.AddOnSendingHeaders but

Customize web form script generation

白昼怎懂夜的黑 提交于 2021-02-05 07:24:05
问题 Ok, yes, it's 2020 but don't laugh. I'm trying update some ASP.NET web forms. My goal is to lock them down, making them more secure by applying a more restrictive Content Security Policy (CSP). To that end, I'm using a nonce, rather than allowing unsafe-inline for scripting. For "simple" web forms, it's working fine. However, I hit a problem whenever there's an asp control that results in a post back. When I look in the page source, I see stuff like this: <script type="text/javascript"> //<!

Angular 7 configure x-frame-options in localhost IIS Express

[亡魂溺海] 提交于 2021-01-29 16:11:12
问题 Angular Version - 7.2 Environment - localhost IDE - Visual Studio Code Browser - Chrome Localhost Web Server - Express I have project built in angular framework and it is running with Express web-server in my localhost . I added the x-frame-options in the web.config but it is not showing up in the webpage response header. I want to test this change in the app running in localhost. Please suggest, how can i view this property in the response headers. Web.config code changes :- <httpProtocol>

Getting content security policy error after deploying react/express app

谁说胖子不能爱 提交于 2021-01-29 11:25:23
问题 I deployed a react/express app to heroku and when going to here I get this error 'Refused to load the image 'https://nameless-sands-37753.herokuapp.com/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.'. Here's what I tried: Added this to manifest.json: "content_security_policy": "default-src 'self' https://nameless-sands-37753.herokuapp.com/" Added this to

How to allow content security policy to run external javascript from google api?

落爺英雄遲暮 提交于 2021-01-28 06:00:35
问题 This is my current script-src content security policy for my app: script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://maps.gstatic.com; trying to load the following external js code: https://maps.googleapis.com/maps/api/js?key=${GOOGLE_API_KEY}&libraries=places&language=he using unsafe-inline it works, but probably unsafe, so I want to remove it in my code, but then it doesn't allow the script to run. tried to add to script-src a value such as https://maps.googleapis.com/*

Google+ integration chrome extension issue

送分小仙女□ 提交于 2021-01-27 13:54:25
问题 I am trying to integrate google+ API with my google chrome extension. My integration based on this quick start example introduced here: https://developers.google.com/+/quickstart/javascript I have migrated all inline javascript code to separate files, added content_security_policy line in my manifest.json file: "content_security_policy": "script-src 'self' https://www.googleapis.com/ https://plus.google.com/ https://apis.google.com/ https://accounts.google.com/ https://ssl.gstatic.com https:/