content-security-policy

How to whitelist dynamically created scripts in a WebForms project using CSP (Content Security Policy)?

断了今生、忘了曾经 submitted on 2021-01-27 05:26:48
Question: Is there a secure way of whitelisting dynamically created scripts in a WebForms project using CSP (Content Security Policy)? Using unsafe-inline like below, it works but is not recommended. context.Response.Headers.Append("Content-Security-Policy", string.Format("default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data: https:; style-src 'self'; script-src 'self' 'unsafe-inline'")); For any other options such as nonce-(random), we see this CSP error message: Refused to

Call to function() blocked by CSP even after adding 'unsafe-eval'

房东的猫 submitted on 2020-12-31 08:43:02
Question: I am working on a NodeJS project and I'm using CSP (Content Security Policy). I'm using an external plugin, FullCalendar, which is being blocked by CSP, giving the following error: Error: call to Function() blocked by CSP I use script-src 'self' 'unsafe-eval'; to override it, but it did not work in Firefox. In other browsers it works fine. I have been stuck on this issue for 4 hours. It would be helpful to get the solution. I am using the following format in the CSP restrictions. X-Content-Security-Policy:

Why are iframe requests not sending cookies?

喜夏-厌秋 submitted on 2020-12-30 04:57:34
Question: A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users. scaffold.html: <html> <head> <title>I just show the output from a bunch of report calls</title> </head> <body> <iframe src="https://somesite.com/useful_report.html
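The rule that governs this layout is SameSite: a cookie without SameSite=None is not attached to a cross-site subresource request, and an iframe load is a subresource request, not a top-level navigation. The following added example (not part of the question) models that decision and applies it to the scaffold/iframe layout described above. Assumptions: hostnames are used as-is as the "site" (a real browser reduces them to scheme plus registrable domain via the Public Suffix List), the scaffold is assumed to live on intranet.example, and a cookie with no SameSite attribute is treated as Lax, which is Chrome's default; other browsers differ.

```javascript
// Added example (not part of the original question): a model of the SameSite
// rules that decide whether a browser attaches a cookie to a request.
// Assumptions: hostname stands in for the registrable domain; a missing
// SameSite attribute is treated as Lax (Chrome's default since v80).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// cookie:  { sameSite?: 'Strict' | 'Lax' | 'None', secure?: boolean }
// request: { url, topLevelUrl, isTopLevelNavigation, method }
//   topLevelUrl is the top-level document the request is made from
//   (for a navigation, the page that initiated it).
function cookieIsSent(cookie, request) {
  if (siteOf(request.url) === siteOf(request.topLevelUrl)) return true; // same-site: always sent
  const value = String(cookie.sameSite || '').toLowerCase();
  const mode = ['strict', 'lax', 'none'].includes(value) ? value : 'lax'; // unknown/missing -> Lax
  switch (mode) {
    case 'strict':
      // Never sent cross-site.
      return false;
    case 'lax':
      // Cross-site Lax cookies ride only on top-level navigations with safe
      // methods; a subresource load such as an <iframe> is not one of those.
      return request.isTopLevelNavigation === true &&
             SAFE_METHODS.has(request.method.toUpperCase());
    case 'none':
      // SameSite=None is honoured only together with Secure, over HTTPS.
      return cookie.secure === true && request.url.startsWith('https://');
  }
}

// The layout from the question: scaffold.html on one site embeds report
// iframes from somesite.com; the report's session cookie is the argument.
function scaffoldIframeSendsCookie(sessionCookie) {
  return cookieIsSent(sessionCookie, {
    url: 'https://somesite.com/useful_report.html',
    topLevelUrl: 'https://intranet.example/scaffold.html', // assumed host for scaffold.html
    isTopLevelNavigation: false,
    method: 'GET',
  });
}

// The same cookie when the user follows a link from the scaffold to the report
// instead: a top-level GET navigation, which Lax cookies do accompany.
function directNavigationSendsCookie(sessionCookie) {
  return cookieIsSent(sessionCookie, {
    url: 'https://somesite.com/useful_report.html',
    topLevelUrl: 'https://intranet.example/scaffold.html',
    isTopLevelNavigation: true,
    method: 'GET',
  });
}
```

Marking the session cookie SameSite=None; Secure is necessary for the cross-site iframe case but not sufficient: Safari blocks third-party cookies outright by default and Firefox partitions them per top-level site, so neither will hand the report its existing session inside a cross-site frame. Serving the scaffold from the same site as the reports removes the problem in every browser.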

GTM not propagating nonce to Custom HTML tags

隐身守侯 submitted on 2020-12-15 05:45:07
Question: In order to implement Content-Security-Policy, I need to pass a nonce to GTM to allow tags. Using the nonce-aware version of the GTM snippet works great for all tag types except Custom HTML. Is there a way to pass the nonce to Custom HTML and allow custom scripts, without using unsafe-inline? Answer 1: In order to add the nonce attribute to the Custom HTML scripts, it must first be defined as a GTM variable: Add id="gtmScript" to the nonce-aware version of the GTM snippet - this will be used to target the element

Firefox refuses to load any scripts with strict-dynamic set

感情迁移 submitted on 2020-12-13 03:10:27
Question: Firefox 68 is refusing to load scripts if strict-dynamic is set. Removing it fixes the problem, but I'm trying to figure out why strict-dynamic causes Firefox to block the scripts. (There are no errors in Chrome 76 or 77.) Here is my current CSP: default-src 'none'; base-uri 'self'; connect-src https://api.[mysite].com; font-src 'self' https://use.typekit.net; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; manifest-src 'self'; object-src 'none'; script-src 'self' 'unsafe

Why is script-src-elem not using values from script-src as a fallback?

末鹿安然 submitted on 2020-12-12 04:53:30
Question: When implementing the csp-header, I have specified my policy as: default-src 'self'; script-src www.gstatic.com; Since I have not declared the script-src-elem directive in my CSP policy, as stated in this MDN documentation, I was expecting the policy defined for script-src to be used for the script-src-elem directive as well. However, I see a violation being reported as "violated-directive":"script-src-elem" "blocked-uri":"https://www.gstatic.com/blah/blah". Any idea why this behavior is happening? Answer 1: After
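Three of the questions on this page turn on the same handful of CSP rules: which header names a browser honours at all (the unsafe-eval question sends X-Content-Security-Policy, which current browsers ignore; only Content-Security-Policy and its Report-Only variant are read), which directive governs eval() and new Function() ('unsafe-eval' lives in script-src, falling back to default-src, and script-src-elem has no say in it), what 'strict-dynamic' does (it makes the browser ignore 'self', 'unsafe-inline', scheme and host sources, so a parser-inserted script needs a nonce or hash), and how script-src-elem inherits from script-src and then default-src while violation reports still name script-src-elem as the effective directive. The evaluator below is an added example, not code from any of the questions or answers; it assumes one policy per header, ignores hash sources, and matches hosts without port or path.

```javascript
// Added example (not code from any of the questions or answers): a small CSP
// evaluator covering the directive fallback chain, 'strict-dynamic',
// 'unsafe-eval' and which header names a browser actually honours.
// Assumptions: one policy per header, no hash sources, host matching ignores
// port and path.

// Only Content-Security-Policy (and its Report-Only twin) are honoured by
// current browsers; X-Content-Security-Policy and X-WebKit-CSP are ignored.
function enforcedPolicies(headers) {
  return Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'content-security-policy')
    .map(([, value]) => parsePolicy(value));
}

// "directive source source; directive ..." -> Map(directive -> [sources]);
// a directive repeated within one policy keeps its first occurrence.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP3 fallback: a missing directive inherits the next one in its chain.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
};

function effectiveDirective(policy, name) {
  for (const candidate of FALLBACK[name] || [name, 'default-src']) {
    if (policy.has(candidate)) return { name: candidate, sources: policy.get(candidate) };
  }
  return null; // nothing governs this load type: it is allowed
}

// Match one source expression against a URL ('self', scheme-source, host-source).
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  if (expr === "'self'") return u.origin === pageOrigin;
  if (expr.startsWith("'")) return false;              // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = u.hostname.toLowerCase();
  return wildcard ? h.endsWith(`.${host.toLowerCase()}`) : h === host.toLowerCase();
}

// Verdict for a parser-inserted <script src=...>, plus the directive name a CSP3
// browser reports as "violated-directive"/"effective-directive": always
// script-src-elem, even when the sources were inherited from script-src.
function scriptElementAllowed(policy, { url, nonce, pageOrigin }) {
  const d = effectiveDirective(policy, 'script-src-elem');
  if (!d) return { allowed: true, directive: null };
  if (nonce && d.sources.includes(`'nonce-${nonce}'`)) return { allowed: true, directive: 'script-src-elem' };
  // 'strict-dynamic' makes the browser ignore 'self', 'unsafe-inline', scheme
  // and host sources: without a nonce or hash the element is blocked.
  if (d.sources.includes("'strict-dynamic'")) return { allowed: false, directive: 'script-src-elem' };
  const allowed = d.sources.some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive: 'script-src-elem' };
}

// eval() and new Function() are governed by script-src (falling back to
// default-src); script-src-elem has no say in it.
function evalAllowed(policy) {
  const d = effectiveDirective(policy, 'script-src');
  return d === null || d.sources.includes("'unsafe-eval'");
}
```

Run against the policy in the question above, default-src 'self'; script-src www.gstatic.com, the evaluator resolves script-src-elem to the script-src list and allows https://www.gstatic.com/blah/blah, while a blocked script under the same policy is reported against script-src-elem; a report naming that directive therefore says nothing about whether script-src-elem was declared. The 'strict-dynamic' branch is the CSP3 behaviour; a browser that does not implement the keyword ignores it and falls back to the host allowlist.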

Helmet CSP not working correctly?

自闭症网瘾萝莉.ら submitted on 2020-12-07 03:41:59
Question: Using a Vue SPA distributed by Express. This is my Helmet code in Express: app.use(helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], styleSrc: ["'self'","'unsafe-inline'" ,'unpkg.com', 'cdn.jsdelivr.net', 'fonts.googleapis.com', 'use.fontawesome.com'], scriptSrc: ["'self'","'unsafe-inline'",'js.stripe.com'], frameSrc: ["'self'",'js.stripe.com'], fontSrc:["'self'",'fonts.googleapis.com','fonts.gstatic.com','use.fontawesome.com','cdn. joinhoney.com'] } })); Doing this produces