content-security-policy

nodeJS - where exactly can I put the Content Security Policy

十年热恋 submitted on 2020-02-27 22:07:24
Question: I don't know where to apply the Content Security Policy (CSP) snippet below in my code: Content-Security-Policy: script-src 'self' https://apis.google.com Should it be in the HTML? Would it be best implemented in JavaScript as in the code snippet below? var policy = "default-src 'self'"; http.createServer(function (req, res) { res.writeHead(200, { 'Content-Security-Policy': policy }); }); Answer 1: You just need to set it in the HTTP header, not the HTML. This is a working example with express 4

What is the correct content security policy for Google Analytics?

谁说胖子不能爱 submitted on 2020-02-05 05:03:29
Question: I'm trying to set up Google Analytics on my website. However, I'm having problems with the content security policy. I get the following console error when I load my page: Refused to load the script 'https://www.google-analytics.com/analytics.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com". What is the correct way to load the 'https://www.google-analytics.com/analytics.js' script onto my

Content Security Policy (CSP) - safe usage of unsafe-eval?

感情迁移 submitted on 2020-02-02 02:08:31
Question: We use the following CSP header: default-src 'self' *.ourdomain.com; script-src 'self' *.ourdomain.com 'sha256-[...]' 'unsafe-eval'; connect-src 'self' *.ourdomain.com; style-src 'unsafe-inline' * 'self' data:; font-src *; img-src * 'self' data: The recommendation by our security team is not to use unsafe-eval. My question is: as long as we are using sha256-[...] to restrict any script that we haven't deployed ourselves, what is the security risk of still keeping unsafe-eval in the CSP header?

Use Content Security Policy script-src sha feature with Apache HTTP Server

≡放荡痞女 submitted on 2020-01-25 20:17:21
Question: I'm using Apache 2.4 and I'm trying to implement Content Security Policy. I have set the following header in my httpd.conf: Header set Content-Security-Policy "default 'none'; script-src 'self'" Now, I have inline JavaScript code using a script tag inside the HTML, such as <script>alert('Do something here')</script> Note that the script tag contains meaningful JS code, not this alert stuff I have put in for sample purposes. Now, Content Security Policy blocks such inline scripts. One way to whitelist these is

Refused to display in a frame because an ancestor violates the following Content Security Policy directive

混江龙づ霸主 submitted on 2020-01-24 22:15:11
Question: I am developing a Salesforce app which is rendered inside an iframe in a Salesforce page, using a Node Express server to render this page. As part of a security review, I want to render only in the Salesforce page and block it if embedded anywhere else. For that, I have added a content-security-policy header as below: response.header("Content-Security-Policy", "frame-ancestors salesforce.com"); But it is blocked on the Salesforce page too. Error: Refused to display 'https://localhost:8000/authenticate' in a

Content security policy blocking requests to *://www.google.com/recaptcha/api

僤鯓⒐⒋嵵緔 submitted on 2020-01-24 19:38:08
Question: In light of this link, it would seem inline scripts such as are used for inserting a reCAPTCHA object in the page, via <script type="text/javascript" src="http://www.google.com/recaptcha/api/challenge?k=your_public_key"> </script> <noscript> <iframe src="http://www.google.com/recaptcha/api/noscript?k=your_public_key" height="300" width="500" frameborder="0"></iframe><br> <textarea name="recaptcha_challenge_field" rows="3" cols="40"> </textarea> <input type="hidden" name="recaptcha_response

Content Security Policy not allowing form submission

╄→尐↘猪︶ㄣ submitted on 2020-01-23 10:55:28
Question: Please, I need assistance here. I have a form to submit to another URL, but when I try to submit it, it refuses to submit. Checking my console on Chrome, I see the following errors: resources2.aspx?HCCID=75694719&culture=en-US&mlcv=3006&template=5:7 Refused to load the image 'https://s4.mylivechat.com/livechat2/images/sprite.png' because it violates the following Content Security Policy directive: "img-src 'self' data:". Refused to send form data to 'https://cipg.stanbicibtcbank.com

Why doesn't Chrome respect my Content Security Policy hashes?

天涯浪子 submitted on 2020-01-23 04:46:31
Question: I'm having to add CSP to a page that has inline styles, and to avoid using unsafe-inline I'm using hashes. My technique for adding the hashes is just to load the page in Chrome, look at the error messages and copy all the suggested hashes (e.g. take <suggested hash> from Refused to apply inline style because it violates the following Content Security Policy directive: "style-src ...". Either the 'unsafe-inline' keyword, a hash ('<suggested hash>'), or... is required to enable inline execution.).

Detect CSP violations with javascript

半城伤御伤魂 submitted on 2020-01-22 12:27:46
Question: Is it possible to detect a Content Security Policy violation with JavaScript? My CSP works and sends its reports, where I see that some URLs are injected, probably by browser add-ons. I would like to display a hint to the user that some add-on is trying to modify the page. Can I somehow detect the aborted connection with JavaScript (which is itself whitelisted in the CSP, of course)? Answer 1: According to the W3C CSP specification, a violation triggers a securitypolicyviolation event. You can add an