Content security policy "frame-src" not working - firefox

I want to add an iframe into my html page.
The reason for this is to, hopefully, be able to set values into the "localstorage" for that iframe / sub-domain.
I put the tag for the iframe like so: <iframe src="https://yt.localtest.me"></iframe>.
Then I add the following inside the head of the page: <meta http-equiv="Content-Security-Policy" content="frame-src 'self' *.localtest.me"> + I have tried many other variations of this.
The "Web developer tools" only gives me the following information: Content Security Policy: The page’s settings blocked the loading of a resource at https://yt.localtest.me/ (“frame-src”)..
There are never any requests going to this sub-domain as far as I can see. But I have removed the "x-frame-options" returned by Nginx, which was set to "Deny".
Why am I seeing this error, and how can I fix it?
Btw, I am seeing this on both Firefox and Chrome.
Response headers for the containing page are:
HTTP/2 200 OK
content-type: text/html; charset=utf-8
date: Thu, 05 Jan 2023 12:55:59 GMT
server: Kestrel
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
referrer-policy: strict-origin-when-cross-origin
content-security-policy: script-src 'self' https://cdn.jsdelivr.net 'nonce-Hc3huW7RDIa1gqTxo/n05+MhyPwBpRiokpv12+2uNN4='; default-src 'self'; frame-src https://cdn.jsdelivr.net; img-src 'self' https://cdn.jsdelivr.net data:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; base-uri 'none'; font-src 'self' https://cdn.jsdelivr.net; connect-src 'self' * ws: wss: localhost:* localtest.me:*
X-Firefox-Spdy: h2

What happens if you don't add the meta tag with CSP? Do you get the same error message?
I think the most likely explanation is another CSP, likely set in a response header, and that you try to amend this by adding another policy. But another policy can only add restrictions, not loosen any set by another policy. If this is the case, you should change or remove the CSP set in the response header and remove the meta version if necessary.
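The rule the answer above relies on can be checked mechanically. The following is an added example, not code from the original thread: a small model of how a browser evaluates more than one Content-Security-Policy for the same page. Every policy in force (the response header and the meta tag) must allow the frame; a second policy can only narrow the first. The header policy below is taken from the question's response headers, the meta policy from the question; the URL of the embedding page is an assumption, since the question does not state it. Run it with Node.js.

```javascript
// Added example (not code from the original thread): a small model of how a
// browser evaluates several Content-Security-Policy policies for one page.
// A request must be allowed by EVERY policy in force (response header, <meta>,
// or both), so a second policy can only narrow the first, never widen it.

function parsePolicy(policy) {
  // "frame-src a b; img-src c" -> { "frame-src": ["a", "b"], "img-src": ["c"] }
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    // "*.localtest.me" matches "yt.localtest.me" but not "localtest.me" itself
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === page.origin;
  if (source === "*") return true;
  if (source.endsWith(":")) return url.protocol === source;   // scheme-source, e.g. "https:" or "data:"
  if (source.startsWith("'")) return false;                    // nonces/hashes never match a frame URL
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== page.protocol && url.protocol !== "https:") {
    return false;   // no scheme given: inherit the page's scheme (https is always acceptable)
  }
  if (!hostMatches(host.toLowerCase(), url.hostname)) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === undefined) {
    if (urlPort !== defaultPort(url.protocol)) return false;
  } else if (port !== "*" && port !== urlPort) {
    return false;
  }
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

function frameAllowedByPolicy(policy, url, page) {
  const d = parsePolicy(policy);
  // CSP fallback chain for frames: frame-src, then child-src, then default-src
  const sources = d["frame-src"] ?? d["child-src"] ?? d["default-src"];
  if (sources === undefined) return true;   // no governing directive: unrestricted
  return sources.some((s) => sourceMatches(s, url, page));
}

// Evaluates all policies at once and reports which ones block the frame.
function frameAllowed(policies, frameUrl, pageUrl) {
  const url = new URL(frameUrl);
  const page = new URL(pageUrl);
  const blockedBy = policies.filter((p) => !frameAllowedByPolicy(p, url, page));
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed inputs mirroring the question: the policy Kestrel sends in the
// response header, and the <meta> policy added afterwards. The embedding page's
// URL is an assumption (the question does not state it).
const headerPolicy =
  "default-src 'self'; frame-src https://cdn.jsdelivr.net; img-src 'self' https://cdn.jsdelivr.net data:";
const metaPolicy = "frame-src 'self' *.localtest.me";
const pageUrl = "https://app.localtest.me/";

// The header policy blocks the frame even though the meta policy allows it.
const result = frameAllowed([headerPolicy, metaPolicy], "https://yt.localtest.me/", pageUrl);
// result.allowed === false, result.blockedBy === [headerPolicy]

// Fix: widen frame-src in the policy that is actually blocking (the header) and drop the <meta>.
const fixedHeaderPolicy = headerPolicy.replace(
  "frame-src https://cdn.jsdelivr.net",
  "frame-src https://cdn.jsdelivr.net https://*.localtest.me");
const fixed = frameAllowed([fixedHeaderPolicy], "https://yt.localtest.me/", pageUrl);
// fixed.allowed === true
```

`frameAllowed` returns the list of policies that block, which is the first thing to look at when the console only says "frame-src": if the header policy is in that list, no meta tag will rescue the frame, and the change has to be made where the header is emitted (Kestrel here).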

Related

Content-Security-Policy Ckeditor

Hello everybody thanks for reading.
I have a problem with CKEditor. Now I use Content-Security-Policy and the editor does not show buttons, like in the image.
If I delete this line
Header always set Content-Security-Policy: "style-src 'self' www.site.com; child-src https://www.youtube.com"
it works well.
Now what can I do? Do you have an idea? Please help me, thanks a lot.
To publish CSP via Header always set Content-Security-Policy: ... is not a good idea.
Such a CSP header will be sent with any content: .js, .css, .jpeg, and the word always means that it will be sent not only with pages having '200 OK' status, but also for Error / Redirect / Not Modified / etc.
You have no flexibility to manage such a header. If your web page publishes its own Content-Security-Policy header, for example via PHP header("Content-Security-Policy: default-src 'self';"), you will have 2 glued CSP headers with unpredictable consequences.
In your case you do not need to publish a CSP header in the admin panel (where you do use CKEditor). But due to para 2 above, you have the CSP header everywhere and have no possibility to switch it off.
Much better to use some plugins for your CMS for CSP header management. Such plugins are smart enough and do not publish CSP in the admin panel or for error/redirect pages.
If you do not use a CMS, you can publish CSP, for example via the header() PHP function in the appropriate index.php (since you use the Apache web server).
PS: If you do use CKEditor in the site (not in the admin), you need to expand your CSP rules to allow CKEditor scripts and styles.
UPDATE
Judging by the comments, webmasters are having difficulties with CSP for CKEditor, but no one said which version: 4 or 5.
Content Security Policy for Ckeditor-4 if it's loaded from cdn.ckeditor.com CDN:
connect-src https://pdf-converter.cke-cs.com;
form-action 'self';
img-src cdn.ckeditor.com;
script-src 'unsafe-inline' cdn.ckeditor.com;
style-src 'unsafe-inline' cdn.ckeditor.com;
* CKE-4 is incompatible with 'nonce-value' and requires the mandatory 'unsafe-inline' because of a lot of inline scripts.
Content Security Policy for Ckeditor-5 if it's loaded from cdn.ckeditor.com CDN:
connect-src https://docx-converter.cke-cs.com https://pdf-converter.cke-cs.com;
form-action 'self';
script-src 'unsafe-inline' https://cdn.ckeditor.com/ckeditor5/;
style-src 'unsafe-inline';
* CKE-5 scripts are compatible with 'nonce-value', so you can get rid of 'unsafe-inline' in script-src.
Content Security Policy for Ckeditor-5 if it's loaded from server where site is placed:
connect-src https://docx-converter.cke-cs.com https://pdf-converter.cke-cs.com;
form-action 'self';
script-src 'self' 'unsafe-inline';
style-src 'unsafe-inline';
PS: The connect-src https://docx-converter.cke-cs.com https://pdf-converter.cke-cs.com; is required only if the "Export to PDF" and "Export to Word" buttons are used.
If using a nonce, I do it like this:
(function (cke) {
    // nonceValue is assumed to hold the per-response nonce that the page's CSP already carries
    var _owrite = cke.dom.document.prototype.write;
    cke.dom.document.prototype.write = function (src) {
        // CKEditor builds its editing iframe with document.write(); stamp the nonce on every <script> it emits
        src = src.replace(/<script/gmi, '<script nonce="' + nonceValue + '"');
        _owrite.apply(this, [src]);
    };
})(CKEDITOR);
A simple solution I used in my project, after several failed trials to whitelist CKEditor, is to exclude from CSP the URL prefixes that are going to use the rich text editor.
In my case it was the product admin page.

Firefox refuses to load any scripts with strict-dynamic set

Firefox 68 is refusing to load scripts if strict-dynamic is set. Removing it fixes the problem but I'm trying to figure out why strict-dynamic causes Firefox to block the scripts. (There are no errors in Chrome 76 or 77.)
Here is my current CSP:
default-src 'none';
base-uri 'self';
connect-src https://api.[mysite].com;
font-src 'self' https://use.typekit.net;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
manifest-src 'self';
object-src 'none';
script-src 'self' 'unsafe-inline' https: 'sha384-iNlFf0Eg2hINxMB9tToQV4RnxDkAZlsPP94pWd15ctvGZBv9ryRfQqFtFZNM7XiA' 'sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49' 'sha384-ZDHQDqvUUYauNA9cFuoaV9L+U+ZtxzdGF70k0b7fDra3FBacCe+Hngtw49T6CJb7' 'sha384-rNVOlvKt+mE/FuEDamC09wqzy3DjyosfTPCDkViitrbSMgS05HdT7pLifJLUpKkN' 'sha384-WCO1dM1VIjdz4wJR0FG7yGtGylSMdwCQDP5MoFjrc/u8970XcFh6zwXdjG76eCDS' 'sha384-+N7evcl7zrc6o9kMNnhuSkeAgOTW8X1IJ9QNoUeFg1Nk2F9iePwtyeN23Xmrfvl8' 'sha384-AQ+OmaAwyCDPM0nqlDUkKMa3qkWQ3oi/reAOFXu3Qpj+8qSrRlqoFd18NNJbOZVT' 'sha384-OAeN05/PeTav9WcYPjJBUnayKJllw2VgLFEpNY5rRWciopAb4v1ERIKclCaF6J/4' 'sha256-kzvsAqTDCfIphFz0XiR4pT52mnhHbvon43SO5jB18dk=' 'sha384-+StHyFUD2Qm2XSU/KU8ItNOwDenBX7rmg1dlwv/d2/UScI4z1E4NleDCQxN5bGFg' 'sha512-4SOBW3M7cPHveemHR+3DE/wa2TMg+IrV5KbofseWTiJdRGhP5fPy9kNGgHMnw3x7KuWuIqeY4O/jFFL8gio9Ag==' 'sha256-1qUviT9v0xAXIG4t/jw+97tZmTnpSdX/kJ2TZBkMBVA=' 'sha384-1oQ+rlRG29IUmyXJ19qy/3JkdRgR+FYDwdljaRj7hFK46jWfXOttNyJ6lgJIiYmx' 'sha512-+t+Sm1j5Sr1ZuxzwvYlZbZw+wODnAGe/YPgZ7BE00ZWwp6Ct5FKWt4EybojdgUxYrzaM20OBZ2I1Uh4U9Vl6WA==' 'strict-dynamic' 'report-sample';
style-src 'self' 'unsafe-inline' https://use.typekit.net/ldr0egh.css https://p.typekit.net 'report-sample';
report-uri https://[mysite].report-uri.com/r/d/csp/reportOnly;
report-to default
I would expect that Firefox would load the scripts since the hashes match. But with strict-dynamic enabled it chokes. Is this a bug in Firefox? Or do I need to be doing my CSP differently?
The errors in Firefox are:
Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/jquery.min.js ("script-src"). A CSP report is being sent.
Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/popper.min.js ("script-src"). A CSP report is being sent.
Content Security Policy: The page's settings observed the loading of a resource at https://[mysite]/scripts/js/bootstrap.min.js ("script-src"). A CSP report is being sent.
The hashes for the above resources are (the first three in script-src):
sha384-iNlFf0Eg2hINxMB9tToQV4RnxDkAZlsPP94pWd15ctvGZBv9ryRfQqFtFZNM7XiA
sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49
sha384-ZDHQDqvUUYauNA9cFuoaV9L+U+ZtxzdGF70k0b7fDra3FBacCe+Hngtw49T6CJb7
Support for hashes on external scripts was added in CSP Level 3 and is not implemented yet in Firefox.

Firefox can’t establish a connection to the server at ws://localhost:58330/sockjs-node/775/15qeeqvw/websocket

When executing my asp.net core 2.1 application, I get the following error in the console tab of the Firefox browser. It is showing as 400 Bad Request in the Network tab.
Firefox can’t establish a connection to the server at ws://localhost:58330/sockjs-node/775/15qeeqvw/websocket.
I believe I am missing some CSP-related entries in my meta tag, but I'm not sure which one. Below is my CSP meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' http://localhost:58330/ 'unsafe-eval'; connect-src 'self' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline';">
Can anyone please assist?
Thanks,
Hemant.

GTMetrix doesn't get my S3 files' Cache-Control headers

I'm working on the following site: www.ekamat.es
When I run the GTMetrix test, it shows awful results on several things. One of them is the expiration of some of my resources. It shows the following message: (expiration not specified)
Those files are uploaded to Amazon S3, and I've set a Cache-Control of nearly a month (2592000). I can be sure of that, because when I open one of those resources in Chrome and inspect it with the developer console, it shows the following information:
Age:3146
Cache-Control:2592000
Connection:keep-alive
Date:Wed, 04 May 2016 01:46:04 GMT
ETag:"70e17baac2c3e15e2df0064dd2466d4a"
Server:AmazonS3
Via:1.1 7acf1813f9ec06038d676de15fcfc28f.cloudfront.net (CloudFront)
X-Amz-Cf-Id:c4ERes-XPeGiwTOzMEwqyvNZlPtDih-uV77WCI6Jr0OAWnohkHGW6Q==
X-Cache:Hit from cloudfront
Also, in my .htaccess, I have this:
<IfModule mod_headers.c>
<FilesMatch "\.(ico|jpeg|jpg|png|gif|swf|css|js)$">
Header set Cache-Control "max-age=604800, public"
Header append Vary Accept-Encoding
</FilesMatch>
<FilesMatch "\.(x?html?|php)$">
Header set Cache-Control "max-age=600, private, must-revalidate"
</FilesMatch>
</IfModule>
So, how would you explain that GTMetrix isn't showing the correct info? Are they working with an old version of my site, or is it really a mistake or a misconfiguration by me?
Thank you in advance!
This is not valid:
Cache-Control: 2592000
...it should be...
Cache-Control: max-age=2592000
...or...
Cache-Control: public, max-age=2592000
https://www.rfc-editor.org/rfc/rfc7234#section-5.2.2
If that .htaccess file is on S3, you can delete it. S3 doesn't process those. Presumably, though, that's on a different server, in which case you can disregard this paragraph.
After you correct your objects in S3, you need to invalidate * (everything) in CloudFront to purge the CloudFront edge caches of the invalid objects.
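The answer's point, that `Cache-Control: 2592000` is not a valid header and so carries no expiration, is exactly what a tool like GTmetrix computes before it prints "expiration not specified". The following is an added example, not code from the original thread or from GTmetrix: a Cache-Control parser that rejects the malformed value with a specific error, and a freshness calculator following RFC 7234 (s-maxage, then max-age, then Expires minus Date, then "unspecified") that also subtracts the Age CloudFront reported. The header sets are constructed to mirror the question, not captured from the site. Run it with Node.js.

```javascript
// Added example (not code from the original thread): a Cache-Control parser
// and freshness calculator that shows why "Cache-Control: 2592000" reads as
// "expiration not specified". Directives are comma-separated tokens, optionally
// "name=value" (RFC 7234 section 5.2); a bare number is not a directive name.
// Runs under Node.js with constructed headers (not captured from the site).

const FLAG_DIRECTIVES = new Set([
  "public", "private", "no-cache", "no-store", "no-transform",
  "must-revalidate", "proxy-revalidate", "immutable",
]);
const DELTA_SECONDS_DIRECTIVES = new Set([
  "max-age", "s-maxage", "stale-while-revalidate", "stale-if-error",
]);
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 tchar

function parseCacheControl(value) {
  const directives = {};
  const errors = [];
  for (const raw of value.split(",")) {
    const part = raw.trim();
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (!TOKEN.test(name)) {
      errors.push(`"${part}": not a valid directive`);
    } else if (DELTA_SECONDS_DIRECTIVES.has(name)) {
      if (val === null || !/^\d+$/.test(val)) errors.push(`"${part}": ${name} needs a non-negative integer`);
      else directives[name] = Number(val);
    } else if (FLAG_DIRECTIVES.has(name)) {
      directives[name] = true;
    } else if (/^\d+$/.test(name)) {
      // The mistake from the question: a number where a directive name belongs.
      errors.push(`"${part}": a bare number is not a directive; did you mean max-age=${name}?`);
    } else {
      directives[name] = val === null ? true : val;   // unknown extension directive: keep, ignore
    }
  }
  return { directives, errors };
}

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Freshness lifetime in seconds (RFC 7234 section 4.2.1), or null when the
// response carries no explicit expiration. Shared-cache view: s-maxage first.
function freshnessLifetime(headers) {
  const cc = parseCacheControl(header(headers, "cache-control") ?? "");
  if ("s-maxage" in cc.directives) return cc.directives["s-maxage"];
  if ("max-age" in cc.directives) return cc.directives["max-age"];
  const expires = header(headers, "expires");
  const date = header(headers, "date");
  if (expires !== null && date !== null) {
    const delta = (Date.parse(expires) - Date.parse(date)) / 1000;
    return Number.isNaN(delta) ? 0 : Math.max(0, delta);   // unparsable Expires means already stale
  }
  return null;
}

// Seconds of freshness left after subtracting the Age the cache reports.
function remainingFreshness(headers) {
  const lifetime = freshnessLifetime(headers);
  if (lifetime === null) return null;
  const age = Number(header(headers, "age") ?? 0);
  return Math.max(0, lifetime - age);
}

// Constructed headers mirroring the question's S3/CloudFront response.
const asServed = {
  "Age": "3146",
  "Cache-Control": "2592000",
  "Date": "Wed, 04 May 2016 01:46:04 GMT",
  "Server": "AmazonS3",
};
// Same response with the metadata corrected as the answer suggests.
const corrected = { ...asServed, "Cache-Control": "public, max-age=2592000" };

// parseCacheControl(asServed["Cache-Control"]).errors -> one error naming max-age=2592000
// freshnessLifetime(asServed) -> null   (what "expiration not specified" means)
// remainingFreshness(corrected) -> 2592000 - 3146
```

Running `parseCacheControl` over a handful of sampled responses is a quicker check than waiting for the next GTmetrix run, and it also catches the quieter mistakes (a quoted value, a misspelled directive) that browsers silently ignore.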

How do I enable client-side caching for website project, using OutputCache?

I have an mvc website (not web application) and I am trying to enable client caching of pages. I added the following attribute to my action:
[OutputCache(Duration = 60, Location = OutputCacheLocation.Any, VaryByParam = "*")]
When I look at the response, however, I'm seeing the following:
(Status-Line) HTTP/1.1 200 OK
Cache-Control no-cache
Pragma no-cache
Content-Type text/html; charset=utf-8
Content-Encoding gzip
Expires -1
Date Sat, 23 Jul 2011 17:09:45 GMT
Content-Length 9253
Is client-side caching not supported with website projects? If it is, am I missing a configuration setting somewhere? I have tried adding the #outputcache directive instead of the action attribute, but no luck there either.
