I am new to Content Security Policy and am trying to apply a policy like
Google Fonts violates Content Security Policy
to a page referencing a stylesheet from Google: https://fonts.googleapis.com/css?family=Raleway:300,400,700
The issue I am running into is that in Chrome the developer tools console tells me that the style-src rule is not set and it is defaulting to default-src. In IE I am not getting these warnings.
Here is the console Error:
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Raleway:300,400,700' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Here is a capture of my header with fiddler:
Content-Security-Policy: default-src 'self' https:;script-src 'self' 'nonce-Ab4J0bSR7xiEFldCemz9' 'unsafe-eval';object-src 'self';style-src 'self' 'unsafe-inline' 'nonce-zGkHV0PmcLCJKhMH6H8V' https:;font-src 'self' https: data:
Is this a browser problem?
Turns out I had an extra declaration in the custom headers that was conflicting.
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
</customHeaders>
</httpProtocol>
After removing this and reverting back to a clear tag, the problem went away.
I have the following CSP rule on my server:
connect-src 'self' https://exampleurl.test.pro/
But when a subroute of this url is being called it gets blocked by the CSP rule.
https://exampleurl.test.pro/ppms.php?action_name=example&rec=1&r=018609&h=9&m=21&s=34&url=https%3A%2F%2Fexample.azurewebsites.net%2F&urlref=https%3A%2F%2Flogin.example.com%2F&_id=45a27339c6f79315&_idts=1652252243&_idvc=1&_idn=0&_viewts=1652252243&send_image=1&ts_n=jstc_tm&ts_v=2.6.10&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=2560x1440&gt_ms=747&pv_id=U3B9Xe
I get the following error:
ppms.js:12 Refused to connect to 'https://exampleurl.test.pro/ppms.php?action_name=example&rec=1&r=018609&h=9&m=21&s=34&url=https%3A%2F%2Fexample.azurewebsites.net%2F&urlref=https%3A%2F%2Flogin.example.com%2F&_id=45a27339c6f79315&_idts=1652252243&_idvc=1&_idn=0&_viewts=1652252243&send_image=1&ts_n=jstc_tm&ts_v=2.6.10&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=2560x1440&gt_ms=747&pv_id=U3B9Xe' because it violates the following Content Security Policy directive: "connect-src 'self' https://exampleurl.test.pro/".
I'm unable to understand the error. Please help if anyone has faced the same issue and got rid of it.
The Content Security Policy 'font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; 
the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
(index):1 [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Work+Sans:400,700.less' because it violates the following Content Security Policy directive: "style-src getfirebug.com 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
(index):23 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/requirejs/require.js net::ERR_ABORTED 404 (Not Found)
(index):34 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/images/magento-icon.svg 404 (Not Found)
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
requirejs-config.js:18 Uncaught TypeError: require.config is not a function
at requirejs-config.js:18
at requirejs-config.js:19
at requirejs-config.js:643
[Report Only] Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' 'unsafe-inline'".
This is because of the new module (Magento_Csp) added in Magento 2.3.5.
As of version 2.3.5, Magento supports CSP headers and provides ways to configure them. (This functionality is defined in the Magento_Csp module.) Magento also provides default configurations at the application level and for individual core modules that require extra configuration. Policies can be configured for adminhtml and storefront areas separately to accommodate different use cases. Magento also permits configuring unique CSPs for specific pages.
CSP can work in two modes:
report-only - In this mode, Magento reports policy violations but does not interfere. This mode is useful for debugging. By default, CSP violations are written to the browser console, but they can be configured to be reported to an endpoint as an HTTP request to collect logs. There are a number of services that will collect, store, and sort your store's CSP violation reports for you.
restrict mode - In this mode, Magento acts on any policy violations and thus blocks any URLs that are added to the whitelist. This reduces cross-site scripting, credit card skimmers, etc.
See more details here
https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html
CSP is not the reason for the problem. By default CSP works in Report-Only mode. The main reason for the endless loading is:
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
(index):23 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/requirejs/require.js net::ERR_ABORTED 404 (Not Found)
(index):34 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/images/magento-icon.svg 404 (Not Found)
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
Perhaps you didn't clean the cache. Try to switch to developer mode and clean the cache:
$ ./bin/magento deploy:mode:set developer
$ ./bin/magento cache:clean
$ redis-cli FLUSHALL # if you have redis
The problem comes from the new Magento_Csp module; one solution that I found is to deactivate this module and move forward with your project.
bin/magento module:disable Magento_Csp
In my Facebook Instant Game I try to statically load scripts from cloudflare.com such as:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
But getting Chrome browser error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there a way I can load scripts from cloudflare?
Content Security Policy is one of the ways to mitigate XSS (cross-site scripting) attack on your site/app.
To allow your site/app to load scripts from cdnjs.cloudflare.com, you'll need to add/append the domain in the script-src directive of your Content-Security-Policy HTTP response header.
A few example implementations:
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
Then make sure to run checkconfig before reloading or restarting the httpd/nginx service.
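The three "Refused to load" messages quoted on this page (the Google Fonts stylesheet in the first post, the connect-src request in the second, and the cdnjs script in the fourth) all come out of the same browser logic: pick the governing directive by walking the fallback chain, test the URL against each source expression, and do that separately for every policy that was delivered. The evaluator below is an added example written for this page, not code from the posts or from any browser; it reproduces that logic for the URLs quoted above. The page origin https://shop.example and the shortened copy of Facebook's script-src are assumptions. One thing it makes visible for the second post: a host-source whose path is "/" is a prefix match and the query string is never compared, so under the standard rules that request is allowed; when a browser still blocks it, a second policy being delivered alongside the intended one, exactly the situation in the first post, is the first thing to check.

```javascript
// Added example for this page: a minimal evaluator of CSP fetch directives.
// Keywords such as 'unsafe-inline', nonces and hashes never match a URL and are ignored here.

// Directives whose fallback chain is longer than "itself, then default-src".
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// "directive src src; directive src" -> Map(directive -> [sources]).
// The first occurrence of a directive wins, as browsers do with duplicates inside one policy.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const token of policyText.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length && !directives.has(parts[0].toLowerCase())) {
      directives.set(parts[0].toLowerCase(), parts.slice(1));
    }
  }
  return directives;
}

// An http: source also matches https: URLs; otherwise schemes must be equal.
function schemeMatches(wanted, actual) {
  return wanted === actual || (wanted === 'http:' && actual === 'https:');
}

// Does one source expression match `url` (a URL object) for a page served from pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;                                        // 'none', 'unsafe-*', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, url.protocol);  // scheme-source: https:, data:, blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/\S*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wantedScheme = scheme ? scheme + ':' : new URL(pageOrigin).protocol; // no scheme: the page's own scheme
  if (!schemeMatches(wantedScheme, url.protocol)) return false;
  const h = url.hostname.toLowerCase();
  if (host.startsWith('*.') ? !h.endsWith(host.slice(1)) : host !== '*' && h !== host) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '');
  if (port === undefined ? url.port !== '' : port !== '*' && port !== urlPort) return false;
  if (path !== undefined) {
    // A path ending in "/" is a prefix; any other path must match exactly. The query string is never compared.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Evaluate one policy for a request of `directive` type, walking the fallback chain to find what governs it.
function policyAllows(policy, directive, url, pageOrigin) {
  const chain = FALLBACK[directive] || [directive, 'default-src'];
  const governing = chain.find((name) => policy.has(name));
  if (!governing) return { governing: null, allowed: true };   // the policy says nothing about this request
  const allowed = policy.get(governing).some((src) => sourceMatches(src, url, pageOrigin));
  return { governing, allowed };
}

// Browsers enforce every delivered policy (each header and each <meta>) independently:
// the request goes through only if all of them allow it.
function allowedBy(policyTexts, directive, urlText, pageOrigin) {
  const url = new URL(urlText);
  const results = policyTexts.map((text) => policyAllows(parsePolicy(text), directive, url, pageOrigin));
  return { allowed: results.every((r) => r.allowed), results };
}

// --- Inputs quoted in the posts above, plus an assumed page origin ---
const PAGE_ORIGIN = 'https://shop.example';   // assumption: the origin the page is served from

// First post: the intended header allows Google Fonts through "https:" in style-src ...
const FULL_HEADER = "default-src 'self' https:;script-src 'self' 'nonce-Ab4J0bSR7xiEFldCemz9' 'unsafe-eval';object-src 'self';style-src 'self' 'unsafe-inline' 'nonce-zGkHV0PmcLCJKhMH6H8V' https:;font-src 'self' https: data:";
// ... but the leftover <customHeaders> entry delivered a second policy with no style-src at all.
const EXTRA_HEADER = "default-src 'self';";
const FONTS_CSS = 'https://fonts.googleapis.com/css?family=Raleway:300,400,700';

// Second post: the tracker URL, shortened; only scheme, host, port and path take part in matching.
const CONNECT_POLICY = "connect-src 'self' https://exampleurl.test.pro/";
const TRACKER_URL = 'https://exampleurl.test.pro/ppms.php?action_name=example&rec=1&send_image=1';

// Fourth post: Facebook's script-src, shortened here (assumption), has no entry for cdnjs.cloudflare.com.
const FB_SCRIPT_SRC = "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net blob: *.cloudfront.net *.googleapis.com";
const CDNJS_SCRIPT = 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js';

function demo() {
  return {
    fontsWithIntendedHeader: allowedBy([FULL_HEADER], 'style-src-elem', FONTS_CSS, PAGE_ORIGIN).allowed,                 // true
    fontsWithBothHeaders: allowedBy([FULL_HEADER, EXTRA_HEADER], 'style-src-elem', FONTS_CSS, PAGE_ORIGIN).allowed,      // false
    trackerUnderSpecRules: allowedBy([CONNECT_POLICY], 'connect-src', TRACKER_URL, PAGE_ORIGIN).allowed,                 // true
    cdnjsUnderFacebookPolicy: allowedBy([FB_SCRIPT_SRC], 'script-src-elem', CDNJS_SCRIPT, PAGE_ORIGIN).allowed,          // false
    cdnjsAfterAppending: allowedBy([FB_SCRIPT_SRC + ' cdnjs.cloudflare.com'], 'script-src-elem', CDNJS_SCRIPT, PAGE_ORIGIN).allowed, // true
  };
}

console.log(demo());
```

The evaluator covers host, scheme and 'self' sources only; 'strict-dynamic', nonces, hashes and the redirect rules are out of scope, so treat a "false" from it as a reason to look at the delivered headers, not as the final word on what a browser will do.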
I'm trying to create a chrome app which requests access to firebase. I have set my CSP in manifest.json and I'm still getting CSP errors:
"Content_security_policy": "script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.*.googleapis.com; style-src 'self' https://www.googleapis.com/ https://fonts.googleapis.com/; default-src 'self' https://*.firebaseio.com",
This is the error I keep getting:
firebase.js:375 Refused to load the script 'https://myapp.firebaseio.com/.lp?start=t&ser=30696138&cb=1&v=5' because it violates the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Errors:
Refused to load the script 'https://ssl.google-analytics.com/ga.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
background.html:9 Refused to frame 'https://www.youtube.com/embed/' because it violates the following Content Security Policy directive: "frame-src 'self' data: chrome-extension-resource:".
Solve:
To resolve this issue, I tried adding
"content_security_policy": "script-src 'self' 'unsafe-eval' https://www.youtube.com/ https://ssl.google-analytics.com/; object-src 'self'"
But then I get the warning:
'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.
What should I do?
You can't load a script directly from the web. All scripts must be inside the Chrome App's folder. This may require you to download the script and place it into a folder that itself is inside the Chrome App folder.