Hi,

I've just recently started working with the Content-Security-Policy header for my apache/joomla/fedora35 install on a pretty complex website and am having some problems.


Here is my current CSP header:


"default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; img-src data: 'self' *.clarity.ms *.googleusercontent.com www.google-analytics.com *.google.com google.com; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-ancestors 'none'; style-src-elem 'self' fonts.googleapis.com; script-src code.jquery.com *.googlesyndication.com *.facebook.net; script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php",


I have the following log entry for my CSP header that shows a JavaScript resource from my website was blocked by the style-src-elem directive, but I've set both the default-src and style-src-elem directives to allow 'unsafe-inline' scripts. Is that not enough?

Also, it appears quite a few directives require common sites like googleapis and facebook - is there a way to just set them all by default? Will the default-src directive set the default for all directives?


How do I include inline JavaScript? Or is this saying it was okay since it's returning status-code 200?


"csp-report": {
  "document-uri": "https://example.com/features/complete-guide-to-keylogging",
  "referrer": "https://www.google.com/",
  "violated-directive": "style-src-elem",
  "effective-directive": "style-src-elem",
  "original-policy": "default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; img-src data: 'self' *.clarity.ms *.googleusercontent.com www.google-analytics.com *.google.com google.com; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-ancestors 'none'; style-src-elem 'self' fonts.googleapis.com; script-src code.jquery.com *.googlesyndication.com *.facebook.net; script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php",
  "disposition": "enforce",
  "blocked-uri": "inline",
  "line-number": 2,
  "column-number": 54854,
  "source-file": "https://example.com/media/jui/js/jquery.min.js",
  "status-code": 200,
  "script-sample": ""
}

Ideas greatly appreciated.

Thanks,
Dave

--

Dave Wreski
President & CEO
Guardian Digital, Inc.
We Make Email Safe

640-800-9446 <tel:640-800-9446>
dwre...@guardiandigital.com <mailto:dwre...@guardiandigital.com>
https://guardiandigital.com <https://guardiandigital.com>
103 Godwin Ave, Suite 314, Midland Park, NJ 07432

facebook <https://www.facebook.com/gdlinux>
twitter <https://twitter.com/gdlinux>
linkedin <https://www.linkedin.com/company/guardiandigital>
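As an added example (not part of Dave's mail, Joomla, or any project's code), here is a small Python resolver that applies the CSP Level 3 directive fallback chain to the policy quoted above and reports which directive the browser actually consulted for the logged violation and whether that directive carries 'unsafe-inline'. The policy string and the report fields are copied from the mail; the fallback table is the specification's, not something the mail states.

```python
# Added example (not from the mail): resolve a CSP violation against the CSP
# Level 3 directive fallback chain. A directive that is present is used as-is;
# only an absent one falls through to the next name in its chain. POLICY and
# REPORT are copied from the mail.
POLICY = ("default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com "
          "fonts.gstatic.com data:; img-src data: 'self' *.clarity.ms "
          "*.googleusercontent.com www.google-analytics.com *.google.com google.com; "
          "object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
          "frame-ancestors 'none'; style-src-elem 'self' fonts.googleapis.com; "
          "script-src code.jquery.com *.googlesyndication.com *.facebook.net; "
          "script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; "
          "script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php")
REPORT = {"effective-directive": "style-src-elem", "blocked-uri": "inline"}

FALLBACK = {  # unlisted names fall back to default-src; [] never falls back
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-ancestors": [], "base-uri": [], "form-action": [], "sandbox": [],
    "report-uri": [], "report-to": [],
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """'name v1 v2; name2 v3' -> {'name': ['v1', 'v2'], 'name2': ['v3']}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def governing_directive(policy, directive):
    """Name of the directive the browser actually consults, or None."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return name
    return None

def inline_verdict(policy, directive):
    """(governing directive, inline allowed?). 'unsafe-inline' is ignored when
    the same directive also carries a nonce or hash source."""
    gov = governing_directive(policy, directive)
    if gov is None:
        return None, True  # nothing applies, so nothing is restricted
    sources = policy[gov]
    hashed = any(s.startswith(NONCE_OR_HASH) for s in sources)
    return gov, "'unsafe-inline'" in sources and not hashed
```

Running `inline_verdict(parse_csp(POLICY), REPORT["effective-directive"])` returns `("style-src-elem", False)`: because style-src-elem is present in the policy, the browser never consults style-src or default-src for a `<style>` element, so the 'unsafe-inline' in those two directives does not apply to it.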