• Resolved Maiskolben

    (@maiskolben)


    Dear Supporters,
    I’m using the <meta> tag for the Content-Security-Policy in my header. It looks like the following:

    <meta http-equiv="Content-Security-Policy" content="
        default-src 'none';
        connect-src 'none';
        img-src 'self' https:;
        script-src 'self' https:;
        style-src 'self';
        form-action 'self';
        object-src 'self';
        font-src 'none'">

    As you can see on the website, the output is not as it should be, I guess. So my question is: are there any other external resources of the plugin that I don’t know about yet? Did I miss something?

    The *.ics is correctly validated.

    Hope you have an idea what I can do to display it correctly!
    Thanks for your response,

    kind regards,
    M.


Viewing 6 replies - 1 through 6 (of 6 total)
  • The content security policy does appear to be causing the errors; your site is not loading some of the necessary resources for the calendar to work properly. Please check your web browser’s JavaScript console for errors… that should help you to determine the changes that need to be made to the CSP to fix the issue.

    Thread Starter Maiskolben

    (@maiskolben)

    Dang, I just figured it out. It’s the directive

    script-src 'unsafe-inline' https://source.de
    style-src 'unsafe-inline' https://source.de

    and now the plugin displays the calendar correctly, as you mentioned, including the drop-down menu.

    Thanks for your quick answer, which solved the problem! But this makes using CSP nearly obsolete, as you can read in the ‘…if you absolutely must use it’ section of this page.

    I tried script-src 'self' https://source.de, but it doesn’t make a difference. Only the 'unsafe-inline' keyword solved the problem, and that’s not fitting the idea of using CSP as an additional security layer.

    Do you see the opportunity to implement the 'nonce-' thing in future updates for all the inline scripts and styles, so I can use the script-src 'nonce-xxxxxxxx' whitelisting instead of “switching” off the script filtering completely? That would make your plugin more CSP friendly and could be a great enhancement for the future. Or do you see another way to use fully integrated CSP with your plugin?

    Thanks again!
    kind regards,
    M.

    • This reply was modified 5 years, 11 months ago by Maiskolben.

    This is the first time I’ve confronted this issue, so I haven’t really considered what might need to be done to make this work.

    Would you mind temporarily changing the settings back to the way they were, so I can review the error messages again? I’ll keep an eye out for your response here so I can check it as quickly as possible and you can change it back while I work out a solution.

    Thanks!

    Thread Starter Maiskolben

    (@maiskolben)

    hey Room34,

    surely! I will undo all changes for a while. Are two or three days enough?

    By the way: this is new to me, too! I just tried to add more security to my site, and here you might find some interesting information to figure it out, if I may send you some info:

    Security Scan from Mozilla Observatory, General CSP Info, “Why are we not using it” (it’s pointing to the level 1 problems).

    Hope you find something useful! :o)

    Thank you very much and
    kind regards,
    M.

    • This reply was modified 5 years, 11 months ago by Maiskolben.

    Thanks… I was able to take a look; I just needed to see exactly what the error message was again.

    Safari:

    Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.

    Chrome:

    Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' [redacted]". Either the 'unsafe-inline' keyword, a hash ('sha256-[redacted]'), or a nonce ('nonce-...') is required to enable inline execution.

    Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' <URL>". Either the 'unsafe-inline' keyword, a hash ('sha256-[redacted]'), or a nonce ('nonce-...') is required to enable inline execution.

    I’m noting these error messages just for my own reference going forward. I’ll look into possible solutions as soon as possible. You can change the CSP back now, if you like, or leave it as is if you have security concerns about temporarily allowing unsafe-inline.
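The console messages quoted above spell out the three ways an inline script or style can be allowed: 'unsafe-inline', a 'sha256-…' hash of the block, or a nonce, and the nonce route is what Maiskolben asked the plugin author for earlier in the thread. The following Python is an added illustration of both the hash and the nonce approach; it is not code from the plugin or from anyone in this thread. The sample HTML page, the function names, and the use of https://source.de (the host named in the thread) as the external script's origin are constructed for this example.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page: one inline <style>, one inline <script>, and one
# external script that needs no hash because a host source covers it.
SAMPLE_HTML = """<html><head>
<style>.cal { color: red; }</style>
<script src="https://source.de/calendar.js"></script>
</head><body>
<script>initCalendar({"view": "month"});</script>
</body></html>"""

# Inline <script> means "no src= attribute"; the lookahead excludes external
# scripts (a data-src= attribute would also trip it; fine for this example).
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc=)([^>]*)>(.*?)</script>", re.S | re.I)
INLINE_STYLE_RE = re.compile(r"<style\b([^>]*)>(.*?)</style>", re.S | re.I)


def csp_hash(source: str) -> str:
    """CSP hash source for one inline block: base64(sha256(text between the tags)).
    The bytes must match exactly; a single changed whitespace character
    yields a different hash and the browser refuses the block."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_hashes(html: str) -> dict:
    """Collect a hash source for every inline <script> and <style> in the page."""
    return {
        "script-src": [csp_hash(m.group(2)) for m in INLINE_SCRIPT_RE.finditer(html)],
        "style-src": [csp_hash(m.group(2)) for m in INLINE_STYLE_RE.finditer(html)],
    }


def hash_policy(html: str, script_hosts=("'self'",), style_hosts=("'self'",)) -> str:
    """Policy that allows exactly the inline blocks found in html, with no 'unsafe-inline'."""
    hashes = inline_hashes(html)
    return "; ".join([
        "default-src 'none'",
        "script-src " + " ".join(list(script_hosts) + hashes["script-src"]),
        "style-src " + " ".join(list(style_hosts) + hashes["style-src"]),
    ])


def new_nonce() -> str:
    """Fresh, unguessable nonce: 128 random bits, base64-encoded. Generate one
    per response and never reuse it, otherwise it is no better than 'unsafe-inline'."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def add_nonces(html: str, nonce: str) -> str:
    """Stamp nonce="..." onto every inline <script> and <style> tag in the page."""
    html = INLINE_SCRIPT_RE.sub(
        lambda m: f'<script nonce="{nonce}"{m.group(1)}>{m.group(2)}</script>', html)
    html = INLINE_STYLE_RE.sub(
        lambda m: f'<style nonce="{nonce}"{m.group(1)}>{m.group(2)}</style>', html)
    return html


def nonce_policy(nonce: str, script_hosts=("'self'",), style_hosts=("'self'",)) -> str:
    """Policy that allows only inline blocks carrying this response's nonce."""
    return "; ".join([
        "default-src 'none'",
        "script-src " + " ".join(list(script_hosts) + [f"'nonce-{nonce}'"]),
        "style-src " + " ".join(list(style_hosts) + [f"'nonce-{nonce}'"]),
    ])


def meta_tag(policy: str) -> str:
    """Render the policy the way the original post delivers it, as a <meta> tag."""
    return f'<meta http-equiv="Content-Security-Policy" content="{policy}">'


if __name__ == "__main__":
    print(meta_tag(hash_policy(SAMPLE_HTML)))
    nonce = new_nonce()
    print(meta_tag(nonce_policy(nonce)))
    print(add_nonces(SAMPLE_HTML, nonce))
```

Hashes suit static inline blocks that never change; a plugin that renders page-specific inline JavaScript or CSS would invalidate them on every change, which is why a per-response nonce is the usual answer. With a `<meta>` policy the nonce must be written into the HTML at render time, so any page cache in front of the site will serve a stale nonce that no longer matches the tags. Note also that `frame-ancestors`, `report-uri` and `sandbox` are ignored when the policy is delivered in a `<meta>` tag rather than an HTTP header.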

    Thread Starter Maiskolben

    (@maiskolben)

    thank you! M.


The topic ‘Content-Security-Policy’ is closed to new replies.