Css – CSP and inline styles from color picker
I am using CSP on my website to keep things locked down as much as possible. I have an HTML editor on the website, and I wanted to allow users to choose text colors from a color picker. This involves…
I have a React SPA with only one request to my Node.js + express server with header "Content-Security-Policy" set to default-src 'none'. However, it still loads everything. What am I doing wrong? P.S: incognito mode does…
I’ve tried to follow Mozilla guidelines for setting up report-uri in CSP-Report-Only mode. My CSP: function add_csp_header() { header("Content-Security-Policy-Report-Only: report-uri ".get_bloginfo('url')."/csp-endpoint; script-src 'self'"); //some more, since only one header is rejected } add_action('send_headers', 'add_csp_header',10); The csp-endpoint file at the…
We're updating our Magento from 2.4.5-p7 to 2.4.5-p8. As you know, in Magento 2.4.5-p8 the CSP on the checkout page is now in restrict mode instead of report-only. We know now that the scripts inserted through our Magento modules/theme must be…
I'm trying to adjust the security headers. The server is Apache. The site is based on WordPress. I've already modified this file ten times, I've uploaded it to the server ten times and I still haven't figured out what I'm…
I have an HTML page that is designed to be iframed into a different website. With a CSP frame-ancestors directive I can restrict in which pages it is allowed to be iframed. This disallows iframing into the wrong site which…
I have a big legacy web app that needs to be made CSP (content security policy) compliant. It is full of inline event handlers, e.g. onclick="alert('hello')". I am trying to write some JS which will scan the page on load…
I have tried to add Auth0 to my application, which works locally but when I deploy to an S3 bucket I get the following error: "Refused to connect to 'https://dev-.us.auth0.com/oauth/token' because it violates the following Content Security Policy directive: "default-src…
I have implemented the CSP policy in my React app: CSP policy: <meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self';"> It blocked all the @import statements in my React components because, during rendering in React, it took the styles from the bundle.…
So I've enabled CSP in my Laravel Website and it runs perfectly fine on localhost. However, the problem occurred when deploying the Website on a Linux server using a domain, it gave me an error. Refused to send form data…