CSP setting kills site in Chrome with ERR_HTTP2_PROTOCOL_ERROR - google-chrome

I am adding Security Headers to my website. I am running an Nginx server.
I have used the "Content Security Policy (CSP) Generator" chrome extension to create my CSP settings.
The CSP statement added to nginx ssl.conf are:
add_header Content-Security-Policy "default-src 'self';
script-src 'report-sample' 'self' https://maps.googleapis.com/.../util.js;
style-src 'report-sample' 'self' https://code.jquery.com https://fonts.googleapis.com;
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self' https://fonts.gstatic.com;
frame-src 'self';
img-src 'self' data: https://code.jquery.com https://maps.gstatic.com;
manifest-src 'self';
media-src 'self';
report-uri https://???.endpoint.csper.io/;
worker-src 'none';";
The only browser these settings seems to work in is Firefox.
When I load the site in Chrome (v77.01) the site does not load. It shows the same result in Edge (Version 83.0.478.54), Safari and Opera.
I see the following info:
This site can’t be reached The webpage at https:domain.com might be temporarily down or it may have moved permanently to a new web address. ERR_HTTP2_PROTOCOL_ERROR
The ssl certificate is Lets Encrypt and is set to expire in Sept 2020.
Any advice would be greatly appreciated.
Cheers
Greg J

ok this has been fixed and as usual its really basic, feeling a bit of a douche...
Chrome browser does not like linefeeds in the CSP statement. once I made the statement a single line it worked perfectly.

Related

CSP behavior while sending Different CSP header value in different calls

I want to understand how the CSP will be applied when different REST responses in the page have different header value for CSP. We dont have any meta tag for CSP. CSP is applied only through response headers.
Lets take the scenarios of 3 APIs
GET /api/v1/users - Content-Security-Policy: default-src 'self' google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com
GET /api/v1/roles - Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'
GET /api/v1/permission - Content-Security-Policy: default-src 'self' google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com
In this case, what will be the CSP considered by the browser for subsequent requests?
Also, in my understanding, server sets the CSP in the response header to inform browser about what content will be allowed going forward. is that correct?
A CSP determines what resources can be loaded on a page and is only applied on pages that are rendered in the browser, typically with content type "text/html". So there is no benefit in setting it on images, scripts, styles etc.
The CSP that makes sense for an API is frame-ancestors 'none', see https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers for an explanation.

CSP Policy: Firefox VS Chrome

I'm trying to do a porting of an Chrome Extension to use it on Firefox.
The extension just display some informations about the Jira ticket in Github website. In Chrome it looks like:
Everything works well after change few things, except loading images from Atlassian (Jira) website.
Due to some CSP block:
Content Security Policy: The page's settings blocked the loading of a resource at https://myproject.atlassian.net/images/icons/statuses/generic.png ("img-src").
What I don't understand, is that Content-Security-Policy: img-src is supported by both Chrome & Firefox since almost 10 years. So why do they act different?
The content-security-policy header contains for img-src:
img-src
'self'
data:
github.githubassets.com
identicons.github.com
github-cloud.s3.amazonaws.com
secured-user-images.githubusercontent.com/
github-production-user-asset-6210df.s3.amazonaws.com
*.githubusercontent.com;
Full policy:
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimize…ithubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ github-production-user-asset-6210df.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
So I understand why Firefox refuse to load it. But why Chrome do it without any problem?

Content Security Policy violation event is not triggered

I'm trying to setup CSP headers for my application. I have intentionally left out our CDN from font-src
and style-src directives so that violation is triggered. I can see the violations on the Chrome Dev Tools console but the request to the csp-endpoint specified in the header is not triggered. I have tried by setting the report-uri attribute but that didn't help either. I'm testing this on Chrome 84 which is supposed to support report-to directive. Is there anything I'm missing here?
Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com; style-src 'self' data: 'unsafe-inline' www.tagmanager.google.com www.fonts.googleapis.com fast.fonts.net; img-src 'self' data: www.googletagmanager.com www.google-analytics.com; form-action 'self'; font-src 'self'; connect-src 'self'; report-to csp-endpoint
Report-To: {"endpoints":[{"url":"http://localhost:8080/myapp/csp-violation-report"}],"group":"csp-endpoint","max_age":10886400}
report-to endpoints should have a secure context (actually - https:). Non-secure endpoints will be ignored.
There is some problems with resolving of localhost name, not all user agents treat it as trustworthy. The localhost should conforms to the specific (para 5) name resolution rules (pls see Let 'localhost' be localhost RFC update).
Briefly - try to use https://127.0.0.1:8080/myapp/csp-violation-report. May be a secure https: https://localhost:8080/myapp/csp-violation-report will be enough for Chrome (Chrome 84 supports the report-to directive, but Firefox - does not).

Chrome shows frame-src error even if using object

i have the following Html
<object data="https://mybucket.s3-us-west-2.amazonaws.com/myfile.pdf" class="t-document-view" type="application/pdf"></object>
and the following CSP
"default-src 'none'; script-src 'self' 'nonce-{0}' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src https://*.s3-us-west-2.amazonaws.com; connect-src 'self'; child-src 'self'; report-uri /csp/report;"
On all the machine with chrome browser we can view PDF without issue. However, one of our machine we are getting error
Refused to frame 'https://mybucket.s3-us-west-2.amazonaws.com/'
because it violates the following Content Security Policy directive:
"child-src 'self'". Note that 'frame-src' was not explicitly set, so
'child-src' is used as a fallback.
To get rid of the error i have temporarily added frame-src https://*.s3-us-west-2.amazonaws.com; and its working
I have already set object-src so not sure why its trying to implement frame-src policy when we are not using frame?
Google Chrome is up to date
Version 76.0.3809.132 (Official Build) (64-bit)

Compromised Chrome? Modified Content-Security-Policy

My application is being reverse proxied by Nginx.
I've setup Nginx to add a Content-Security-Policy header to the response. This is working perfectly and I can see the header returned from Chrome as well as CURL from a number of machines.
From a particular machine I'm seeing something very strange. Chrome is showing only a small portion of the Content-Security-Policy header was returned in the response, leaving out a number of key policies. When using a different browser on the same machine the headers are all returned.
Apologies if this is a silly question but could it be that a binary or something else in Chrome has been modified and is modifying the Content-Security-Policy header? I understand how ridiculous that sounds and there could be something I don't understand about CSP.
Could someone help me understand what is happening here?
What most machines are getting:
Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'self'
What this one particular machine is getting:
Content-Security-Policy:default-src 'self';
Eureka! I have the answer.
It looks like ESET was inspecting and modifying the headers in the request. You can switch this off quite easily.