Chrome shows frame-src error even if using object - google-chrome

I have the following HTML:
<object data="https://mybucket.s3-us-west-2.amazonaws.com/myfile.pdf" class="t-document-view" type="application/pdf"></object>
and the following CSP:
"default-src 'none'; script-src 'self' 'nonce-{0}' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src https://*.s3-us-west-2.amazonaws.com; connect-src 'self'; child-src 'self'; report-uri /csp/report;"
On all the machines with the Chrome browser we can view the PDF without issue. However, on one of our machines we are getting this error:
Refused to frame 'https://mybucket.s3-us-west-2.amazonaws.com/'
because it violates the following Content Security Policy directive:
"child-src 'self'". Note that 'frame-src' was not explicitly set, so
'child-src' is used as a fallback.
To get rid of the error I have temporarily added frame-src https://*.s3-us-west-2.amazonaws.com; and it's working.
I have already set object-src, so I'm not sure why it's trying to implement the frame-src policy when we are not using a frame?
Google Chrome is up to date
Version 76.0.3809.132 (Official Build) (64-bit)
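The fallback named in the Chrome error above, as an added example (not code from the original post): a simplified resolver that shows which directive governs the S3 URL when it is treated as an object and when it is treated as a frame. The origin `https://app.example` is an assumed placeholder for the embedding site, and source matching covers only `'self'` and `scheme://host` with an optional `*.` wildcard.

```javascript
// Policy as posted in the question; SELF is an assumed placeholder origin.
const QUESTION_POLICY =
  "default-src 'none'; script-src 'self' 'nonce-{0}' 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; " +
  "object-src https://*.s3-us-west-2.amazonaws.com; connect-src 'self'; " +
  "child-src 'self'; report-uri /csp/report;";
const SELF = "https://app.example";
const PDF = "https://mybucket.s3-us-west-2.amazonaws.com/myfile.pdf";

// Fallback chains for the two fetch directives involved here.
const FALLBACK = {
  "frame-src": ["frame-src", "child-src", "default-src"],
  "object-src": ["object-src", "default-src"],
};

// Serialized policy -> Map(directive name -> source list). First wins on repeats.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [rawName, ...sources] = part.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Simplified matching: 'self', 'none', and scheme://host with an optional
// leading "*." label. Ports, paths and scheme upgrades are not modelled.
function allows(sources, url, selfOrigin) {
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === selfOrigin;
    const m = /^(https?):\/\/(\*\.)?([^\/:]+)$/.exec(src);
    if (!m || target.protocol !== m[1] + ":") return false;
    return m[2] ? target.hostname.endsWith("." + m[3]) : target.hostname === m[3];
  });
}

// Which directive governs a load of `kind`, and does it allow `url`?
function check(policy, kind, url, selfOrigin = SELF) {
  const directives = parseCsp(policy);
  const name = FALLBACK[kind].find((d) => directives.has(d));
  if (!name) return { governedBy: null, allowed: true };
  return { governedBy: name, allowed: allows(directives.get(name), url, selfOrigin) };
}

console.log(check(QUESTION_POLICY, "object-src", PDF)); // governed by object-src
console.log(check(QUESTION_POLICY, "frame-src", PDF));  // governed by child-src
```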

Related

CSP Policy: Firefox VS Chrome

I'm trying to port a Chrome Extension to use it on Firefox.
The extension just displays some information about the Jira ticket on the GitHub website. In Chrome it looks like:
Everything works well after change few things, except loading images from Atlassian (Jira) website.
Due to some CSP block:
Content Security Policy: The page's settings blocked the loading of a resource at https://myproject.atlassian.net/images/icons/statuses/generic.png ("img-src").
What I don't understand is that Content-Security-Policy: img-src has been supported by both Chrome & Firefox for almost 10 years. So why do they act differently?
The content-security-policy header contains for img-src:
img-src
'self'
data:
github.githubassets.com
identicons.github.com
github-cloud.s3.amazonaws.com
secured-user-images.githubusercontent.com/
github-production-user-asset-6210df.s3.amazonaws.com
*.githubusercontent.com;
Full policy:
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimize…ithubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ github-production-user-asset-6210df.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
So I understand why Firefox refuses to load it. But why does Chrome do it without any problem?

CSP setting kills site in Chrome with ERR_HTTP2_PROTOCOL_ERROR

I am adding Security Headers to my website. I am running an Nginx server.
I have used the "Content Security Policy (CSP) Generator" chrome extension to create my CSP settings.
The CSP statement added to nginx ssl.conf is:
add_header Content-Security-Policy "default-src 'self';
script-src 'report-sample' 'self' https://maps.googleapis.com/.../util.js;
style-src 'report-sample' 'self' https://code.jquery.com https://fonts.googleapis.com;
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self' https://fonts.gstatic.com;
frame-src 'self';
img-src 'self' data: https://code.jquery.com https://maps.gstatic.com;
manifest-src 'self';
media-src 'self';
report-uri https://???.endpoint.csper.io/;
worker-src 'none';";
The only browser these settings seem to work in is Firefox.
When I load the site in Chrome (v77.01) the site does not load. It shows the same result in Edge (Version 83.0.478.54), Safari and Opera.
I see the following info:
This site can’t be reached The webpage at https:domain.com might be temporarily down or it may have moved permanently to a new web address. ERR_HTTP2_PROTOCOL_ERROR
The SSL certificate is Let's Encrypt and is set to expire in Sept 2020.
Any advice would be greatly appreciated.
Cheers
Greg J
OK, this has been fixed and as usual it's really basic, feeling a bit of a douche...
The Chrome browser does not like linefeeds in the CSP statement. Once I made the statement a single line it worked perfectly.
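A lint for the failure this answer reports, as an added example (not code from the original post): it finds double-quoted nginx `add_header` values that span several lines and returns a single-line replacement for each. The sample configuration is constructed for illustration; single-quoted values are not handled.

```javascript
// Constructed sample: one well-formed header, one CSP split across lines.
const SAMPLE_CONF = [
  'add_header X-Frame-Options "SAMEORIGIN";',
  "add_header Content-Security-Policy \"default-src 'self';",
  "object-src 'none';",
  "frame-src 'self';\";",
].join("\n");

// Return every add_header whose quoted value contains CR or LF, with the
// line it starts on and the value collapsed onto a single line.
function findMultilineHeaders(conf) {
  const findings = [];
  // add_header <name> "<value>"; the value may contain escaped quotes and
  // may (wrongly) run over several lines.
  const re = /add_header\s+([A-Za-z0-9-]+)\s+"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(conf)) !== null) {
    if (!/[\r\n]/.test(m[2])) continue; // already a single line
    findings.push({
      header: m[1],
      line: conf.slice(0, m.index).split("\n").length,
      singleLine: m[2].split(/\s*[\r\n]+\s*/).join(" ").trim(),
    });
  }
  return findings;
}

for (const f of findMultilineHeaders(SAMPLE_CONF)) {
  console.log(`line ${f.line}: ${f.header} contains line breaks`);
  console.log(`  add_header ${f.header} "${f.singleLine}";`);
}
```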

CSP nonce isn't working in older versions of Chrome

I have the following CSP header:
Content-Security-Policy:default-src 'self'; connect-src 'self' https://*.example.com; script-src 'nonce-OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm' 'self' data: https://*.google-analytics.com https://*.facebook.net 'unsafe-eval'; style-src 'self' https://*.fonts.net 'unsafe-inline'; img-src 'self' data: https://media.example.com https://*.google-analytics.com https://*.doubleclick.net https://*.facebook.com http: https:; media-src 'self' data: https://media.example.com
And the following script element:
<script type="text/javascript" nonce="OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm">var data="some data";</script>
It works fine in modern browsers, but in versions of Chrome <= 40 I see the following error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-OWEwM2Q2YWMtYjc5NS00NmQxLWI3MGItNWRiNGJkOGNlNzZm' 'self' data: https://*.google-analytics.com https://*.facebook.net 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
I've done some Googling and haven't found any other relevant references to this error. Anyone know what's going wrong?

Implementing a content security policy with Jekyll

My content security policy is the following:
Content-Security-Policy: default-src 'self' https://fonts.googleapis.com https://ajax.googleapis.com; script-src 'self' https://fonts.googleapis.com https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' ; font-src 'self' https://fonts.googleapis.com; connect-src 'self' https://ajax.googleapis.com; media-src 'self' ; object-src 'self' ; child-src 'self' ; frame-ancestors 'self' ; form-action 'none' ; sandbox allow-same-origin allow-scripts allow-pointer-lock;
You can partially implement it with meta http-equiv, but it does not allow you frame ancestors and sandboxing, from what I understand. You need to send an HTTP header. However, my web host does not allow PHP commands coming from HTML files and I would like to avoid it anyway.
Long story short, what are my options to implement this policy while using Jekyll as a generator?
To test locally, you can specify custom headers with Jekyll. In your _config.yml add:
# Custom headers
webrick:
  headers:
    Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
    My-Other-Header: My-Other-Value
source: https://jekyllrb.com/docs/configuration/#custom-webrick-headers
It sounds like you've quasi-answered your own question, but you may not like the answer. Jekyll is simply a static HTML generation tool. It doesn't have the ability to do anything besides generate HTML which includes inline HTML headers.
If you don't have access to the web server (nginx, apache, passenger standalone, etc.) and as such can't write your headers from your server configuration file, then you'll have to find a way to generate the appropriate headers in your Jekyll template.
You should be able to set custom headers by setting the http-equiv properly in your Jekyll layout file (probably _layouts/default.html). Adding the following to this file should help your http-equiv CSP meta tag be included in all HTML pages generated by Jekyll with the default layout:
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self' https://fonts.googleapis.com https://ajax.googleapis.com; script-src 'self' https://fonts.googleapis.com https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' ; font-src 'self' https://fonts.googleapis.com; connect-src 'self' https://ajax.googleapis.com; media-src 'self' ; object-src 'self' ; child-src 'self' ; frame-ancestors 'self' ; form-action 'none' ; sandbox allow-same-origin allow-scripts allow-pointer-lock;" />
PS - I realize this doesn't address the frame-ancestors piece you mentioned. Unfortunately I don't know the answer to that besides working with your web host provider to see if you can get them to insert your CSP header into your site configuration somehow.
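The meta-versus-header limitation discussed in this thread, as an added example (not code from the original posts): the CSP specification ignores `frame-ancestors`, `sandbox` and `report-uri` when the policy arrives in a `<meta>` element, so this helper builds the tag from the remaining directives and lists the ones that still need a real response header. It uses the standard `Content-Security-Policy` name for `http-equiv`; the sample policy is abbreviated from the question.

```javascript
// Abbreviated from the policy in the question (sample input for this example).
const SAMPLE_POLICY =
  "default-src 'self' https://fonts.googleapis.com; img-src 'self' ; " +
  "frame-ancestors 'self' ; form-action 'none' ; " +
  "sandbox allow-same-origin allow-scripts allow-pointer-lock;";

// Directives the CSP specification says are ignored in a <meta> element.
const HEADER_ONLY = new Set(["frame-ancestors", "sandbox", "report-uri"]);

// Split a serialized policy into directives usable in <meta> and the rest.
function splitForMeta(policy) {
  const meta = [];
  const headerOnly = [];
  for (const part of policy.split(";")) {
    const directive = part.trim().replace(/\s+/g, " ");
    if (!directive) continue; // trailing ";" or empty segment
    const name = directive.split(" ")[0].toLowerCase();
    (HEADER_ONLY.has(name) ? headerOnly : meta).push(directive);
  }
  return { meta, headerOnly };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Build the tag for a layout file and report what it cannot enforce.
function buildMetaTag(policy) {
  const { meta, headerOnly } = splitForMeta(policy);
  const content = escapeAttr(meta.join("; "));
  return {
    tag: `<meta http-equiv="Content-Security-Policy" content="${content}">`,
    headerOnly,
  };
}

const result = buildMetaTag(SAMPLE_POLICY);
console.log(result.tag);
console.log("Needs an HTTP response header:", result.headerOnly);
```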

Opening a PDF embedded in iframe in chrome with content security policy > plugin-types

I have the CSP (Content-security-policy) plugin-types policy set to white-list the PDF type as below. When trying to open a PDF file in an iframe with the src attribute, it is working well with browsers IE 11 and Firefox 47+ but failing in Chrome 50+. What else is required to make it work in Chrome?
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self'; frame-src 'self' plugin-types application/pdf;
Error in Chrome console:
Resource interpreted as Document but transferred with MIME type application/pdf
Refused to load 'http://127.0.0.1/module123/open.do?id=10000' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/pdf'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
I had a similar problem.
To resolve the problem, I needed to add blob: to the object-src directive.
Also, I did not need to specify plugin-type.
So it would be:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' blob:; style-src 'self'; frame-src 'self';