CodeIgniter Forums
problem with ContentSecurityPolicy - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: CodeIgniter 4 (https://forum.codeigniter.com/forumdisplay.php?fid=28)
+--- Forum: CodeIgniter 4 Support (https://forum.codeigniter.com/forumdisplay.php?fid=30)
+--- Thread: problem with ContentSecurityPolicy (/showthread.php?tid=80397)



problem with ContentSecurityPolicy - Secux - 10-27-2021

I enabled 'public $CSPEnabled = true;' and tried to adjust ContentSecurityPolicy.php, but it doesn't work.
I tried all possible options:
https://website.com
https://*.website.com
*.website.com
https://website.com/
https://*.website.com/
*.website.com/


I don't even want to talk about subdomains ...

I'm asking for help

error:
Code:
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 36)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 336)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 477)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 615)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 652)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 689)

PHP Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *
 * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 */
class ContentSecurityPolicy extends BaseConfig
{
    //-------------------------------------------------------------------------
    // Broadbrush CSP management
    //-------------------------------------------------------------------------

    /**
     * Default CSP report context
     *
     * @var boolean
     */
    public $reportOnly = false;

    /**
     * Specifies a URL where a browser will send reports
     * when a content security policy is violated.
     *
     * @var string|null
     */
    public $reportURI = null;

    /**
     * Instructs user agents to rewrite URL schemes, changing
     * HTTP to HTTPS. This directive is for websites with
     * large numbers of old URLs that need to be rewritten.
     *
     * @var boolean
     */
    public $upgradeInsecureRequests = false;

    //-------------------------------------------------------------------------
    // Sources allowed
    // Note: once you set a policy to 'none', it cannot be further restricted
    //-------------------------------------------------------------------------

    /**
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $defaultSrc = ['https://website.com'];

    /**
     * Lists allowed scripts' URLs.
     *
     * @var string|string[]
     */
    public $scriptSrc = ['https://website.com'];

    /**
     * Lists allowed stylesheets' URLs.
     *
     * @var string|string[]
     */
    public $styleSrc = ['https://*.website.com'];

    /**
     * Defines the origins from which images can be loaded.
     *
     * @var string|string[]
     */
    public $imageSrc = ['https://website.com'];

    /**
     * Restricts the URLs that can appear in a page's `<base>` element.
     *
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $baseURI = ['https://website.com'];

    /**
     * Lists the URLs for workers and embedded frame contents
     *
     * @var string|string[]
     */
    public $childSrc = ['https://website.com'];

    /**
     * Limits the origins that you can connect to (via XHR,
     * WebSockets, and EventSource).
     *
     * @var string|string[]
     */
    public $connectSrc = ['https://website.com'];

    /**
     * Specifies the origins that can serve web fonts.
     *
     * @var string|string[]
     */
    public $fontSrc = null;

    /**
     * Lists valid endpoints for submission from `<form>` tags.
     *
     * @var string|string[]
     */
    public $formAction = ['https://website.com'];

    /**
     * Specifies the sources that can embed the current page.
     * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
     * and `<applet>` tags. This directive can't be used in
     * `<meta>` tags and applies only to non-HTML resources.
     *
     * @var string|string[]|null
     */
    public $frameAncestors = null;

    /**
     * The frame-src directive restricts the URLs which may
     * be loaded into nested browsing contexts.
     *
     * @var array|string|null
     */
    public $frameSrc = null;

    /**
     * Restricts the origins allowed to deliver video and audio.
     *
     * @var string|string[]|null
     */
    public $mediaSrc = null;

    /**
     * Allows control over Flash and other plugins.
     *
     * @var string|string[]
     */
    public $objectSrc = ['https://website.com'];

    /**
     * @var string|string[]|null
     */
    public $manifestSrc = null;

    /**
     * Limits the kinds of plugins a page may invoke.
     *
     * @var string|string[]|null
     */
    public $pluginTypes = null;

    /**
     * List of actions allowed.
     *
     * @var string|string[]|null
     */
    public $sandbox = null;
}




RE: problem with ContentSecurityPolicy - donpwinston - 10-29-2021

You need to do the CI equivalent of the following:

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://website.com"

You are apparently using some inline javascript or whatever. I don't know which CI property does that. The above Header command is how you would do it in an Apache httpd.conf file or maybe in .htaccess.
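The browser errors in the first post are not about which hosts are listed: a stylesheet inside a `<style>` block or a `style` attribute is only allowed by a nonce, a hash, or `'unsafe-inline'`, and the posted config provides none of those. The Apache header in the reply fixes the symptom with `'unsafe-inline'`, which also lets through any inline style or script that an injection manages to place on the page. Below is an added example, not code from this thread or from the CodeIgniter project, of the narrower CI4-native fix: keep the host list and tag each inline block with a per-request nonce. It assumes the bare `self` / `none` keyword convention that CI4's shipped config uses (the framework quotes them in the emitted header), the `{csp-style-nonce}` and `{csp-script-nonce}` view placeholders from the CI4 user guide, and a hypothetical `/csp-report` route in this app.

```php
<?php
// Added example (not code from this thread or from the CodeIgniter project):
// app/Config/ContentSecurityPolicy.php reduced to the directives that matter
// for the "Refused to apply a stylesheet" error. Properties left out keep
// the defaults of the config file CI4 ships.

namespace Config;

use CodeIgniter\Config\BaseConfig;

class ContentSecurityPolicy extends BaseConfig
{
    // Roll the policy out in report-only mode first: CI4 then sends
    // Content-Security-Policy-Report-Only, so the browser logs violations
    // but blocks nothing. Set this to false once the report log stays
    // empty on every page, including the 'profiles' page from the thread.
    public $reportOnly = true;

    // Hypothetical route in this app that stores the JSON violation reports
    // the browser POSTs; any endpoint that logs the request body will do.
    public $reportURI = '/csp-report';

    // Bare 'self' is the convention of CI4's own config; the framework emits
    // it as 'self', meaning the page's own scheme + host + port.
    public $defaultSrc = 'self';

    // A host pattern with a leading wildcard matches subdomains only, so
    // '*.website.com' by itself never matches https://website.com/...;
    // list the apex host separately when assets live on both.
    public $scriptSrc = ['self', 'https://website.com'];
    public $styleSrc  = ['self', 'https://website.com', 'https://*.website.com'];

    // The weak equivalent of the Apache header in the reply would be:
    //   public $styleSrc = ['self', 'unsafe-inline', 'https://website.com'];
    // It silences the six errors but also allows every inline style,
    // including injected ones. The preferred fix keeps the list above and
    // marks each inline block in the view with the nonce placeholder:
    //   <style {csp-style-nonce}> ... </style>
    //   <script {csp-script-nonce}> ... </script>
    // CI4 replaces the placeholder with nonce="<random value per request>"
    // and appends the matching 'nonce-...' source to style-src / script-src.

    public $imageSrc   = ['self', 'https://website.com'];
    public $connectSrc = ['self', 'https://website.com'];
    public $fontSrc    = ['self', 'https://website.com'];

    // No other site may frame this one. Browsers ignore frame-ancestors in
    // a <meta> tag; it only works as a response header, which is how CI4
    // delivers the policy.
    public $frameAncestors = 'none';

    // Rewrites http:// asset URLs to https:// on the client instead of
    // triggering mixed-content blocks.
    public $upgradeInsecureRequests = true;
}
```

The header is only emitted while `$CSPEnabled = true` in app/Config/App.php, which the original poster already has. A single page that needs an extra CDN can widen its own policy without touching the config, through the response's CSP object (`$this->response->CSP->addStyleSrc('https://cdn.website.com')` in the 4.1-era API). To confirm the fix, load the 'profiles' page with report-only on: the console still lists a violation for every inline `<style>` block that lacks the placeholder, and each one disappears as the nonce is added; only then switch `$reportOnly` back to false.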