problem with ContentSecurityPolicy
#1

(This post was last modified: 10-27-2021, 12:31 PM by Secux.)

I enabled 'public $CSPEnabled = true;' and am trying to adjust ContentSecurityPolicy.php, but it doesn't work.
I tried all possible options:
https://website.com
https://*.website.com
*.website.com
https://website.com/
https://*.website.com/
*.website.com/


I don't even want to talk about subdomains ...

I'm asking for help

error:
Code:
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 36)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 336)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 477)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 615)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 652)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 689)

PHP Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *
 * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 */
class ContentSecurityPolicy extends BaseConfig
{
    //-------------------------------------------------------------------------
    // Broadbrush CSP management
    //-------------------------------------------------------------------------

    /**
     * Default CSP report context
     *
     * @var boolean
     */
    public $reportOnly = false;

    /**
     * Specifies a URL where a browser will send reports
     * when a content security policy is violated.
     *
     * @var string|null
     */
    public $reportURI = null;

    /**
     * Instructs user agents to rewrite URL schemes, changing
     * HTTP to HTTPS. This directive is for websites with
     * large numbers of old URLs that need to be rewritten.
     *
     * @var boolean
     */
    public $upgradeInsecureRequests = false;

    //-------------------------------------------------------------------------
    // Sources allowed
    // Note: once you set a policy to 'none', it cannot be further restricted
    //-------------------------------------------------------------------------

    /**
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $defaultSrc = ['https://website.com'];

    /**
     * Lists allowed scripts' URLs.
     *
     * @var string|string[]
     */
    public $scriptSrc = ['https://website.com'];

    /**
     * Lists allowed stylesheets' URLs.
     *
     * @var string|string[]
     */
    public $styleSrc = ['https://*.website.com'];

    /**
     * Defines the origins from which images can be loaded.
     *
     * @var string|string[]
     */
    public $imageSrc = ['https://website.com'];

    /**
     * Restricts the URLs that can appear in a page's `<base>` element.
     *
     * Will default to self if not overridden
     *
     * @var string|string[]|null
     */
    public $baseURI = ['https://website.com'];

    /**
     * Lists the URLs for workers and embedded frame contents
     *
     * @var string|string[]
     */
    public $childSrc = ['https://website.com'];

    /**
     * Limits the origins that you can connect to (via XHR,
     * WebSockets, and EventSource).
     *
     * @var string|string[]
     */
    public $connectSrc = ['https://website.com'];

    /**
     * Specifies the origins that can serve web fonts.
     *
     * @var string|string[]
     */
    public $fontSrc = null;

    /**
     * Lists valid endpoints for submission from `<form>` tags.
     *
     * @var string|string[]
     */
    public $formAction = ['https://website.com'];

    /**
     * Specifies the sources that can embed the current page.
     * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
     * and `<applet>` tags. This directive can't be used in
     * `<meta>` tags and applies only to non-HTML resources.
     *
     * @var string|string[]|null
     */
    public $frameAncestors = null;

    /**
     * The frame-src directive restricts the URLs which may
     * be loaded into nested browsing contexts.
     *
     * @var array|string|null
     */
    public $frameSrc = null;

    /**
     * Restricts the origins allowed to deliver video and audio.
     *
     * @var string|string[]|null
     */
    public $mediaSrc = null;

    /**
     * Allows control over Flash and other plugins.
     *
     * @var string|string[]
     */
    public $objectSrc = ['https://website.com'];

    /**
     * @var string|string[]|null
     */
    public $manifestSrc = null;

    /**
     * Limits the kinds of plugins a page may invoke.
     *
     * @var string|string[]|null
     */
    public $pluginTypes = null;

    /**
     * List of actions allowed.
     *
     * @var string|string[]|null
     */
    public $sandbox = null;
}

Reply
#2

(This post was last modified: 10-29-2021, 07:26 AM by donpwinston.)

You need to do the CI equivalent of the following:

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://website.com"

You are apparently using some inline JavaScript or whatever. I don't know which CI property does that. The above Header command is how you would do it in an Apache httpd.conf file or maybe in .htaccess.
Simpler is always better
Reply
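The browser error in post #1 and the 'unsafe-inline' suggestion in post #2 come down to how a browser evaluates the style-src directive, so here is an added example (not code from the thread, from CodeIgniter, or from either poster) that mirrors that evaluation offline. It parses a Content-Security-Policy header value, checks whether an external stylesheet URL is allowed by host sources such as https://*.website.com, and checks whether an inline <style> block is allowed by 'unsafe-inline', a nonce, or a sha256 hash. The header strings, the page origin https://website.com and the inline CSS text are constructed for the demo; the matcher ignores ports and paths, which is a simplification of the CSP3 algorithm. CodeIgniter builds the header from the config properties shown above; this block only evaluates such a header.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as style-src fall back to default-src when they are absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def host_source_matches(expr, url, page_origin):
    """Match one 'self' / scheme-source / host-source expression against a fetched URL.
    Ports and paths are ignored (simplification of the CSP3 matching algorithm)."""
    expr = expr.lower()
    target = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
        return False
    if expr == "*":
        return target.scheme in ("http", "https")
    if expr.endswith(":"):  # scheme-source such as "https:"
        return target.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if scheme:
        if target.scheme != scheme:
            return False
    elif target.scheme != page.scheme and not (page.scheme == "http" and target.scheme == "https"):
        return False  # without a scheme the page's scheme applies (http pages may upgrade to https)
    target_host = (target.hostname or "").lower()
    if host.startswith("*."):
        # "*.website.com" covers cdn.website.com but NOT the bare apex website.com
        return target_host.endswith(host[1:])
    return target_host == host


def external_style_allowed(policy, page_origin, url):
    """Would <link rel="stylesheet" href=url> be allowed by style-src (or default-src)?"""
    return any(host_source_matches(s, url, page_origin)
               for s in effective_sources(policy, "style-src"))


def style_hash_source(style_text):
    """The 'sha256-...' source expression for an inline <style> block: hash of its exact text."""
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(policy, style_text, nonce=None):
    """Mirror the check behind the thread's error message: an inline <style> block needs
    'unsafe-inline', a matching 'nonce-...' or a matching hash in style-src. Host sources
    such as https://*.website.com never apply to inline content."""
    sources = effective_sources(policy, "style-src")
    keywords = {s.lower() for s in sources}
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if style_hash_source(style_text) in sources:
        return True
    has_nonce_or_hash = any(s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present in the directive
    return "'unsafe-inline'" in keywords and not has_nonce_or_hash


def demo():
    """Constructed scenario: the poster's config, the reply's suggestion, and a hash-based alternative."""
    page = "https://website.com"
    inline = "body { color: #333; }"  # constructed stand-in for the blocked inline <style> block
    posters = parse_csp("default-src https://website.com; style-src https://*.website.com")
    reply = parse_csp("default-src 'self' 'unsafe-inline' https://website.com")
    hashed = parse_csp("default-src 'self'; style-src 'self' " + style_hash_source(inline))
    return {
        "poster_inline": inline_style_allowed(posters, inline),
        "poster_apex_css": external_style_allowed(posters, page, "https://website.com/site.css"),
        "poster_subdomain_css": external_style_allowed(posters, page, "https://cdn.website.com/site.css"),
        "reply_inline": inline_style_allowed(reply, inline),
        "hashed_inline": inline_style_allowed(hashed, inline),
        "hashed_edited_inline": inline_style_allowed(hashed, inline + " "),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allowed' if allowed else 'blocked'}")
```

The demo shows why none of the host patterns in post #1 could help: the inline block is rejected until style-src carries 'unsafe-inline', a nonce, or its hash, and https://*.website.com additionally fails to cover stylesheets served from the apex domain itself. The hashed policy is the lockdown-preserving alternative to 'unsafe-inline': the exact inline block is allowed, any edited copy of it is blocked, and no other inline CSS is admitted.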