Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums CodeIgniter 4 CodeIgniter 4 Support problem with ContentSecurityPolicy
problem with ContentSecurityPolicy
  • Offline Secux
    Junior Member
  • **
  • Posts: 28
    Threads: 16
    Joined: May 2021
    Reputation: 0
#1
10-27-2021, 12:30 PM
(This post was last modified: 10-27-2021, 12:31 PM by Secux.)

enabled 'public $ CSPEnabled = true;' and trying to adjust ContentSecurityPolicy.php ,but it doesn't work,
I tried all possible options:
https://website.com
https://*.website.com
*.website.com
https://website.com/
https://*.website.com/
*.website.com/

I don't even want to talk about subdomain ...

I'm asking for help

error:
Code:
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 36)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 336)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 477)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 615)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 652)
[Error] Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. (profiles, line 689)

PHP Code:
<?php

namespace Config;

use CodeIgniter\Config\BaseConfig;

/**
 * Stores the default settings for the ContentSecurityPolicy, if you
 * choose to use it. The values here will be read in and set as defaults
 * for the site. If needed, they can be overridden on a page-by-page basis.
 *
 * Suggested reference for explanations:
 *
 * @see https://www.html5rocks.com/en/tutorials/security/content-security-policy/
 */
class ContentSecurityPolicy extends BaseConfig
{
 //-------------------------------------------------------------------------
 // Broadbrush CSP management
 //-------------------------------------------------------------------------

 /**
 * Default CSP report context
 *
 * @var boolean
 */
 public $reportOnly false;

 /**
 * Specifies a URL where a browser will send reports
 * when a content security policy is violated.
 *
 * @var string|null
 */
 public $reportURI null;

 /**
 * Instructs user agents to rewrite URL schemes, changing
 * HTTP to HTTPS. This directive is for websites with
 * large numbers of old URLs that need to be rewritten.
 *
 * @var boolean
 */
 public $upgradeInsecureRequests false;

 //-------------------------------------------------------------------------
 // Sources allowed
 // Note: once you set a policy to 'none', it cannot be further restricted
 //-------------------------------------------------------------------------

 /**
 * Will default to self if not overridden
 *
 * @var string|string[]|null
 */
 public $defaultSrc = ['https://website.com'];

 /**
 * Lists allowed scripts' URLs.
 *
 * @var string|string[]
 */
 public $scriptSrc = ['https://website.com'];

 /**
 * Lists allowed stylesheets' URLs.
 *
 * @var string|string[]
 */
 public $styleSrc = ['https://*.website.com'];

 /**
 * Defines the origins from which images can be loaded.
 *
 * @var string|string[]
 */
 public $imageSrc = ['https://website.com'];

 /**
 * Restricts the URLs that can appear in a page's `<base>` element.
 *
 * Will default to self if not overridden
 *
 * @var string|string[]|null
 */
 public $baseURI = ['https://website.com'];

 /**
 * Lists the URLs for workers and embedded frame contents
 *
 * @var string|string[]
 */
 public $childSrc = ['https://website.com'];

 /**
 * Limits the origins that you can connect to (via XHR,
 * WebSockets, and EventSource).
 *
 * @var string|string[]
 */
 public $connectSrc = ['https://website.com'];

 /**
 * Specifies the origins that can serve web fonts.
 *
 * @var string|string[]
 */
 public $fontSrc null;

 /**
 * Lists valid endpoints for submission from `<form>` tags.
 *
 * @var string|string[]
 */
 public $formAction = ['https://website.com'];

 /**
 * Specifies the sources that can embed the current page.
 * This directive applies to `<frame>`, `<iframe>`, `<embed>`,
 * and `<applet>` tags. This directive can't be used in
 * `<meta>` tags and applies only to non-HTML resources.
 *
 * @var string|string[]|null
 */
 public $frameAncestors null;

 /**
 * The frame-src directive restricts the URLs which may
 * be loaded into nested browsing contexts.
 *
 * @var array|string|null
 */
 public $frameSrc null;

 /**
 * Restricts the origins allowed to deliver video and audio.
 *
 * @var string|string[]|null
 */
 public $mediaSrc null;

 /**
 * Allows control over Flash and other plugins.
 *
 * @var string|string[]
 */
 public $objectSrc = ['https://website.com'];

 /**
 * @var string|string[]|null
 */
 public $manifestSrc null;

 /**
 * Limits the kinds of plugins a page may invoke.
 *
 * @var string|string[]|null
 */
 public $pluginTypes null;

 /**
 * List of actions allowed.
 *
 * @var string|string[]|null
 */
 public $sandbox null;

Reply


Messages In This Thread
problem with ContentSecurityPolicy - by Secux - 10-27-2021, 12:30 PM



Theme © iAndrew 2016 - Forum software by © MyBB