Amin Shah Gilani

Reputation: 9826

Mozilla Observatory says I don't have a CSP, but I do

The Mozilla Observatory tests my website and says that I do not have a Content Security Policy implemented, but I do.

See here: https://observatory.mozilla.org/analyze.html?host=mailpenny.com

Is there a misconfiguration in this?

My browser gives me CSP errors in development that I had to fix before the site worked, and I can see the following in my headers when I do a GET / with Postman.

content-security-policy-report-only → default-src ‘none’; connect-src 'self'; font-src 'self' fonts.gstatic.com; img-src 'self'; script-src 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com,; report-uri https://payload.report-uri.io/r/default/csp/reportOnly

Upvotes: 0

Views: 1308

Answers (2)

ZAJDAN

Reputation: 131

I have the same problem; in my case I have this in my apache2 config:

Header set Content-Security-Policy  " script-src 'self' https://code.jquery.com http://ajax.googleapis.com 'unsafe-inline' 'unsafe-eval';font-src http://fonts.googleapis.com;   "

but Mozilla Observatory says: Content Security Policy (CSP) header cannot be parsed successfully

Upvotes: 1

dontcallmedom

Reputation: 2470

I see two reasons that are likely part of the explanation:

  • your CSP header contains invalid characters around "none" (as the value of default-src)
  • it's a report-only header, so it doesn't actually protect your site, it only reports things that don't respect the said policy

Upvotes: 2
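As an added example (not code from the question or from either answer), the script below lints a serialized Content-Security-Policy the way a strict parser such as the Observatory's would: it splits the policy into directives on `;` and values on whitespace, flags any non-ASCII byte (the curly quotes around `none` in the question), flags a comma glued onto a source (`fonts.googleapis.com,`), and records whether the header actually enforces anything or is report-only. The two sample policies are the one posted in the question and a corrected copy; the check names and the keyword list are my own choices, not part of any CSP tooling.

```javascript
// Added example: lint a serialized CSP for the problems discussed above.
// Constructed inputs: the question's header (with U+2018/U+2019 quotes and a stray
// comma) and a corrected version. Check names ("non-ascii", "stray-comma", ...) are
// assumptions of this example, not Observatory output.

const KEYWORD_SOURCES = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);

// Header field values are ASCII; curly quotes pasted from a document are a common
// way to end up with bytes a strict parser rejects.
function findNonAscii(serialized) {
  const hits = [];
  for (let i = 0; i < serialized.length; ) {
    const cp = serialized.codePointAt(i);
    if (cp > 0x7e || (cp < 0x20 && cp !== 0x09)) {
      hits.push({ index: i, codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0") });
    }
    i += cp > 0xffff ? 2 : 1;
  }
  return hits;
}

// Directives are separated by ';', values inside a directive by whitespace.
function parseCsp(serialized) {
  const directives = [];
  for (const piece of serialized.split(";")) {
    const tokens = piece.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. a trailing ';'
    directives.push({ name: tokens[0].toLowerCase(), values: tokens.slice(1) });
  }
  return directives;
}

function lintCsp(headerName, serialized) {
  const findings = [];
  const name = headerName.toLowerCase();
  const enforced = name === "content-security-policy";
  if (name === "content-security-policy-report-only") {
    findings.push({ code: "report-only", detail: "policy is only reported, never enforced" });
  } else if (!enforced) {
    findings.push({ code: "wrong-header", detail: `unexpected header name ${headerName}` });
  }
  for (const hit of findNonAscii(serialized)) {
    findings.push({ code: "non-ascii", detail: `${hit.codePoint} at offset ${hit.index}` });
  }
  const directives = parseCsp(serialized);
  const seen = new Set();
  for (const d of directives) {
    if (seen.has(d.name)) {
      findings.push({ code: "duplicate-directive", detail: `${d.name} repeated; browsers keep the first` });
    }
    seen.add(d.name);
    for (const v of d.values) {
      // A token in ASCII quotes must be a keyword, a nonce or a hash.
      const nonceOrHash = /^'(nonce|sha(256|384|512))-[A-Za-z0-9+/=_-]+'$/.test(v);
      if (v.startsWith("'") && !KEYWORD_SOURCES.has(v) && !nonceOrHash) {
        findings.push({ code: "unknown-keyword", detail: `${d.name}: ${v}` });
      }
      // Source lists are space separated; a comma is never part of a source expression.
      if (v.includes(",")) {
        findings.push({ code: "stray-comma", detail: `${d.name}: ${v}` });
      }
    }
    if (d.values.includes("'none'") && d.values.length > 1) {
      findings.push({ code: "none-with-sources", detail: `${d.name}: 'none' is ignored next to other sources` });
    }
  }
  return { enforced, findings, directives };
}

// The header from the question (quotes around none are U+2018/U+2019, not ASCII).
const QUESTION_HEADER = "default-src \u2018none\u2019; connect-src 'self'; font-src 'self' fonts.gstatic.com; img-src 'self'; script-src 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com,; report-uri https://payload.report-uri.io/r/default/csp/reportOnly";

// Same policy with ASCII quotes, the comma removed, and sent as the enforcing header.
const FIXED_HEADER = "default-src 'none'; connect-src 'self'; font-src 'self' fonts.gstatic.com; img-src 'self'; script-src 'self'; style-src 'unsafe-inline' 'self' fonts.googleapis.com; report-uri https://payload.report-uri.io/r/default/csp/reportOnly";

for (const [hdr, value] of [["content-security-policy-report-only", QUESTION_HEADER],
                            ["Content-Security-Policy", FIXED_HEADER]]) {
  const result = lintCsp(hdr, value);
  console.log(`${hdr}: ${result.enforced ? "enforced" : "not enforced"}, ${result.findings.length} finding(s)`);
  for (const f of result.findings) console.log(`  ${f.code}: ${f.detail}`);
}
```

Running it reports three kinds of findings for the question's header (report-only, two non-ASCII code points, one stray comma) and none for the corrected one. The non-ASCII check is the one that matters most in practice: a policy that fails to parse is treated as absent, so a single smart quote silently turns the whole header off.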
