MathKimRobin

Reputation: 1460

External links don't work when running CSP

I have run into a surprising problem. If I don't enable my CSP config, there is no problem, everything works fine. But when I activate CSP, internal links work normally, but external ones don't. On my website (for example here, https://www.matosmaison.fr/avis/perceuses-visseuses/ryobi-rpd1200k) I have links to amazon, zanox and other similar sites. These links don't work when using CSP.

What do you think my mistake in this config is?

    "csp": {
        "defaultSrc": [
            "'self'",
            "www.matosmaison.fr",
            "cdn.matosmaison.fr",
            "www.google-analytics.com",
            "images-na.ssl-images-amazon.com",
            "youtube.com",
            "www.youtube.com",
            "googleads.g.doubleclick.net"
        ],
        "scriptSrc": [
            "'self'",
            "www.matosmaison.fr",
            "cdn.matosmaison.fr",
            "www.google-analytics.com",
            "images-na.ssl-images-amazon.com",
            "youtube.com",
            "www.youtube.com",
            "googleads.g.doubleclick.net"
        ],
        "styleSrc": [
            "'self'",
            "www.matosmaison.fr",
            "cdn.matosmaison.fr",
            "www.google-analytics.com",
            "images-na.ssl-images-amazon.com",
            "youtube.com",
            "www.youtube.com",
            "googleads.g.doubleclick.net",
            "'unsafe-inline'"
        ],
        "fontSrc": [
            "'self'",
            "www.matosmaison.fr",
            "cdn.matosmaison.fr",
            "www.google-analytics.com",
            "images-na.ssl-images-amazon.com",
            "youtube.com",
            "www.youtube.com",
            "googleads.g.doubleclick.net",
            "'unsafe-inline'"
        ],
        "imgSrc": [
            "'self'",
            "www.matosmaison.fr",
            "cdn.matosmaison.fr",
            "www.google-analytics.com",
            "images-na.ssl-images-amazon.com",
            "youtube.com",
            "www.youtube.com",
            "googleads.g.doubleclick.net",
            "data:"
        ],
        "sandbox": ["allow-forms", "allow-scripts", "allow-same-origin", "allow-top-navigation"],
        "reportUri": "/report-violation",
        "objectSrc": []
    }

I have tried adding amazon, zanox and the others, but nothing changes; it doesn't work.

Thanks in advance!

Upvotes: 0

Views: 1569

Answers (1)

MathKimRobin

Reputation: 1460

Ok, I have found the solution. Opening a new "_blank" tab is considered opening a popup. So in sandbox mode, you can get this message:

    Blocked opening '[your link]' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.

You can reproduce it with this simple JS command:

    window.open('[your link]', '_blank')

To fix it, you need to add this part:

    "sandbox": ["allow-popups"]

or complete the sandbox part with the value "allow-popups".

Upvotes: 3
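The check described in the answer, as an added example that is not part of the question, the answer or the site's own code: it serializes a camelCase directives object of the shape shown in the question into a `Content-Security-Policy` header value, then lints the header for the `sandbox` problem. The directives object and helper names are constructed for this demo; the second finding (popups inheriting the opener's sandbox unless `allow-popups-to-escape-sandbox` is set) is standard sandbox behaviour and goes beyond the answer's fix.

```javascript
// Convert a camelCase key such as "defaultSrc" to its CSP directive name.
const camelToKebab = (k) => k.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());

// Build a header value from { directiveName: [tokens] | "single value" }.
// An empty list (objectSrc: []) yields a directive with no sources, which
// CSP treats as "nothing allowed".
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, value]) => {
      const list = Array.isArray(value) ? value : [value];
      return [camelToKebab(name), ...list].join(" ").trim();
    })
    .join("; ");
}

// Parse a header value back into { "directive-name": [tokens] }.
function parseCspHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Lint a header for a page that opens external links in new tabs:
// - sandbox without allow-popups blocks target=_blank / window.open entirely
// - with allow-popups but without allow-popups-to-escape-sandbox, the opened
//   third-party page runs under the opener's sandbox flags
function lintSandboxForPopups(header) {
  const d = parseCspHeader(header);
  if (!("sandbox" in d)) return [];
  const flags = new Set(d.sandbox);
  if (!flags.has("allow-popups"))
    return ["sandbox without allow-popups: target=_blank/window.open is blocked"];
  if (!flags.has("allow-popups-to-escape-sandbox"))
    return ["popups inherit the sandbox: add allow-popups-to-escape-sandbox for external sites"];
  return [];
}

// Constructed sample mirroring the shape of the question's config (trimmed).
const questionConfig = {
  defaultSrc: ["'self'", "www.matosmaison.fr"],
  sandbox: ["allow-forms", "allow-scripts", "allow-same-origin", "allow-top-navigation"],
  reportUri: "/report-violation",
  objectSrc: [],
};
```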
