Dr. Vick

Reputation: 195

CSP settings for Quantcast

I am integrating in my website the Quantcast script for tracking audiences. When the page loads in the browser I get the error below. I know that it is a script encoded as base64, but how do I allow it to execute using the CSP and CORS headers?

Refused to load the script 'data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30=' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com".

Here are my headers:

headers {
    # Play's HOCON config: each line appends one directive to the header value built so far.
    contentSecurityPolicy = "default-src 'self' *.cloudflare.com *.quantserve.com;"
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com *.vk.com *.yimg.com secure.gravatar.com *.stuffpoint.com *.pixabay.com;"
    # Single ';' here (the original had ';;', which leaves an empty directive in the header).
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com edge.quantserve.com;"
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com;"
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
    contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" frame-src 'self' 'unsafe-inline' 'unsafe-eval' edge.quantserve.com;"
}

Upvotes: 0

Views: 533

Answers (2)

K G

Reputation: 1

The better way to handle this would be to place it inside a file instead of using it inline inside a tag, due to the security concerns from allowing unsafe-inline.

Upvotes: 0

StefanOS

Reputation: 2748

Add data: to the script-src line.

contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cloudflare.com *.quantserve.com;"

Note: This generally has some security implications but your script-src is so permissive that it offers pretty much no protection anyway.

Upvotes: 1
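To see why the original header refuses the data: URL and why adding data: to script-src makes it load, here is a small model of how a browser matches a script URL against script-src. This is an added example, not code from the question, either answer, Play, or Quantcast. It covers only the source expressions that appear on this page ('self', scheme sources such as data:, host sources with a leading wildcard such as *.quantserve.com) plus the fallback from script-src to default-src; the page URL and the extra script URLs are constructed sample values, and real browsers implement the fuller CSP3 matching algorithm (ports, paths, nonces, hashes).

```javascript
// Added example (not from the question or answers): a teaching model of the
// browser's script-src check for the policies discussed on this page.

// Serialized policy -> Map of directive name -> list of source expressions.
// Empty chunks (the ";;" in the question's style-src line) are skipped, and
// only the first occurrence of a directive name is kept, as in CSP.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const chunk of policyText.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Does a host-part like "*.quantserve.com" or "cdnjs.cloudflare.com" match host?
function hostPartMatches(hostPart, host) {
  if (hostPart === '*') return true;
  if (hostPart.startsWith('*.')) {
    // CSP3 wildcard rule: "*.example.com" matches subdomains only, never the bare apex.
    return host.endsWith(hostPart.slice(1));
  }
  return hostPart === host;
}

// Does a single source expression permit loading url from a page at pageUrl?
function sourceMatches(source, url, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageUrl.origin; // a data: URL has origin "null"
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes: not URL matchers
  if (s.endsWith(':')) return url.protocol === s;           // scheme source: data:, https:, ...

  // Host source: [scheme://]host[:port][/path]; port and path are ignored in this model.
  let scheme = null;
  let rest = s;
  const schemeEnd = s.indexOf('://');
  if (schemeEnd !== -1) {
    scheme = s.slice(0, schemeEnd + 1); // keep the trailing colon, like url.protocol
    rest = s.slice(schemeEnd + 3);
  }
  const hostPart = rest.split(/[/:]/)[0];
  if (scheme !== null) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== pageUrl.protocol &&
             !(pageUrl.protocol === 'http:' && url.protocol === 'https:')) {
    // No scheme in the source: the page's own scheme (or an https upgrade) is required.
    return false;
  }
  return hostPartMatches(hostPart, url.hostname.toLowerCase());
}

// Decide whether a script at scriptUrl may load; returns the governing directive
// and its sources so the result can be reported the way the browser console does.
function checkScript(policyText, scriptUrl, pageUrl) {
  const policy = parsePolicy(policyText);
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  const directive = policy.has('script-src') ? 'script-src'
                  : policy.has('default-src') ? 'default-src' : null;
  if (directive === null) return { allowed: true, directive: null, sources: [] };
  const sources = policy.get(directive);
  const allowed = sources.some((src) => sourceMatches(src, url, page));
  return { allowed, directive, sources };
}

// The question's policy (as Play concatenates it) and the answer's amended version;
// only the two directives that matter for scripts are kept here.
const ORIGINAL_POLICY =
  "default-src 'self' *.cloudflare.com *.quantserve.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com *.quantserve.com";
const AMENDED_POLICY =
  "default-src 'self' *.cloudflare.com *.quantserve.com; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.cloudflare.com *.quantserve.com";

// Constructed sample page origin; the data: URL is the one from the console error above.
const PAGE_URL = 'https://www.example.com/index.html';
const QUANTCAST_BOOTSTRAP = 'data:application/javascript;base64,ZnVuY3Rpb24gcXVhbnRzZXJ2ZSgpe30=';

function report(policyText, scriptUrl) {
  const r = checkScript(policyText, scriptUrl, PAGE_URL);
  return r.allowed
    ? `allowed by ${r.directive}`
    : `Refused to load the script '${scriptUrl}' because it violates the following ` +
      `Content Security Policy directive: "${r.directive} ${r.sources.join(' ')}".`;
}

console.log(report(ORIGINAL_POLICY, QUANTCAST_BOOTSTRAP));                      // refused, same text as the question's error
console.log(report(AMENDED_POLICY, QUANTCAST_BOOTSTRAP));                       // allowed by script-src
console.log(report(AMENDED_POLICY, 'https://edge.quantserve.com/quant.js'));    // allowed by script-src
console.log(report(AMENDED_POLICY, 'https://quantserve.com/quant.js'));         // refused: *.quantserve.com excludes the apex
```

Two things the model makes visible that the console error does not: the first run reproduces the question's message word for word, because the data: URL's origin is "null" (so 'self' fails) and it has no host (so the wildcard host sources fail); and once data: is added, the directive no longer distinguishes Quantcast's bootstrap from any other data: URL, which is the security implication the answer alludes to. As the answer also notes, 'unsafe-inline' and 'unsafe-eval' already permit inline and evaluated script, so the host list in this script-src restricts very little; a tighter policy would drop those keywords and serve the tracking bootstrap from a file, as the other answer suggests.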
