Reputation: 1015
Disable Content Security Policy in JSP/Spring
Within my view.jsp file I'm using the "object"-tag to link to another page. It's looks like:
<object
data="https://thisIsAnExample"
height="540" style="overflow: hidden;" type="text/html" width="960">
</object>
But when invoking the view it says:
Blockt from the Content Security Policy.
I already tried to add some meta data in the head of the .jsp file like
<meta http-equiv="Content-Security-Policy" content="object-src 'https:/thisIsAnExample';">
or
<meta http-equiv="Content-Security-Policy" content="sandbox">
But nothing works!
Are there any recommendations?
Thanks!
Upvotes: 1
Views: 3591
Answers (1)
Reputation: 120476
<meta http-equiv> doesn't affect CSP when there's a Content-Security-Policy header by design. If it did, then an attacker who could inject content could override the Content-Security-Policy and inject a script. See also https://stackoverflow.com/a/41345974/20394
You'll have to modify the code that generates the Content-Security-Policy header to add an object-src like
object-src https://thisIsAnExample;
Note that quotes are not required.
If there's a security specialist on your team, talk to them.
Upvotes: 2
Related Questions
- Spring Boot: How to change the Content Security Policy at runtime?
- configuring Content-Security-Policy in tomcat
- Content-Security-Policy Spring Security
- How to set right Content Security Policy with apache
- JSP Tomcat security-constraint always fails
- Content Security Policy deactivate
- Exclude a JSP from web.xml's security-contraint
- How do I whitelist a JSP page with Tomcat's CSRFPrevention Filter?
- JSP - java.security.AccessControlException: access denied
- How to specify the content security policy in netbeans lightweight webserver?