Andries

Reputation: 1174

Add CSP header to Google Cloud Storage

I'm serving a SPA (Vue app) from a Google Cloud Storage bucket, and I'm trying to configure the bucket to add a CSP response header (Content-Security-Policy: default ...).

I've tried the following, but without success:

1. Adding header with gsutil

Running the following:

gsutil setmeta -h "Content-Security-Policy:${CSP}" gs://{BUCKET_NAME}/index.html

But this returns the following response:

CommandException: Invalid or disallowed header (Content-Security-Policy).
Only these fields (plus x-goog-meta-* fields) can be set or unset:
[u'cache-control', u'content-disposition', u'content-encoding', u'content-language', u'content-type']

It seems this header is not allowed to be added by default.

2. Adding Custom header with prefix with gsutil

I then proceeded to follow their advice and prepend x-goog-meta-* in the hopes they convert it back to Content-Security-Policy themselves. Running the following:

gsutil setmeta -h "x-goog-meta-Content-Security-Policy:${CSP}" gs://{BUCKET_NAME}/index.html

...gives the following response:

Setting metadata on gs://{BUCKET_NAME}/index.html...
/ [1 objects]                                                                   
Operation completed over 1 objects. 

So this works. But upon checking the response headers, they did not alter it to a Content-Security-Policy header.

So now I'm a bit clueless how to enable this CSP-header for Google Storage buckets. What am I missing? Or is this simply not possible?

Thanks in advance.

Upvotes: 2

Views: 4384

Answers (3)

jalamprea

Reputation: 130

It is not supported at the bucket level, but it is supported at the Load Balancer level; check the official Cloud Storage documentation.

Upvotes: 2

21st

Reputation: 2111

Use the following tag within the <head> tag of your SPA to enable Content-Security-Policy:

<meta http-equiv="Content-Security-Policy" content="default-src https:">

For further information please see the following:

Mozilla: The Document-level Metadata element

Mozilla: Content-Security-Policy

Upvotes: 0
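
Added example (not part of the answer above): a policy delivered through <meta> ignores the frame-ancestors, report-uri and sandbox directives, so this build-time helper splits a policy into the part the tag can carry and the part that still needs a real response header. The names splitForMeta, renderMetaTag and SAMPLE_POLICY are hypothetical, and the sample policy is constructed.

```javascript
// Directives the CSP specification ignores when the policy arrives via <meta>.
const HEADER_ONLY = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Parse a serialized policy into directives; names are case-insensitive and
// a repeated directive is ignored after its first occurrence.
function parsePolicy(policy) {
  const seen = new Set();
  const directives = [];
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (seen.has(name)) continue;
    seen.add(name);
    directives.push([name, ...tokens.slice(1)].join(" "));
  }
  return directives;
}

// Separate what a <meta> tag can enforce from what needs an HTTP header.
function splitForMeta(policy) {
  const meta = [];
  const headerOnly = [];
  for (const directive of parsePolicy(policy)) {
    const name = directive.split(" ")[0];
    (HEADER_ONLY.has(name) ? headerOnly : meta).push(directive);
  }
  return { metaPolicy: meta.join("; "), headerOnly };
}

// Escape the policy for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function renderMetaTag(policy) {
  const { metaPolicy, headerOnly } = splitForMeta(policy);
  if (!metaPolicy) throw new Error("nothing in this policy can be delivered via <meta>");
  const tag = `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(metaPolicy)}">`;
  return { tag, headerOnly };
}

// Constructed sample policy, not taken from the question.
const SAMPLE_POLICY =
  "default-src https:; script-src 'self'; frame-ancestors 'none'; report-uri /csp-report";
const rendered = renderMetaTag(SAMPLE_POLICY);
console.log(rendered.tag);
for (const d of rendered.headerOnly) console.warn(`needs a response header: ${d}`);
```

Place the generated tag as early in <head> as possible, because the policy does not apply to content that precedes it.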

Chris32

Reputation: 4961

For the moment, Google Cloud Storage doesn’t admit custom headers, just the headers included in the documentation.

There is a public feature request for this that you can follow here.

Upvotes: 2
