R.J. Robinson

Reputation: 2240

CSP Configuration not allowing for proper loading of assets

I am having an issue with configuration here. I'm trying to apply an accurate CSP policy, and it keeps throwing errors when trying to load my React app.

My CSP Policy

"script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net http: https:;
object-src 'none';
base-uri example.org *.example.org;
require-trusted-types-for 'script';
report-uri 'none';
font-src https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net;
manifest-src 'self' https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com *.googleapis.com *.google.com *.amazonaws.com *.myservice.io google-analytics.com *.google-analytics.com *.algolianet.com algolianet.com algolia.net *.algolia.net"

The Error

Refused to load the script 'https://staging.example.org/static/js/2.d7.chunk.js' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' {... } 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

I have tried to set script-src-elem to example.org and the many variations that I have applied above, but I am still being met with this error.

Note: it's not example.org; I'm just replacing my website.

Upvotes: 0

Views: 906

Answers (1)

granty

Reputation: 8496

'strict-dynamic' cancels all host-based sources (http: https: inclusive). Therefore you need to allow these sources by the 'nonce' token:

<script src="https://staging.example.org/static/js/2.d7.chunk.js" nonce="rAnd0m123">

as well as all inline <script> blocks (because 'strict-dynamic' cancels the 'unsafe-inline' token too):

<script nonce="rAnd0m123">
   // some code here
</script>

Also, report-uri does not support the 'none' token, so the directive will be ignored.

And you have some extras:

  • the staging.example.org host-source is covered by *.example.org in the font-src/script-src/manifest-src directives
  • https://staging.example.org is covered by https: in the script-src directive
  • http: https: altogether covers any host-based sources (except sources which use ws: or wss:)

Upvotes: 1
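To make the answer's three points concrete, here is an added example (not code from the question or the answer): a simplified model of how a browser evaluates a script-src list containing 'strict-dynamic', run against a shortened copy of the asker's policy and the chunk URL from the error. Host matching is deliberately simplified (the expression's own scheme is ignored, and ports and paths are dropped).

```javascript
function parseScriptSrc(policy) {
  // Keep only the script-src directive and split its source list.
  const directive = policy.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('script-src '));
  const sources = directive ? directive.split(/\s+/).slice(1) : [];
  return {
    strictDynamic: sources.includes("'strict-dynamic'"),
    unsafeInline: sources.includes("'unsafe-inline'"),
    nonces: sources.filter((s) => s.startsWith("'nonce-")).map((s) => s.slice(7, -1)),
    hosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// Does a host or scheme source expression match a script URL? (Simplified:
// the expression's own scheme is ignored and 'http:' also matches https URLs.)
function hostMatches(expr, url) {
  const u = new URL(url);
  if (expr === 'https:') return u.protocol === 'https:';
  if (expr === 'http:') return u.protocol === 'http:' || u.protocol === 'https:';
  const host = expr.replace(/^https?:\/\//, '').replace(/[\/:].*$/, '');
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// script = { src?, nonce?, dynamic? }; 'dynamic' marks a non-parser-inserted element
// created by an already-trusted script. Returns the matching source kind or null.
function scriptAllowed(parsed, script) {
  if (script.nonce !== undefined && parsed.nonces.includes(script.nonce)) return 'nonce';
  if (parsed.strictDynamic) {
    // Host, scheme and 'unsafe-inline' sources are all ignored under 'strict-dynamic'.
    return script.dynamic ? 'strict-dynamic' : null;
  }
  if (script.src === undefined) {
    // 'unsafe-inline' is itself ignored once a nonce or hash source is present.
    return parsed.unsafeInline && parsed.nonces.length === 0 ? 'unsafe-inline' : null;
  }
  return parsed.hosts.some((h) => hostMatches(h, script.src)) ? 'host' : null;
}

// Plain host entries that another entry in the same list already covers.
function redundantHosts(parsed) {
  const urlOf = (h) => (h.startsWith('http') ? h : `https://${h}`);
  return parsed.hosts.filter((h) => !h.endsWith(':') && !h.startsWith('*.'))
    .filter((h) => parsed.hosts.some((o) => o !== h && hostMatches(o, urlOf(h))));
}

// Shortened copy of the asker's script-src and the URL from the error message.
const ASKER_POLICY = "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' https://staging.example.org staging.example.org example.org *.example.org *.gstatic.com google-analytics.com *.google-analytics.com http: https:; object-src 'none'";
const BLOCKED_SRC = 'https://staging.example.org/static/js/2.d7.chunk.js';
console.log(scriptAllowed(parseScriptSrc(ASKER_POLICY), { src: BLOCKED_SRC })); // null: blocked
```

Adding nonce="rAnd0m123" to the same script element makes scriptAllowed return 'nonce', which is the fix the answer describes.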
