stigma

Reputation: 348

Why is my CSP header middleware not working?

I've written a simple middleware function to add the Content-Security-Policy header to my API routes. I've tried using multiple policies (default-src, img-src, frame-ancestors) pointing either to 'self' or explicitly to "http://localhost:port", but none of these seem to work.

This is my simple middleware:

;; `header` comes from ring.util.response (require shown for completeness)
(require '[ring.util.response :refer [header]])

(defn wrap-content-type-security
  [handler]
  (fn [req]
    (let [resp (handler req)]
      ;; set the CSP header on every response produced by the wrapped handler
      (header resp "Content-Security-Policy" "default-src 'self'"))))

I am able to see the correct header set in my routes.

However, I'm still getting the usual favicon.ico route error. I do have a dummy route for /favicon.ico that just returns some text, and this also returns the CSP header.

There's obviously something I'm missing or doing wrong; any help is appreciated.

Thank you.

Edit: Looking more into this, it seems like this is a Firefox-related issue? I tried to replicate the issue in Chrome and everything seems to be working fine, as the favicon does show in the browser tab.

However, in Firefox it is still showing the same issue.

Which makes me think that it's got something to do with that "FaviconLoader.jsm" script being loaded/shown in the console.

Upvotes: 1

Views: 637

Answers (1)

Juraj Martinka

Reputation: 4358

It seems that your middleware is working (adding the CSP header), but you don't have a proper CSP header value. Try adding img-src 'self' and see if it helps.

BTW, you can try Content-Security-Policy-Report-Only until you have tuned your CSP header.

Upvotes: 1
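As an added example (not the asker's or the answerer's code, and not part of this thread), here is a Ring middleware that builds the CSP value from a map of directives, includes the img-src 'self' the answer suggests, and can emit Content-Security-Policy-Report-Only while the policy is being tuned. The names wrap-csp, csp-value, policy and app are assumptions made for this example; ring.util.response/header and ring.util.response/response are the real Ring functions. One caveat worth knowing: the browser checks the favicon fetch against the CSP of the HTML document that triggered it, so it is the img-src on the page response that must allow the icon, not the header on the /favicon.ico response itself.

```clojure
(ns example.csp
  (:require [clojure.string :as str]
            [ring.util.response :as response]))

;; Serialize an ordered map of directives into a header value.
;; Keys are directive names, values are vectors of sources, so
;; {"default-src" ["'self'"] "img-src" ["'self'" "data:"]} becomes
;; the string "default-src 'self'" and "img-src 'self' data:" joined by "; ".
(defn csp-value [directives]
  (str/join "; "
            (for [[directive sources] directives]
              (str directive " " (str/join " " sources)))))

(defn wrap-csp
  "Ring middleware (hypothetical name) that adds a CSP header to every
   response. With :report-only? true the browser reports violations in its
   console instead of blocking, which is the tuning mode the answer mentions."
  [handler directives & {:keys [report-only?] :or {report-only? false}}]
  (let [header-name (if report-only?
                      "Content-Security-Policy-Report-Only"
                      "Content-Security-Policy")
        value       (csp-value directives)]
    (fn [req]
      ;; pass a nil response through untouched so routing fall-through still works
      (when-let [resp (handler req)]
        (response/header resp header-name value)))))

;; Constructed sample policy: img-src 'self' lets the same-origin favicon load,
;; data: allows inline data URIs, frame-ancestors 'none' blocks framing.
(def policy
  (array-map "default-src"    ["'self'"]
             "img-src"        ["'self'" "data:"]
             "frame-ancestors" ["'none'"]))

;; Constructed handler wrapped in report-only mode for tuning.
(def app
  (-> (fn [_] (response/response "hello"))
      (wrap-csp policy :report-only? true)))

;; Evaluate in a REPL to inspect the header the middleware produced.
(comment
  (get-in (app {:request-method :get :uri "/favicon.ico"})
          [:headers "Content-Security-Policy-Report-Only"]))
```

Switch :report-only? to false once the console no longer shows violations for legitimate resources; the same policy map is then sent as the enforcing Content-Security-Policy header.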
