Reputation: 21
I have an Apache 2.4 acting as a reverse proxy. I use a simple form login to authenticate the user before proxying to the target server.
The login page is very simple:
<!doctype html>
<html lang="it">
<head><title>AUTENTICAZIONE</title>
</head>
<body>
<script type="text/javascript">
</script>
<form method="POST" action="/dologin2.html">
Username: <input type="text" name="httpd_username" value="" />
Password: <input type="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
<input type="hidden" name="httpd_location" value="https://sgsvrsiimws11lx.sistemi.group/primoacc/sigma/app" />
</form>
</body>
</html>
I have a problem with Firefox and Chrome on this page:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
In my httpd.conf I've already set this:
Header set Content-Security-Policy "frame-ancestors 'unsafe-inline' 'self' sgsvrsiimws11lx.sistemi.group;"
I set it because some Angular objects on the backend were not loaded.
I've tried setting the Content-Security-Policy in many ways, but the JavaScript in the login page always gets the error.
With Chrome I can log in even with that error; with Firefox I can't.
How can I set the Content-Security-Policy header correctly in Apache so that it works with my login page?
Thanks
Upvotes: 1
Views: 5052
Reputation: 8546
The Header set Content-Security-Policy "frame-ancestors 'unsafe-inline' 'self' sgsvrsiimws11lx.sistemi.group;" does not restrict inline script execution.
And you can remove the 'unsafe-inline' token, because the frame-ancestors directive does not support it.
It looks like your "target server" sends a login page with its own Content Security Policy containing a default-src 'self' rule.
Check in the Dev Tools which CSP header you really have in the browser; here is a tutorial.
If your "target server" publishes its own CSP, you have to add 'unsafe-inline' into it, not into the reverse proxy config. The 'unsafe-inline' token should be inserted into the script-src directive (or default-src if script-src is not used).
Notice: I hope you know that 'unsafe-inline' reduces the protection CSP provides. You can use a 'nonce-value' or 'sha256-AbpHGcgLb+kRsJGnwFEktk7uzpZOCcBY74+YBdrKVGs=' (taken from Chrome's warning) to safely allow inline scripts.
Upvotes: 0
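To make the script-src / default-src fallback and the hash alternative from the answer concrete, here is an added example (written for this page, not code from the asker, the answerer, Apache or any browser). It reproduces the hash Chrome reported in the question: the inline <script> in the login page contains only a newline between its tags, and the browser hashes exactly that text content. The helper names, the sample policies and the generated mod_headers line are constructed for illustration; the decision logic follows the CSP rules the answer describes (script-src governs inline scripts, default-src is the fallback, and a nonce or hash in the list makes 'unsafe-inline' ignored).

```python
import base64
import hashlib

# Constructed sample values taken from the question above. The inline <script> on the
# login page holds only a newline, so that is the exact text the browser hashes.
LOGIN_PAGE_SCRIPT_BODY = "\n"
PROXY_CSP = "frame-ancestors 'unsafe-inline' 'self' sgsvrsiimws11lx.sistemi.group;"
BACKEND_CSP = "default-src 'self'"


def csp_script_hash(script_body, algo="sha256"):
    """Return the '<algo>-<base64>' source expression a browser accepts for this inline script."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """Inline scripts are governed by script-src; if it is absent the browser falls back
    to default-src; if neither is present the policy does not restrict scripts (None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header_value, script_body, nonce=None):
    """Decide whether a browser enforcing header_value would execute the inline script.
    Keywords such as 'unsafe-inline' are case-insensitive; nonce and hash values are not."""
    sources = effective_script_sources(parse_csp(header_value))
    if sources is None:
        return True
    # Strip the single quotes that wrap keyword, nonce and hash expressions.
    exprs = [s[1:-1] if len(s) >= 2 and s[0] == s[-1] == "'" else s for s in sources]
    matching_hashes = {csp_script_hash(script_body, a) for a in ("sha256", "sha384", "sha512")}
    # A nonce or hash anywhere in the list switches 'unsafe-inline' off.
    strict = any(e.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for e in exprs)
    for e in exprs:
        if e.lower() == "unsafe-inline" and not strict:
            return True
        if nonce is not None and e == "nonce-" + nonce:
            return True
        if e in matching_hashes:
            return True
    return False


def apache_csp_header(script_bodies, extra_script_sources=("'self'",)):
    """Build a hypothetical mod_headers line that keeps default-src 'self' and allows each
    inline script by hash instead of loosening the policy with 'unsafe-inline'."""
    hashes = " ".join("'" + csp_script_hash(b) + "'" for b in script_bodies)
    script_src = " ".join(extra_script_sources) + " " + hashes
    return f"Header always set Content-Security-Policy \"default-src 'self'; script-src {script_src}\""


if __name__ == "__main__":
    print(csp_script_hash(LOGIN_PAGE_SCRIPT_BODY))                    # the hash Chrome reported
    print(inline_script_allowed(PROXY_CSP, LOGIN_PAGE_SCRIPT_BODY))   # True: frame-ancestors only
    print(inline_script_allowed(BACKEND_CSP, LOGIN_PAGE_SCRIPT_BODY)) # False: default-src 'self'
    print(apache_csp_header([LOGIN_PAGE_SCRIPT_BODY]))
```

Running it shows that the proxy's frame-ancestors-only header never blocks the script, that default-src 'self' does (which is why the header must be coming from somewhere else, as the answer says), and that adding the computed 'sha256-…' to script-src lets the page run without 'unsafe-inline'. Note that the hash changes whenever the script text changes, even by whitespace, so it has to be regenerated with the page.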