Reputation: 1
I am trying to implement Content Security Policy through meta tag on my website https://maxwink.com/.
The directives I used are
<meta http-equiv="Content-Security-Policy"
content="default-src 'self';
script-src 'self' 'unsafe-inline';
font-src fonts.gstatic.com; style-src 'self'
fonts.googleapis.com 'unsafe-inline'
https://www.googletagmanager.com
https://www.google-analytics.com
https://cdnjs.cloudflare.com">
But, I am still getting the error:
I am facing a hard time resolving this. Please help.
Upvotes: 0
Views: 156
Reputation: 3475
Let's first look at your current policy:
default-src 'self';
script-src 'self' 'unsafe-inline';
font-src fonts.gstatic.com;
style-src 'self' fonts.googleapis.com 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com https://cdnjs.cloudflare.com
Your first 2 errors say that scripts can't be loaded from www.googletagmanager.com, so you need to add that host to 'script-src' as it is missing there.
Errors 3 and 5 say that styles can't be loaded from fonts.googleapis.com, but it also says that the current directive is "style-src 'self' 'unsafe-inline'" which doesn't match the policy in your question. So either the screenshot is from before you added those or you have defined multiple policies, and the stylesheet needs to pass ALL defined policies.
Error 4 says that an inline script was blocked. Now, you have allowed 'unsafe-inline', so you wouldn't expect this. But event attributes aren't allowed by 'unsafe-inline' and adding the provided hash won't help, so it needs to be rewritten. You likely have an onclick or onload (or similar) event that should be done using an event listener instead.
Upvotes: 1
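To make the three points in the answer concrete, here is a small CSP evaluator as an added example (it is not code from the question, the answer, or any browser). It implements a simplified version of how a browser matches a source list against a URL: paths and ports are ignored, the page is assumed to be served over https, and the host names, the second narrower policy and the hash value are constructed for the demonstration. Run with node; it shows why the question's policy blocks a script from https://www.googletagmanager.com, why a stylesheet has to pass every declared policy when there are several, and why pasting the hash from the console message would switch off 'unsafe-inline' rather than fix an inline handler.

```javascript
// Added example (not from the question or the answer): a simplified CSP evaluator.
const PAGE_ORIGIN = "https://maxwink.com"; // the site from the question

// Parse "directive src src; directive src" into a Map. When a directive is
// repeated inside one policy, browsers keep the first occurrence only.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src, style-src, font-src, ... fall back to default-src when absent.
function effectiveSources(directives, directiveName) {
  if (directives.has(directiveName)) return directives.get(directiveName);
  if (directives.has("default-src")) return directives.get("default-src");
  return null; // this policy does not govern the directive at all
}

// Does one source expression match a URL? Keyword sources ('unsafe-inline',
// 'none', nonces, hashes) never match a URL; 'self' matches the page origin.
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source.startsWith("'")) return false;
  // host-source: optional scheme, host (possibly *.wildcard), optional port/path
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^/:]+|[^/:*]+)(?::[^/]+)?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  // Simplification: a scheme-less host on an https page matches https URLs only.
  if ((scheme || "https").toLowerCase() !== url.protocol.replace(":", "")) return false;
  return host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1)) // "*.example.com" -> ".example.com"
    : url.hostname.toLowerCase() === host.toLowerCase();
}

// Would this policy let the given directive load the given URL?
function allowsUrl(policyText, directiveName, urlText) {
  const sources = effectiveSources(parsePolicy(policyText), directiveName);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const url = new URL(urlText);
  return sources.some((s) => sourceMatches(s, url));
}

// Would this policy let the directive run inline content? 'unsafe-inline'
// allows it, but any nonce- or hash-source in the same list makes browsers
// ignore 'unsafe-inline', which is why adding the console's hash "won't help".
function allowsInline(policyText, directiveName) {
  const sources = effectiveSources(parsePolicy(policyText), directiveName);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Several policies (two <meta> tags, or a header plus a <meta>) are enforced
// independently: a load must be allowed by every one of them.
function allowedByAll(policies, check) {
  return policies.every((policy) => check(policy));
}

// The policy from the question, flattened onto one line.
const QUESTION_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; font-src fonts.gstatic.com; " +
  "style-src 'self' fonts.googleapis.com 'unsafe-inline' https://www.googletagmanager.com " +
  "https://www.google-analytics.com https://cdnjs.cloudflare.com";

// The same policy with the host the answer says is missing added to script-src.
const FIXED_POLICY = QUESTION_POLICY.replace(
  "script-src 'self' 'unsafe-inline';",
  "script-src 'self' 'unsafe-inline' https://www.googletagmanager.com;"
);

// A second, narrower policy like the one the console message reports
// ("style-src 'self' 'unsafe-inline'"); constructed for the demonstration.
const SECOND_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'";

// A constructed placeholder hash standing in for whatever the console printed.
const WITH_HASH = QUESTION_POLICY.replace(
  "script-src 'self' 'unsafe-inline';",
  "script-src 'self' 'unsafe-inline' 'sha256-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER=';"
);

function report() {
  const gtm = "https://www.googletagmanager.com/gtm.js";
  const fontsCss = "https://fonts.googleapis.com/css?family=Roboto"; // constructed URL
  return {
    gtmBlockedByQuestionPolicy: !allowsUrl(QUESTION_POLICY, "script-src", gtm),
    gtmAllowedAfterFix: allowsUrl(FIXED_POLICY, "script-src", gtm),
    fontsCssAllowedBySinglePolicy: allowsUrl(QUESTION_POLICY, "style-src", fontsCss),
    fontsCssAllowedWhenBothApply: allowedByAll([QUESTION_POLICY, SECOND_POLICY], (p) =>
      allowsUrl(p, "style-src", fontsCss)),
    inlineScriptAllowedByQuestionPolicy: allowsInline(QUESTION_POLICY, "script-src"),
    inlineScriptAllowedAfterAddingHash: allowsInline(WITH_HASH, "script-src"),
  };
}

console.log(report());
```

The useful check in practice is the `allowedByAll` case: if the console reports a directive that does not match the `<meta>` you wrote, search the served HTML and the response headers for a second `Content-Security-Policy`, because the stricter of the two decides.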