komelAbbas

Reputation: 1

Laravel CSP (Content Security Policy) Frontegg UI integration issue

https://github.com/spatie/laravel-csp

https://github.com/frontegg/frontegg-vue

I need help.

After I added the Laravel CSP package, the Frontegg Vue login page is not working.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://fonts.googleapis.com 'nonce-loop' 'unsafe-inline' nonce-loop". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-loop' 'unsafe-inline' nonce-loop". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

Please help, how do I fix this issue?

// Inside configure() of the Spatie\Csp\Policies\Policy subclass registered in config/csp.php
// frontegg
$this->addDirective(Directive::SCRIPT, 'https://assets.frontegg.com');
$this->addDirective(Directive::CONNECT, 'https://frontegg.com');
$this->addDirective(Directive::CONNECT, 'https://app-g6y1wrdhmmrt.frontegg.com');
$this->addDirective(Directive::IMG, 'https://fronteggprodeustorage.blob.core.windows.net');
// The package emits this keyword as 'unsafe-inline' in style-src; browsers ignore it as soon as
// a nonce or hash is also present in that directive (which is what the console message says)
$this->addDirective(Directive::STYLE, 'unsafe-inline');

Check the screenshot for more info.

Upvotes: 0

Views: 1152

Answers (2)

komelAbbas

Reputation: 1

After a few days of learning, I am now able to fix this:

// configure() of the Policy subclass; the wildcard host-source covers every Frontegg subdomain
$this->addDirective(Directive::SCRIPT, 'https://*.frontegg.com');
$this->addDirective(Directive::SCRIPT, 'https://www.gstatic.com');
$this->addDirective(Directive::SCRIPT, 'https://assets.frontegg.com');
$this->addDirective(Directive::STYLE, 'https://*.frontegg.com');
$this->addDirective(Directive::STYLE, 'https://www.gstatic.com');
$this->addDirective(Directive::CONNECT, 'https://*.frontegg.com');
$this->addDirective(Directive::IMG, 'https://fronteggprodeustorage.blob.core.windows.net');
// no 'unsafe-inline' and no fixed nonce in style-src any more

Upvotes: 0

Halvor Sakshaug

Reputation: 3475

As the error message and https://www.w3.org/TR/CSP2/#directive-script-src say, if you specify hashes or nonces, you can't specify 'unsafe-inline'. You should remove 'nonce-loop' and nonce-loop from your policy. If you are going to use nonces they should be random and change with each payload.

Upvotes: 0
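Added example, not code from the question, the Spatie package or Frontegg: a small Python lint for the style-src value the browser quoted in the question. It flags the three problems that value has ('unsafe-inline' silently ignored next to a nonce, the unquoted nonce-loop token parsed as a host name, and a fixed four-character "nonce") and then rewrites the directive along the lines of the answer above: one random nonce per response and no 'unsafe-inline' beside it. The 22-character minimum (base64 of 128 bits) and the sample header string are this example's own assumptions.

```python
import base64
import re
import secrets

# Constructed input: the style-src value the browser console quoted in the question.
REPORTED_STYLE_SRC = ("style-src 'self' https://fonts.googleapis.com "
                      "'nonce-loop' 'unsafe-inline' nonce-loop")

KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample"}
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_=-]+)'$")
HASH_RE = re.compile(r"^'(?:sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
MIN_NONCE_CHARS = 22  # assumed floor: base64 of 16 bytes, i.e. 128 bits of entropy

def lint_directive(directive: str) -> list[str]:
    """Return findings for one 'name source source ...' CSP directive."""
    name, *sources = directive.strip().rstrip(";").split()
    findings = []
    nonces = [m.group(1) for s in sources if (m := NONCE_RE.match(s))]
    hashes = [s for s in sources if HASH_RE.match(s)]
    if "'unsafe-inline'" in sources and (nonces or hashes):
        # Exactly the condition the browser console reported in the question.
        findings.append(f"{name}: 'unsafe-inline' is ignored because a nonce or hash is also listed")
    for s in sources:
        bare = s.strip("'")
        if s == bare and (bare in KEYWORDS or bare.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))):
            # Without quotes the browser reads this as a host-source (a server named "nonce-loop").
            findings.append(f"{name}: {s} must be single-quoted; unquoted it is a host name")
    for n in nonces:
        if len(n) < MIN_NONCE_CHARS:
            findings.append(f"{name}: nonce '{n}' is too short to hold 128 bits of randomness")
    return findings

def lint_policy(header: str) -> list[str]:
    """Lint every directive of a full Content-Security-Policy header value."""
    return [f for d in header.split(";") if d.strip() for f in lint_directive(d)]

def fresh_nonce() -> str:
    """One unguessable nonce per response: 16 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def apply_nonce_advice(directive: str, nonce: str) -> str:
    """Rewrite a directive as the answer above suggests: drop 'unsafe-inline' (it would be
    ignored anyway), drop fixed or unquoted nonce tokens, and add one fresh nonce."""
    name, *sources = directive.strip().rstrip(";").split()
    kept = [s for s in sources
            if s != "'unsafe-inline'" and not s.strip("'").startswith("nonce-")]
    return " ".join([name, *kept, f"'nonce-{nonce}'"])
```

With a nonce-only style-src, an inline `<style>` is applied only if the tag carries that response's nonce, so styles injected by a third-party script without it will still be refused.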
