CSP Violation: "blocked-uri": "inline" despite having 'unsafe-inline'

Hi,


I've just recently started working with the Content-Security-Policy header for my apache/joomla/fedora35 install on a pretty complex website and am having some problems.


Here is my current CSP header:


"default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; img-src data: 'self' *.clarity.ms *.googleusercontent.com www.google-analytics.com *.google.com google.com; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-ancestors 'none'; style-src-elem 'self' fonts.googleapis.com; script-src code.jquery.com *.googlesyndication.com *.facebook.net; script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php",


I have the following log entry for my CSP header that shows a JavaScript resource from my website was blocked by the style-src-elem directive, but I've set both the default-src and style-src-elem directives to allow 'unsafe-inline' scripts. Is that not enough?

Also, it appears quite a few directives require common sites like googleapis and facebook - is there a way to just set them all by default? Will the default-src directive set the default for all directives?


How do I include inline JavaScript? Or is this saying it was okay since it's returning status-code 200?


    "csp-report": {
        "document-uri": "https://example.com/features/complete-guide-to-keylogging",
        "referrer": "https://www.google.com/",
        "violated-directive": "style-src-elem",
        "effective-directive": "style-src-elem",
        "original-policy": "default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; img-src data: 'self' *.clarity.ms *.googleusercontent.com www.google-analytics.com *.google.com google.com; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-ancestors 'none'; style-src-elem 'self' fonts.googleapis.com; script-src code.jquery.com *.googlesyndication.com *.facebook.net; script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php",
        "disposition": "enforce",
        "blocked-uri": "inline",
        "line-number": 2,
        "column-number": 54854,
        "source-file": "https://example.com/media/jui/js/jquery.min.js",
        "status-code": 200,
        "script-sample": ""
    }

Ideas greatly appreciated.

Thanks,
Dave

--

Dave Wreski

President & CEO

Guardian Digital, Inc.

We Make Email Safe




640-800-9446
dwreski@xxxxxxxxxxxxxxxxxxx
https://guardiandigital.com
103 Godwin Ave, Suite 314, Midland Park, NJ 07432
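
The directive-resolution step behind the report above, as an added example that is not part of the original message: a small JavaScript model of the CSP Level 3 fallback chain, run against the exact policy quoted in the post. In CSP3, style-src-elem governs `<style>` elements and `<link rel="stylesheet">` loads. Because the policy sets style-src-elem explicitly, a browser consults only that directive's own source list; style-src and default-src are fallbacks used only when the more specific directive is absent, so the 'unsafe-inline' keyword in those two lists is never reached. That is exactly what the report shows: blocked-uri "inline" with source-file jquery.min.js is an inline `<style>` element inserted by script, and status-code 200 is the HTTP status of the document itself, not a sign that the load was permitted. In the same way, default-src is a fallback only for the fetch directives that are missing from the policy; it never applies to frame-ancestors, report-uri, base-uri, form-action or sandbox. The `FALLBACK` table and the helper names below are the example's own, not browser code.

```javascript
"use strict";

// CSP Level 3 fallback chains, most specific first. A directive absent from this
// table (frame-ancestors, report-uri, base-uri, form-action, sandbox, ...) has no
// fallback at all: default-src never applies to it.
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"],
  "script-src-attr": ["script-src", "default-src"],
  "style-src-elem":  ["style-src", "default-src"],
  "style-src-attr":  ["style-src", "default-src"],
  "worker-src":      ["child-src", "script-src", "default-src"],
  "frame-src":       ["child-src", "default-src"],
  "child-src":       ["default-src"],
  "script-src":      ["default-src"],
  "style-src":       ["default-src"],
  "connect-src":     ["default-src"],
  "font-src":        ["default-src"],
  "img-src":         ["default-src"],
  "manifest-src":    ["default-src"],
  "media-src":       ["default-src"],
  "object-src":      ["default-src"],
  "default-src":     [],
};

// Parse a serialized policy into { name: [source, ...] }. Directive names are
// case-insensitive and, as in browsers, a repeated directive is ignored (first wins).
function parsePolicy(serialized) {
  const policy = {};
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!(name in policy)) policy[name] = parts.slice(1);
  }
  return policy;
}

// Walk the chain and return the first directive that is actually present.
// Only that directive's list is consulted; lists further down the chain are not merged in.
function effectiveDirective(policy, wanted) {
  for (const name of [wanted, ...(FALLBACK[wanted] || [])]) {
    if (name in policy) return { directive: name, sources: policy[name] };
  }
  return null; // no governing directive: the load is unrestricted
}

// Is inline content governed by `wanted` permitted? 'unsafe-inline' counts only in
// the governing list, and is ignored there when that list also carries a nonce or hash.
function inlineAllowed(policy, wanted) {
  const eff = effectiveDirective(policy, wanted);
  if (eff === null) return { allowed: true, directive: null };
  const srcs = eff.sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return { allowed: srcs.includes("'unsafe-inline'") && !hasNonceOrHash, directive: eff.directive };
}

// Copy of the policy with one directive removed, so that loads fall through the chain.
function withoutDirective(policy, name) {
  const copy = { ...policy };
  delete copy[name];
  return copy;
}

// The policy from the report above (copied from the post).
const POSTED_POLICY =
  "default-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; " +
  "img-src data: 'self' *.clarity.ms *.googleusercontent.com www.google-analytics.com *.google.com google.com; " +
  "object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; frame-ancestors 'none'; " +
  "style-src-elem 'self' fonts.googleapis.com; script-src code.jquery.com *.googlesyndication.com *.facebook.net; " +
  "script-src-elem 'unsafe-inline' 'self' example.com *.googletagmanager.com; " +
  "script-src-attr 'self' 'unsafe-inline'; report-uri /csp-hotline.php";

const posted = parsePolicy(POSTED_POLICY);

// Reproduce the report: an inline <style> element is governed by style-src-elem,
// which is set explicitly and lacks 'unsafe-inline', so the keyword in
// style-src and default-src is never reached.
console.log("style-src-elem:", inlineAllowed(posted, "style-src-elem"));   // allowed: false
console.log("style-src-attr:", inlineAllowed(posted, "style-src-attr"));   // falls back to style-src: allowed
console.log("connect-src   :", effectiveDirective(posted, "connect-src")); // falls back to default-src
console.log("base-uri      :", effectiveDirective(posted, "base-uri"));    // null: default-src never applies

// One fix: drop style-src-elem so element loads fall back to style-src.
const fixed = withoutDirective(posted, "style-src-elem");
console.log("after fix     :", inlineAllowed(fixed, "style-src-elem"));    // allowed: true, via style-src
```

Either adding 'unsafe-inline' to style-src-elem or removing style-src-elem (so the element load falls through to style-src) would stop this particular report; a hash or nonce on the `<style>` element is the tighter option where its content is known in advance. The same resolution rule explains why the allow-lists for googleapis, facebook and the rest cannot be set once in default-src: any directive written out explicitly replaces the default list entirely rather than extending it.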
