Please keep discussions on the list.
On 17/09/2021 11:22, gordonisnz@xxxxxxxxx wrote:
On Fri, Sep 17, 2021 at 9:13 PM Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx> wrote:
You can specify multiple items, but it all needs to be contained within
a single header, see
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for some examples.
--
Thanks - that's better than my other examples found. However, it doesn't work.
Here's my current code :-
header("Content-Security-Policy: default-src 'self'; script-src 'self' google.com *.google.com googleapis.com *.googleapis.com googletagmanager.com *.googletagmanager.com code.jquery.com; ");
This looks a little different from what you're actually outputting as a
header on the site right now, but it's close enough.
Have you tried slowly building up this CSP list adding one item at a
time and then checking the network tab to see which requests are
blocked/allowed? When I initially load up your site for example, the
only 3 things blocked by CSP are ones that are not included in your CSP
headers. Changing the region shows a few more things being blocked, and
again, they're domains that are specifically not in your CSP allowed header.
One thing that my browser did pick up was that img-src was not a
recognised CSP directive, so perhaps these ones you could add into the
default list, as that should be the fallback I believe.
http://able.kwister.com/map/
if you change the 'region' - it should re-submit the form. However, it
does not respect the 'onchange' command when I change a select field.
Any more advice? Thank you
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
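
Added example, not code from the thread or from either poster: one way to keep every directive in a single header while building the list up one source at a time, using the report-only header so the browser logs violations without blocking them. The function name build_csp and the $enforce switch are hypothetical; the source list is the one quoted above.

```php
<?php
/**
 * Build one CSP header value from a directive => sources map.
 * All directives end up in a single header, separated by "; ".
 */
function build_csp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        // Directive names are lowercase letters and hyphens, e.g. script-src.
        if (!preg_match('/^[a-z][a-z-]*$/', $name)) {
            throw new InvalidArgumentException("Bad directive name: $name");
        }
        foreach ($sources as $source) {
            // Whitespace, ';' and ',' delimit sources, directives and
            // policies, so none of them may appear inside a source.
            if ($source === '' || preg_match('/[\s;,]/', $source)) {
                throw new InvalidArgumentException("Bad source in $name: $source");
            }
        }
        $parts[] = $sources ? $name . ' ' . implode(' ', $sources) : $name;
    }
    return implode('; ', $parts);
}

// Sources taken from the header quoted in the thread.
$policy = [
    'default-src' => ["'self'"],
    'script-src'  => [
        "'self'",
        'google.com', '*.google.com',
        'googleapis.com', '*.googleapis.com',
        'googletagmanager.com', '*.googletagmanager.com',
        'code.jquery.com',
    ],
];

// Report-only mode: violations are logged to the browser console but the
// requests still go through, so missing sources can be added one by one.
$enforce = false; // assumption: set to true once the console is clean
$headerName = $enforce
    ? 'Content-Security-Policy'
    : 'Content-Security-Policy-Report-Only';

// Note: script-src without 'unsafe-inline' also blocks inline event-handler
// attributes such as onchange="..."; attach the handler from a same-origin
// .js file with addEventListener instead.
header($headerName . ': ' . build_csp($policy));
```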