Hello,

I have enabled "Content Security Policy", and I have a few questions.

Despite having indicated the scripts and fonts to be authorized, these resources are blocked.

Is my syntax correct? (space or comma between 2 resources?)

script-src *.googletagmanager.com *.google-analytics.com 'self'
font-src *.fonts.googleapis.com *.fontawesome.com *.fonts.gstatic.com 'self'

I don't understand why my resources are blocked.

Sorry, I'm not a specialist. For "Vendor Prefixed CSP headers", if I check the 2 checkboxes, what will be sent to the browser?
1) Send X-Content-Security-Policy + Send X-Content-Security-Policy + Send X-WebKit-CSP
2) Send X-Content-Security-Policy + Send X-WebKit-CSP
3) according to the browser, one of them?

Attachments:
2021-03-24_10h55_02.png (49.78 KB, selinav)
Security Kit.pdf (722.74 KB, selinav)

Comments

selinav created an issue.

jweowu:

The space-separated syntax is correct.

Quoting https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi...

"*.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol."

So are the resources being requested using the same protocol as the page request? If you requested http://example.com/foo and it tries to include something from https://some.other.domain/bar then the protocol doesn't match (http vs https).

You can answer your own question #2 by looking at the response headers when you request a page.

You can do that on the command line with curl -I <URL>

Alternatively, use your web browser's developer tools (type F12 usually), select the "Network" tab, refresh the page, click on the page request (filter the list by "HTML" if it helps), and then look through the response headers for that request.
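As an added example (not part of this thread and not code from the Security Kit module), the Python below pulls CSP-style headers out of a raw response such as `curl -I` prints and then applies CSP host-source matching to a resource URL. It makes two points visible when reading the policy quoted in the issue: a source written without a scheme inherits the page's scheme (under CSP Level 3 an http page may also load https resources, but not the reverse), and a wildcard such as `*.fonts.googleapis.com` covers only subdomains, so a request to `fonts.googleapis.com` itself is blocked unless that host is listed without the wildcard. The sample response, the hostnames and the page URL are constructed for the example; port handling is omitted for brevity.

```python
from urllib.parse import urlparse

# Constructed sample of what `curl -I` could print for a page served over plain HTTP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Security-Policy: script-src *.googletagmanager.com *.google-analytics.com 'self'; "
    "font-src *.fonts.googleapis.com *.fontawesome.com *.fonts.gstatic.com 'self'\r\n"
    "X-Content-Security-Policy: script-src 'self'\r\n"
    "\r\n"
)

# Standard header plus the two legacy vendor-prefixed names.
CSP_HEADER_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")


def csp_headers(raw_response):
    """Map each CSP-style header present in a raw HTTP response to its value."""
    found = {}
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in CSP_HEADER_NAMES:
            found[name.strip().lower()] = value.strip()
    return found


def parse_policy(policy):
    """Directives are ';'-separated; each is a name followed by whitespace-separated sources."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def scheme_matches(allowed, actual):
    """CSP Level 3 rule: an http or ws pattern also covers the secure variant, never the reverse."""
    allowed, actual = allowed.lower(), actual.lower()
    return allowed == actual or (allowed, actual) in (("http", "https"), ("ws", "wss"))


def host_matches(pattern, host):
    """'*.example.com' matches subdomains of example.com only, not example.com itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading '.', so the bare domain is excluded
    return pattern == host


def source_allows(source, resource, page):
    """Does one source expression cover the parsed resource URL, given the parsed page URL?"""
    if source == "'self'":
        return resource.hostname == page.hostname and scheme_matches(page.scheme, resource.scheme)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes are not URL sources
    if "://" in source:
        scheme, _, rest = source.partition("://")
    elif source.endswith(":"):  # bare scheme source such as "https:"
        return scheme_matches(source[:-1], resource.scheme)
    else:
        scheme, rest = page.scheme, source  # no scheme given: inherit the page's scheme
    host = rest.split("/", 1)[0].split(":", 1)[0]  # drop any path and port (port matching omitted)
    return scheme_matches(scheme, resource.scheme) and host_matches(host, resource.hostname)


def is_allowed(policy, directive, resource_url, page_url):
    """Apply `directive` from `policy` (falling back to default-src) to a resource fetched by the page."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: CSP does not restrict this fetch
    resource, page = urlparse(resource_url), urlparse(page_url)
    return any(source_allows(s, resource, page) for s in sources)


if __name__ == "__main__":
    policy = csp_headers(SAMPLE_RESPONSE)["content-security-policy"]
    page = "http://example.com/"
    for directive, url in (
        ("font-src", "https://fonts.googleapis.com/css?family=Roboto"),
        ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
        ("script-src", "https://www.googletagmanager.com/gtm.js"),
    ):
        print(directive, url, "allowed" if is_allowed(policy, directive, url, page) else "BLOCKED")
```

Running it shows the Google Tag Manager script allowed (a subdomain of googletagmanager.com, https from an http page) while both font requests are blocked, because `fonts.googleapis.com` and `fonts.gstatic.com` are not subdomains of themselves; listing those hosts without the `*.` prefix fixes that.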

jweowu:

Status: Active » Closed (works as designed)

I assume the previous comment resolved the confusion.