Questions tagged [content-security-policy]

Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load, as well as the script it's allowed to execute.

content-security-policy
0 votes
0 answers
11 views

Extension and App webworker communication

I've got a PWA with a webworker responding to requests at /api/. I also have an extension that goes with the app and I'd love it to be able to make requests of the PWA. I've tried a number of ways ...
Dave's user avatar
  • 1,688
0 votes
0 answers
25 views

Chrome extension manifest file and content_security_policy and inline JS script

I'm using https://github.com/mingyaulee/Blazor.BrowserExtension to make a Chrome browser extension using Blazor WASM / Webassembly. The library generates the HTML and JS for the extension, one of the ...
levis84's user avatar
  • 1,034
0 votes
0 answers
26 views

Can I force https on the browser when javascript library sets img-src?

Using CanadaPost AddressComplete library that has the following snippet: /* Preload images that are to be used in the css. */ function preloadImage(url) { var img = new Image(); ...
Julien Lamarche's user avatar
1 vote
0 answers
17 views

CSP directive blocking style src to load in react js mantine

I'm using mantine version 6.0.13 and vite. I'm facing an issue after applying the CSP directive in the header, mentioned below: CSP"Content-Security-Policy","default-src http://localhost; style-...
Shubham Sharma's user avatar
0 votes
0 answers
24 views

Is signalR-2.3.0 Content Security Policy (CSP) compatible or not?

I'm using signalR 2.3.0 version for my project. I've added these lines of code in web.config <httpProtocol> <customHeaders> <add name="Content-Security-Policy" ...
Pritesh Bhatasana's user avatar
0 votes
0 answers
12 views

What is the meaning of frame-src 'self' blob:?

I want to restrict my site to blob: only from its own origin. I thought frame-src 'self' blob: would do that, but checking on CSP evaluator the results are: It shows 'self' & blob. ...
Vaishali this side's user avatar
-1 votes
0 answers
23 views

How to decide which is better option to implement nonce or hash for inline scripts-CSP

What if in a big application, we use something like below in multiple areas <button type="button" class="btn btn-primary" onclick="func1()">test</button> <...
Anonymous's user avatar
0 votes
0 answers
15 views

How to load/embed PDF file in Chrome Extension?

I'm trying to develop a Google Chrome extension capable of generating PDF files and showing them to the user. I have a sidePanel defined which makes use of the object tag to attempt to embed the PDF ...
Mig82's user avatar
  • 5,236
0 votes
0 answers
19 views

How to build from webpack 4 to without breaking Content-Security-Policy of not using 'unsafe-eval'?

I'm trying to build through webpack 4 & npm. I'm facing an issue of "EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the ...
gaurav's user avatar
  • 1,319
0 votes
1 answer
91 views

Is bootstrap.min.js CSP compatible?

I am importing the bootstrap.min.js library file in my AngularJS project. The problem arises when I add the following CSP line to my project: <httpProtocol> <customHeaders> <...
Abhishek Sharma's user avatar
-1 votes
0 answers
11 views

setTimeout in i10n.js work if unsafe-eval removed from Content Security Policy?

I'm working on a project that involves internationalization using i10n.js, and I noticed that setTimeout is used within the script. Currently, our Content Security Policy (CSP) includes unsafe-eval, ...
Brijrajsinh Jadeja's user avatar
-1 votes
0 answers
42 views

"Refused to load the script... because it violates the following Content Security Policy directive, when there is no violation?

Hello I am trying to inject a script within my application and seeing this error when it tries to load. Refused to load the script 'https://ts-demo02.ndep.ode.ent.nuance.com/chatskins/launch/...
user20066926's user avatar
0 votes
0 answers
18 views

Issue in generating UUID after applying Content Security Policy

I have a web application where I generate a UUID using the uuid library and include it as a parameter in a request. The code worked correctly before implementing a Content Security Policy (CSP). After ...
Mezbaul Islam Aunik's user avatar
-1 votes
1 answer
20 views

Ways to allow inline script for script-src CSP header without using nonce/hash/unsafe-inline

Is there any way that allows inline script for script-src CSP header without using nonce/hash/unsafe-inline? Since our project is huge and there are multiple areas where inline script is present. We ...
Anonymous's user avatar
0 votes
1 answer
50 views

How to use ngCspNonce in Angular

I am trying to use a nonce in my Content Security Policy in an Angular app. My content security policy includes: script-src 'self' 'unsafe-inline' 'strict-dynamic' 'nonce-blahblah' And a simplified ...
leremjs's user avatar
  • 1,049
