Questions tagged [content-security-policy] (2,873 questions)
Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load, as well as the script it's allowed to execute.
Extension and App webworker communication (0 votes, 0 answers, 11 views)
I've got a PWA with a webworker responding to requests at /api/. I also have an extension that goes with the app and I'd love it to be able to make requests of the PWA. I've tried a number of ways ...
Chrome extension manifest file and content_security_policy and inline JS script (0 votes, 0 answers, 25 views)
I'm using https://github.com/mingyaulee/Blazor.BrowserExtension to make a Chrome browser extension using Blazor WASM / Webassembly.
The library generates the HTML and JS for the extension, one of the ...
Can I force https on the browser when javascript library sets img-src? (0 votes, 0 answers, 26 views)
Using the CanadaPost AddressComplete library that has the following snippet:
/* Preload images that are to be used in the css. */
function preloadImage(url) {
var img = new Image();
...
CSP directive blocking style src to load in react js mantine (1 vote, 0 answers, 17 views)
I'm using mantine version 6.0.13 and vite.
I'm facing an issue after applying the CSP directive in the header, mentioned below:
CSP "Content-Security-Policy","default-src http://localhost; style-...
Is signalR-2.3.0 Content Security Policy (CSP) compatible or not? (0 votes, 0 answers, 24 views)
I'm using signalR version 2.3.0 for the project.
I've added these lines of code in web.config:
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" ...
What is the meaning of frame-src 'self' blob:? (0 votes, 0 answers, 12 views)
I want to restrict my site to blob: only from its own origin.
I thought frame-src 'self' blob: would do that, but checking on CSP Evaluator the results are:
It shows 'self' & blob.
...
How to decide which is the better option to implement for inline scripts, nonce or hash - CSP (-1 votes, 0 answers, 23 views)
What if, in a big application, we use something like the below in multiple areas:
<button type="button" class="btn btn-primary" onclick="func1()">test</button>
<...
How to load/embed PDF file in Chrome Extension? (0 votes, 0 answers, 15 views)
I'm trying to develop a Google Chrome extension capable of generating PDF files and showing them to the user. I have a sidePanel defined which makes use of the object tag to attempt to embed the PDF ...
How to build with webpack 4 without breaking a Content-Security-Policy that does not allow 'unsafe-eval'? (0 votes, 0 answers, 19 views)
I'm trying to build through webpack 4 & npm. I'm facing the issue "EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the ...
Is bootstrap.min.js CSP compatible? (0 votes, 1 answer, 91 views)
I am importing the bootstrap.min.js library file in my AngularJS project. The problem arises when I add the following CSP line to my project:
<httpProtocol>
<customHeaders>
<...
Does setTimeout in i10n.js work if unsafe-eval is removed from Content Security Policy? (-1 votes, 0 answers, 11 views)
I'm working on a project that involves internationalization using i10n.js, and I noticed that setTimeout is used within the script.
Currently, our Content Security Policy (CSP) includes unsafe-eval, ...
"Refused to load the script... because it violates the following Content Security Policy directive", when there is no violation? (-1 votes, 0 answers, 42 views)
Hello, I am trying to inject a script within my application and am seeing this error when it tries to load:
Refused to load the script
'https://ts-demo02.ndep.ode.ent.nuance.com/chatskins/launch/...
Issue in generating UUID after applying Content Security Policy (0 votes, 0 answers, 18 views)
I have a web application where I generate a UUID using the uuid library and include it as a parameter in a request. The code worked correctly before implementing a Content Security Policy (CSP). After ...
Ways to allow inline script for script-src CSP header without using nonce/hash/unsafe-inline (-1 votes, 1 answer, 20 views)
Is there any way that allows inline script for the script-src CSP header without using nonce/hash/unsafe-inline?
Since our project is huge and there are multiple areas where inline script is present,
We ...
How to use ngCspNonce in Angular (0 votes, 1 answer, 50 views)
I am trying to use a nonce in my Content Security Policy in an Angular app.
My content security policy includes:
script-src 'self' 'unsafe-inline' 'strict-dynamic' 'nonce-blahblah'
And a simplified ...