Content Security Policy


(Donald Hall) #1

Hi All,
I was trying to implement a content security policy on a one-page test version of my website with the following:

However, the debugger in Safari complains with the following error message (3 instances of same):

<img src="rw_common/themes/delta/images/body_bg.png" alt="" style="width: 3000px; height: 489px;" />

“Refused to apply a stylesheet because its hash, its nonce, or ‘unsafe-inline’ appears in neither the style-src directive nor the default-src directive of the Content Security Policy.”

There is a second error, associated with the email contact script, which is an in-line script:

	<p>&copy; 2016 Apps & More Software Design, Inc. <a href="#" id="rw_email_contact">Contact Apps & More</a><script type="text/javascript">var _rwObsfuscatedHref0 = "mai";var _rwObsfuscatedHref1 = "lto";var _rwObsfuscatedHref2 = ":in";var _rwObsfuscatedHref3 = "fo@";var _rwObsfuscatedHref4 = "app";var _rwObsfuscatedHref5 = "san";var _rwObsfuscatedHref6 = "dmo";var _rwObsfuscatedHref7 = "re.";var _rwObsfuscatedHref8 = "com";var _rwObsfuscatedHref = _rwObsfuscatedHref0+_rwObsfuscatedHref1+_rwObsfuscatedHref2+_rwObsfuscatedHref3+_rwObsfuscatedHref4+_rwObsfuscatedHref5+_rwObsfuscatedHref6+_rwObsfuscatedHref7+_rwObsfuscatedHref8; document.getElementById('rw_email_contact').href = _rwObsfuscatedHref;</script></p>

“Refused to execute a script because its hash, its nonce, or ‘unsafe-inline’ appears in neither the script-src directive nor the default-src directive of the Content Security Policy.”

My question is: how do I include the rw_common folder and the in-line script into my content security policy?

Thanks, Don


(Donald Hall) #2

Replying to my own post because my content security policy did not seem to appear in the original. It is:

http-equiv="Content-Security-Policy" content="default-src 'self'; "

within a Meta tag.


(Doug Bennett) #3

The rw_common folder itself should be fine. The problem listed above is that you have a style= on the image. You're not allowed to have inline styles with a content security policy.
Inline scripts are not allowed either. They would need to be placed in a file within a trusted directory or domain.
CSP can never allow in-line anything, as its purpose is to direct browsers to block things that are subject to certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. In-line stuff is subject to these kinds of attacks.


(Donald Hall) #4

Thanks for the reply. This was a one page test site made with RapidWeaver 5. So, it looks like a CSP is not possible for an out of the box RapidWeaver generated site. I am actually trying to make my site GDPR compatible, but am not clear if a CSP is required.


(Isaiah Carew) #5

GDPR and Content Security Policy aren’t really related specifically. However some people do use the CSP features built into modern browsers as a way to guarantee that their content doesn’t violate the GDPR.

Content Security Policy is a set of restrictions you can place on the content of the website. This is a technical feature of browsers – not just an agreement. Your site will ask the browser to abide by these restrictions. This is especially useful if your site serves up content that might be coming from elsewhere or from users of the site.

Content Security Policies can have a lot of details. Here’s a pretty simple one that I lifted from an article at Smashing Magazine:


<?php
    // PHP's header() refuses a value that contains newlines, so the
    // directives are concatenated into a single header line.
    header("Content-Security-Policy: "
      . "default-src 'self'; "
      . "script-src 'self' www.google-analytics.com stats.g.doubleclick.net; "
      . "style-src 'self' data:; "
      . "img-src 'self' www.google-analytics.com stats.g.doubleclick.net data:; "
      . "frame-src 'self';");
?>

notice that this policy has separate definitions for several different types of content (style-src, script-src, etc.) and for each it defines which places that type of content can originate from.

your policy content="default-src 'self'" is very very restrictive. it means that a lot of types of very normal and very safe content will be disallowed.

in the case above an "inline" style is used – that's one where the style is put right into the page itself. this is very advantageous because it's very fast – especially important for images. on a page with user-generated content this might be disallowed – because you would not want users to modify the style of the page and hide things other users should see – but on a page generated by RapidWeaver there's usually no reason to disallow that. so specifying a style-src of 'unsafe-inline' (despite the scary sounding name) is probably the way to go.

the Content Security Policy specification was written to make it very difficult to specify something generic, or to write a policy without really understanding how they work. i'm fairly certain they did this on purpose. you'll probably have to do a bit of reading to understand each of the parts and write a policy that is not too restrictive for your content – but restrictive enough to be safe or to abide by the GDPR if that's your goal.

here are some links to some good details and examples:
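As an added example (not code from this thread, from RapidWeaver, or from the Smashing Magazine article), here is a small Python script that answers Don's original question about the in-line contact script without resorting to 'unsafe-inline': CSP lets a source list contain 'sha256-<base64>' entries, and the browser runs an inline script only if the hash of its exact contents appears in script-src. The script extracts every inline <script> from a page, computes those hashes, and emits the policy plus the <meta http-equiv> form used above. The sample HTML is constructed to resemble the RapidWeaver markup quoted in post #1; the function names are my own.

```python
"""Allow a page's inline scripts by SHA-256 hash instead of 'unsafe-inline'.

Added example, not code from the thread or from RapidWeaver. The hash
covers the exact bytes between <script> and </script>, whitespace included,
so it must be regenerated whenever the inline script changes.
"""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page modelled on the markup quoted in the thread: an
# image with an inline style, an external script, and the inline e-mail
# obfuscation script (shortened; the address is a placeholder).
SAMPLE_HTML = """<html><body>
<img src="rw_common/themes/delta/images/body_bg.png" alt="" style="width: 3000px; height: 489px;" />
<script src="rw_common/themes/delta/js/theme.js"></script>
<p>&copy; 2016 Example Inc. <a href="#" id="rw_email_contact">Contact</a><script type="text/javascript">var _h0 = "mai";var _h1 = "lto:info@example.com";document.getElementById('rw_email_contact').href = _h0+_h1;</script></p>
</body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collects the raw contents of every <script> element that has no src=."""

    def __init__(self):
        # convert_charrefs=False so the script text reaches handle_data untouched.
        super().__init__(convert_charrefs=False)
        self._in_inline_script = False
        self._chunks = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # External scripts (src=...) are covered by host sources, not hashes.
        if tag == "script" and "src" not in dict(attrs):
            self._in_inline_script = True
            self._chunks = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.scripts.append("".join(self._chunks))
            self._in_inline_script = False


def inline_scripts(html: str) -> list:
    """Return the bodies of all inline <script> elements, in document order."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def csp_hash(source: str) -> str:
    """Return the 'sha256-...' source expression for one inline script body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_policy(html: str) -> str:
    """Same-origin policy plus a hash entry for each inline script on the page."""
    script_src = ["'self'"] + [csp_hash(s) for s in inline_scripts(html)]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "img-src 'self' data:",
        # Hashes in style-src cover <style> elements, not style="" attributes;
        # the inline style on the image still has to move into a .css file.
        "style-src 'self'",
    ]
    return "; ".join(directives)


def meta_tag(policy: str) -> str:
    """Wrap the policy in the <meta http-equiv> form used in the thread."""
    return '<meta http-equiv="Content-Security-Policy" content="%s">' % policy


if __name__ == "__main__":
    policy = build_policy(SAMPLE_HTML)
    print(policy)
    print(meta_tag(policy))
```

Run it against the real page source rather than a copy edited by hand: one changed byte in the script, even a trailing space, produces a different hash and the browser silently refuses the script. The inline style attribute on the image is a separate case; CSP Level 3 adds 'unsafe-hashes' to allow attribute hashes, but browser support has been uneven, so moving the style into a stylesheet served from the site's own origin is the portable fix.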