My client moved to a new host and the ajax checkout doesn't work among other things.
The console error is
"Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent."
I suspect it's more than the inline scripts (apis.google.com, too).
Can you tell me the headers to include to get rid of this error?
Thank you.
Can you load the page using your console and provide the headers being sent when the error is triggered? We added the following to the CORE_Display::print_output() function in K9 (right below where the Content-Type header is printed), but I'm not sure if this solves the issue. That would depend on headers being sent:
header('X-XSS-Protection: 1');
This is v.8. The code you referred to, should I add that somewhere? Where?
Here is the console response. (I searched files on server for "unsafe-inline" and could not find it. Could that be in the apis.google scripts?)
CSI/tbsd_ cb=gapi.loaded_0:265:127
CSI/_tbnd cb=gapi.loaded_0:265:127
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent. fastbutton
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Those aren't the headers, but based on the log entry, I imagine your Apache server is configured to send a 'Content Security Policy' header with a value of ‘strict-dynamic’. You'll want to have your host disable that, or you may be able to override it with a working value like 'unsafe-inline' (basically turning CSP off). Depending on server config, this may have to be done at the server or virtual host level, or you may be able to override the header in your .htaccess file.
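To see why the browser prints those "Ignoring ... 'strict-dynamic' specified" lines, and why the suggested override lets inline scripts run again, here is a small checker, added here as an example and not code from the thread or from the product, that applies the browser's precedence rule for a script-src directive. The three policy strings are constructed assumptions (the actual header the new host sends was never posted); the checker also covers the related rule that a nonce or hash makes 'unsafe-inline' ignored, and shows a nonce-based policy that keeps 'strict-dynamic' while still allowing a marked inline script.

```python
import re

# Policy values constructed for this example: the thread shows only the
# console messages, never the header the new host actually sends.
HOST_POLICY = "script-src 'strict-dynamic' 'unsafe-inline' https: http: apis.google.com"
OVERRIDE_POLICY = "script-src 'self' 'unsafe-inline' https: apis.google.com"
NONCE_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'"

NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")

def parse_csp(header_value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_script_src(header_value):
    """Return (kept, ignored) for script-src (falling back to default-src).
    With 'strict-dynamic': host/scheme sources, 'self' and 'unsafe-inline' are
    ignored. With a nonce or hash but no 'strict-dynamic': only 'unsafe-inline' is."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    strict = "'strict-dynamic'" in sources
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    kept, ignored = [], []
    for src in sources:
        host_or_scheme = not src.startswith("'")  # https:, http:, apis.google.com
        if strict and (host_or_scheme or src in ("'self'", "'unsafe-inline'")):
            ignored.append(src)
        elif has_nonce_or_hash and src == "'unsafe-inline'":
            ignored.append(src)
        else:
            kept.append(src)
    return kept, ignored

def inline_script_allowed(header_value, nonce=None):
    """True if an inline <script> (with nonce=... if given) may run; hash sources are not checked."""
    kept, _ = effective_script_src(header_value)
    return "'unsafe-inline'" in kept or (nonce is not None and f"'nonce-{nonce}'" in kept)

def explain(header_value):
    """Console-style lines in the shape Firefox reports for this policy."""
    kept, ignored = effective_script_src(header_value)
    reason = ("'strict-dynamic' specified" if "'strict-dynamic'" in kept
              else "nonce-source or hash-source specified")
    return [f"Ignoring {s} within script-src: {reason}" for s in ignored]
```

Running explain(HOST_POLICY) reproduces the four "Ignoring" messages in the order the console showed them, and inline_script_allowed(HOST_POLICY) is False, which is the blocked ajax checkout; with OVERRIDE_POLICY it is True, and with NONCE_POLICY it is True only for a script carrying nonce="r4nd0m".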
Thank you. I didn't know the server could be configured to disable CSP.
Make it a wonderful day! You certainly deserve it.