Kryptronic Software Support Forum


#1 12-26-2018 18:07:48

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 935

Content Security Policy

My client moved to a new host and the ajax checkout doesn't work among other things.

The console error is

"Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent."

I suspect it's more than the inline scripts (apis.google.com, too).
Can you tell me the headers to include to get rid of this error?

Thank you.


 

#2 12-27-2018 08:28:23

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19232

Re: Content Security Policy

Can you load the page using your console and provide the headers being sent when the error is triggered? We added the following to the CORE_Display::print_output() function in K9 (right below where the Content-Type header is printed), but I'm not sure if this solves the issue. That would depend on headers being sent:

Code:

header('X-XSS-Protection: 1');

Nick Hendler


 

#3 12-27-2018 12:44:24

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 935

Re: Content Security Policy

This is v.8. The code you referred to, should I add that somewhere? Where?

Here is the console response. (I searched files on server for "unsafe-inline" and could not find it. Could that be in the apis.google scripts?)

CSI/tbsd_ cb=gapi.loaded_0:265:127
CSI/_tbnd cb=gapi.loaded_0:265:127
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent. fastbutton
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified


 

#4 12-28-2018 09:01:48

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19232

Re: Content Security Policy

Those aren't the headers, but based on the log entry, I imagine your Apache server is configured to send a 'Content Security Policy' header with a value of ‘strict-dynamic’. You'll want to have your host disable that, or you may be able to override it with a working value like 'unsafe-inline' (basically turning CSP off). Depending on server config, this may have to be done at the server or virtual host level, or you may be able to override the header in your .htaccess file.


Nick Hendler

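To see why the console in post #3 reports 'unsafe-inline', https: and http: as ignored, and what the 'unsafe-inline' override in the reply above actually changes, here is an added Python script (not code from this thread or from Kryptronic) that evaluates a script-src directive the way a CSP3 browser does when 'strict-dynamic' is present. The two header values it analyses are constructed samples, since the thread never shows the host's real header.

```python
# Constructed sample policies (the thread never shows the host's actual header).
# HOST_POLICY reproduces the "Ignoring ... 'strict-dynamic' specified" messages;
# OVERRIDE_POLICY is the permissive 'unsafe-inline' value discussed in the reply.
HOST_POLICY = ("default-src 'self'; "
               "script-src 'nonce-abc123' 'strict-dynamic' 'unsafe-inline' https: http:; "
               "report-uri /csp-report")
OVERRIDE_POLICY = "script-src 'self' 'unsafe-inline' https://apis.google.com"

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Split a header value into {directive: [sources]}. Browsers honour only
    the first occurrence of a directive, so duplicates are dropped."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def analyse_script_src(header_value):
    """Report which script-src sources the browser ignores and whether an
    un-nonced inline script (like the store's checkout scripts) may run."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    strict_dynamic = "'strict-dynamic'" in sources
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    ignored, effective = [], []
    for src in sources:
        scheme_or_host = not src.startswith("'")  # https:, http:, hostnames, *
        if strict_dynamic and (scheme_or_host or src in ("'self'", "'unsafe-inline'")):
            ignored.append(src)   # "Ignoring ... within script-src: 'strict-dynamic' specified"
        elif src == "'unsafe-inline'" and has_nonce_or_hash:
            ignored.append(src)   # CSP2 rule: a nonce or hash disables 'unsafe-inline'
        else:
            effective.append(src)
    return {
        "strict_dynamic": strict_dynamic,
        "ignored": ignored,
        "effective": effective,
        "unnonced_inline_allowed": "'unsafe-inline'" in effective,
    }


if __name__ == "__main__":
    for label, value in (("host", HOST_POLICY), ("override", OVERRIDE_POLICY)):
        print(label, analyse_script_src(value))
```

With the host policy the nonce and 'strict-dynamic' are all that survive, so scripts without that nonce (the store's inline checkout code) are blocked and reported; with the override nothing is ignored, so every inline script on the page runs.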

 

#5 12-28-2018 10:16:09

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 935

Re: Content Security Policy

Thank you. I didn't know the server could be configured to disable CSP.
Make it a wonderful day! You certainly deserve it.


 
