Kryptronic Software Support Forum
You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.
#1 12-26-2018 18:07:48
- Blitzen
- Member
- From: USA
- Registered: 01-01-2005
- Posts: 936
Content Security Policy
My client moved to a new host and the ajax checkout doesn't work among other things.
The console error is
"Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent."
I suspect it's more than the inline scripts (apis.google.com, too).
Can you tell me the headers to include to get rid of this error?
Thank you.
Offline
#2 12-27-2018 08:28:23
Re: Content Security Policy
Can you load the page using your console and provide the headers being sent when the error is triggered? We added the following to the CORE_Display::print_output() function in K9 (right below where the Content-Type header is printed), but I'm not sure if this solves the issue. That would depend on headers being sent:
Code:
header('X-XSS-Protection: 1');Nick Hendler
Offline
#3 12-27-2018 12:44:24
- Blitzen
- Member
- From: USA
- Registered: 01-01-2005
- Posts: 936
Re: Content Security Policy
This is v.8. The code you referred to, should I add that somewhere? Where?
Here is the console response. (I searched files on server for "unsafe-inline" and could not find it. Could that be in the apis.google scripts?)
CSI/tbsd_ cb=gapi.loaded_0:265:127
CSI/_tbnd cb=gapi.loaded_0:265:127
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: The page’s settings observed the loading of a resource at inline (“script-src”). A CSP report is being sent. fastbutton
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
Offline
#4 12-28-2018 09:01:48
Re: Content Security Policy
Those aren't the headers, but based on the log entry, I imagine your Apache server is configured to send a 'Content Security Policy' header with a value of ‘strict-dynamic’. You'll want to have your host disable that, or you may be able to override it with a working value like 'unsafe-inline' (basically turning CSP off). Depending on server config, this may have to be done at the server or virtual host level, or you may be able to override the header in your .htaccess file.
Nick Hendler
Offline
#5 12-28-2018 10:16:09
- Blitzen
- Member
- From: USA
- Registered: 01-01-2005
- Posts: 936
Re: Content Security Policy
Thank you. I didn't know the server could be configured to disable CSP.
Make it a wonderful day! You certainly deserve it.
Offline