I've had this issue for a while, but it's only now becoming a real problem.

I implemented Content Security Policy a couple of years ago. I use PHP to set the headers. Here's my header below.

Content-Security-Policy: default-src 'self' www.googleadservices.com ssl.google-analytics.com www.google-analytics.com googleads.g.doubleclick.net

This works perfectly. However, if I change it in any way, the header sent is still the same. Even if I delete the code the server sends it anyway.

I thought the browser might cache this but fresh browsers do the same thing as well as online header checkers. I thought the web server might cache this but modifications to other header directives work fine.

I'm using IIS7.5 with PHP 5.6.31 NTS on Windows Web Server 2008.

This is a weird problem and neither a Google nor an SO search has turned up anything.

Old code:

// The value is built by concatenation so the header string itself contains no line breaks
header("Content-Security-Policy: default-src 'self' www.googleadservices.com "
    . "ssl.google-analytics.com www.google-analytics.com googleads.g.doubleclick.net");

New Code:

// Same construction: one header value assembled by concatenation, no embedded newlines
header("Content-Security-Policy: default-src 'self' www.googleadservices.com "
    . "ssl.google-analytics.com www.google-analytics.com googleads.g.doubleclick.net sealserver.trustwave.com; "
    . "style-src 'self' fonts.googleapis.com; object-src 'none'");

Resulting header, no matter what:

Content-Security-Policy: default-src 'self'  www.googleadservices.com ssl.google-analytics.com www.google-analytics.com googleads.g.doubleclick.net

Any hints would be appreciated.

  • Have you checked your `iis` config file? From [this post](https://stackoverflow.com/questions/37992225/config-your-iis-server-to-use-the-content-security-policy-header/37996726#37996726), you can define your CSP in your config file; you might have done so at an earlier date with the original CSP, which is now overriding your new CSP – F. Stephen Q Oct 12 '17 at 15:16
  • I've never set the CSP header anywhere else but I double checked anyway, 'cause you never know. The setting is neither in web.config nor the files in C:\Windows\System32\inetsrv\config. We have some password protected pages that have inline javascript, so I've avoided using CSP site wide. I'll keep looking though. – Daniel Campbell Oct 13 '17 at 22:09
  • For reference, here are my http headers set within the IIS config. X-Frame: Same Origin X-Permitted-Cross-Domain: master-only X-Powered-By: Slurm X-UA-Compatible: IE-Edge X-XSS-Protection: 1:mode-block – Daniel Campbell Oct 13 '17 at 22:19

1 Answer

I use PHP to set the headers. (...) However, if I change it in any way, the header sent is still the same. Even if I delete the code the server sends it anyway.

My best guess for why the old header is being sent: The code is doing something unexpected in a weird place. I would grep the entire source code for any instances of header() and start from there.

For a long-term, easily maintainable solution, you may find CSP-Builder easier than writing them manually.

Scott Arciszewski
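Before grepping the code base for header() calls, it helps to pin down exactly what is being served and how far it is from the intended policy. The following is an added example written for this thread, not code from the question, the answer, or CSP-Builder: it extracts every Content-Security-Policy header from a raw HTTP response head, parses a CSP value into directives, and reports, per directive, which sources are missing or unexpected compared with the policy the PHP code is meant to send. The response text is constructed from the "resulting header" shown in the question (the other headers in it are filler), and the expected policy is taken from the question's new header() call. It also counts CSP headers, because if two components each set one (say PHP and the web-server configuration) the browser enforces all of them and the effective policy is their intersection, which looks from the outside very much like "my change is ignored".

```python
# Added example for this thread (not code from the question or the answer):
# compare the CSP a server actually serves with the policy the PHP code is
# meant to send, directive by directive.

# Constructed sample: the policy from the question's "New Code" header() call.
EXPECTED_POLICY = (
    "default-src 'self' www.googleadservices.com ssl.google-analytics.com "
    "www.google-analytics.com googleads.g.doubleclick.net sealserver.trustwave.com; "
    "style-src 'self' fonts.googleapis.com; object-src 'none';"
)

# Constructed sample response head built from the "resulting header" in the
# question; the other headers are invented filler, not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Powered-By: Slurm\r\n"
    "Content-Security-Policy: default-src 'self'  www.googleadservices.com "
    "ssl.google-analytics.com www.google-analytics.com googleads.g.doubleclick.net\r\n"
    "\r\n"
    "<html><body>placeholder body</body></html>"
)


def csp_headers(raw_response):
    """Return every Content-Security-Policy value in a raw HTTP response head.

    Header names are matched case-insensitively. More than one CSP header is
    possible (say, one from PHP and one from the web-server config); browsers
    enforce all of them, so a caller should treat len(result) > 1 as a finding.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            values.append(value.strip())
    return values


def parse_csp(value):
    """Parse a CSP value into {directive-name: [source expressions]}.

    Directives are separated by ';'; within a directive the first token is the
    name and the rest are sources. Any run of whitespace separates tokens, so
    the doubled space in the question's header is harmless. A directive name
    that appears twice is ignored after its first occurrence, as browsers do.
    """
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def diff_csp(expected, observed):
    """Report, per directive, (sources missing from observed, sources observed
    but not expected). Directives that match exactly are omitted, so an empty
    dict means the served policy is the intended one."""
    exp, obs = parse_csp(expected), parse_csp(observed)
    report = {}
    for name in sorted(set(exp) | set(obs)):
        e, o = set(exp.get(name, [])), set(obs.get(name, []))
        if e != o:
            report[name] = (sorted(e - o), sorted(o - e))
    return report


def check_response(raw_response, expected=EXPECTED_POLICY):
    """Run both checks and return (number of CSP headers, diff of the first one).

    Zero headers means nothing is setting the policy at all; more than one means
    two components are each setting it and the browser enforces the intersection.
    """
    served = csp_headers(raw_response)
    if not served:
        return 0, None
    return len(served), diff_csp(expected, served[0])


if __name__ == "__main__":
    count, report = check_response(SAMPLE_RESPONSE)
    print(f"CSP headers in response: {count}")
    for name, (missing, extra) in (report or {}).items():
        print(f"{name}: missing {missing}, unexpected {extra}")
```

Run against the header from the question, the report shows a single CSP header whose default-src lacks only sealserver.trustwave.com and which has no style-src or object-src at all: that is precisely the output of the old header() call, which points at a second copy of the old code or configuration still executing rather than at caching. To check a live site, replace SAMPLE_RESPONSE with the raw response head from an HTTP client, and remember that HEAD and GET can take different code paths in a PHP application, so test the same request the browser makes.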