
I have upgraded my application from 2.5.12 to 2.5.18 and am receiving errors when attempting to run this application.

Errors such as:

Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to load the font 'http://localhost:9000/assets/css/bootstrap/glyphicons-halflings-regular.woff' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-nOIew6ekpmk+M5QFOFhJ1ur1AuDtJrbuorncKwpAfxA='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' http://localhost:9000". Either the 'unsafe-inline' keyword, a hash ('sha256-CeNrMsFQ2CxbG0wY6+u/TJVb6zIFWXP9hv08Pgb1MmM='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' <URL>". Either the 'unsafe-inline' keyword, a hash ('sha256-se3iZ/nePYmAviO9VXXizL4rh7Co8gaWtMzoxdwXqdk='), or a nonce ('nonce-...') is required to enable inline execution.

So, I followed this doc:

https://www.playframework.com/documentation/2.5.18/SecurityHeaders

and read these posts:

Play framework - Content Security Policy setting doesn't work?

Play Framework won't run inline javascript

and updated my application.conf with:

play.modules {
    enabled += "play.filters.headers.SecurityHeadersModule"
}

play.filters {
    # Security headers filter configuration
    headers {
        # The Content-Security-Policy header. If null, the header is not set.
        contentSecurityPolicy = "default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; connect-src 'self'; img-src 'self' http://localhost:9000; style-src 'self' http://localhost:9000; font-src 'self' http://localhost:9000"
    }
}

However, when I clean, compile, and run the application, I still receive those errors listed above. It seems as if the play.filters is not activating.

I notice that you can add the Content Security Policy into the html page itself - do I need to do both to activate this filter?

I also know I can disable this filter, but it sounds like that is not a good idea.

Dan

1 Answer


One thing I spot here is that you need to define that for script-src and style-src and font-src separately.

So in your case:

contentSecurityPolicy = "default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; connect-src 'self'; img-src 'self' http://localhost:9000; style-src 'self' http://localhost:9000 'unsafe-inline'; font-src 'self' http://localhost:9000 'unsafe-inline'"

This is for the unsafe-inline problem.

Or you can put everything in default-src, but you lose a bit of security ;).

By the way, I recommend moving all inline scripts and inline styles into files, so you have one security threat less.

pme
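The directive fallback and 'unsafe-inline' behaviour discussed in the question and the answer, as an added example that is not part of the original posts or of Play: a small Python evaluator that resolves a CSP string the way the browser errors above describe it (font-src falling back to default-src, 'self' and host sources, and a sha256 hash as the replacement for 'unsafe-inline'). The policies are the two from this page plus a constructed `default-src 'none'` policy that reproduces the first font refusal; the page origin, the font URL, the inline script and style bodies, and the hash-based HARDENED_POLICY are constructed here. The sha256 values printed in the question's errors belong to that page's own inline blocks, not to the ones used below.

```python
"""Resolve a Content-Security-Policy the way the browser errors in the question show.

Added example, not code from the question, the answer, or Play.  NONE_POLICY is
constructed to reproduce the first font refusal; ASKER_POLICY and ANSWER_POLICY are
the two policies on the page; everything else (origin, inline bodies, hashes) is
constructed for the demonstration.
"""
import base64
import hashlib
from urllib.parse import urlsplit

PAGE_ORIGIN = "http://localhost:9000"      # assumed document origin, what 'self' refers to
FONT_URL = "http://localhost:9000/assets/css/bootstrap/glyphicons-halflings-regular.woff"
INLINE_STYLE = "body { margin: 0; }"       # constructed inline <style> body
INLINE_SCRIPT = "console.log('boot');"     # constructed inline <script> body

DEFAULT_PORTS = {"http": 80, "https": 443}
# Fetch directives that fall back to default-src when they are not set explicitly.
FALLS_BACK = {"script-src", "style-src", "font-src", "img-src", "connect-src",
              "media-src", "object-src", "frame-src", "manifest-src"}

NONE_POLICY = "default-src 'none'; script-src 'self'"   # constructed, no font-src at all
ASKER_POLICY = ("default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; "
                "connect-src 'self'; img-src 'self' http://localhost:9000; "
                "style-src 'self' http://localhost:9000; font-src 'self' http://localhost:9000")
ANSWER_POLICY = ("default-src 'self'; script-src 'self' http://localhost:9000 'unsafe-inline'; "
                 "connect-src 'self'; img-src 'self' http://localhost:9000; "
                 "style-src 'self' http://localhost:9000 'unsafe-inline'; "
                 "font-src 'self' http://localhost:9000 'unsafe-inline'")


def parse_csp(policy: str) -> dict:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive keeps its first value."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, name: str):
    """(source list, directive that supplied it), or (None, None) if nothing governs the load."""
    if name in directives:
        return directives[name], name
    if name in FALLS_BACK and "default-src" in directives:
        return directives["default-src"], "default-src"
    return None, None


def sha256_source(inline_body: str) -> str:
    """The hash-source that whitelists exactly this inline block (what the browser error suggests)."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def host_source_matches(source: str, url: str) -> bool:
    """Match a scheme-source (https:) or host-source (http://localhost:9000) against a URL."""
    tgt = urlsplit(url)
    if source.endswith(":") and "/" not in source:            # scheme-source
        return tgt.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != tgt.scheme:
        return False
    if src.hostname != tgt.hostname:                           # no wildcard hosts in this toy
        return False
    src_port = src.port if src.port is not None else DEFAULT_PORTS.get(src.scheme or tgt.scheme)
    tgt_port = tgt.port if tgt.port is not None else DEFAULT_PORTS.get(tgt.scheme)
    return src_port == tgt_port


def check_url(policy: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN):
    """Would the browser fetch `url` for `directive` (font-src, img-src, ...)? -> (allowed, reason)"""
    sources, used = effective_sources(parse_csp(policy), directive)
    if sources is None:
        return True, "no directive governs " + directive
    for src in sources:
        if src == "'self'" and host_source_matches(page_origin, url):
            return True, "'self' in " + used
        if not src.startswith("'") and host_source_matches(src, url):
            return True, src + " in " + used
    note = "" if used == directive else f" ('{directive}' was not set, so '{used}' is used as a fallback)"
    return False, f"violates \"{used} {' '.join(sources)}\"{note}"


def check_inline(policy: str, directive: str, body: str):
    """Would an inline <script>/<style> with this body be executed/applied? -> (allowed, reason)"""
    sources, used = effective_sources(parse_csp(policy), directive)
    if sources is None:
        return True, "no directive governs " + directive
    if sha256_source(body) in sources:
        return True, "hash matches in " + used
    # Any hash or nonce in the directive makes browsers ignore 'unsafe-inline' (CSP level 2+).
    has_hash_or_nonce = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True, "'unsafe-inline' in " + used
    return False, f"inline blocked by \"{used} {' '.join(sources)}\"; a hash, nonce or 'unsafe-inline' is required"


# Hardened variant: hashes of the two inline blocks instead of 'unsafe-inline'; 'self' already
# covers http://localhost:9000 because that is the page origin, so the host entry is dropped.
HARDENED_POLICY = (f"default-src 'self'; script-src 'self' {sha256_source(INLINE_SCRIPT)}; "
                   f"connect-src 'self'; img-src 'self'; style-src 'self' {sha256_source(INLINE_STYLE)}; "
                   f"font-src 'self'")

if __name__ == "__main__":
    cases = [
        ("NONE_POLICY     font", check_url(NONE_POLICY, "font-src", FONT_URL)),
        ("ASKER_POLICY    font", check_url(ASKER_POLICY, "font-src", FONT_URL)),
        ("ASKER_POLICY    style", check_inline(ASKER_POLICY, "style-src", INLINE_STYLE)),
        ("ANSWER_POLICY   style", check_inline(ANSWER_POLICY, "style-src", INLINE_STYLE)),
        ("HARDENED_POLICY style", check_inline(HARDENED_POLICY, "style-src", INLINE_STYLE)),
        ("HARDENED_POLICY style (edited)", check_inline(HARDENED_POLICY, "style-src", INLINE_STYLE + "/**/")),
    ]
    for label, (allowed, reason) in cases:
        print(f"{'ALLOW ' if allowed else 'REFUSE'} {label}: {reason}")
```

Two points the output makes that the answer's config does not: 'unsafe-inline' only has a meaning in script-src and style-src (fonts are never inline, so the font refusals are cured by font-src or default-src listing the origin, not by the keyword), and a hash or nonce in a directive makes the browser ignore 'unsafe-inline' in that same directive, so the two cannot be combined as a fallback. Moving the inline blocks into files, as the answer recommends, or hashing them as HARDENED_POLICY does, avoids 'unsafe-inline' altogether; a hash-based policy also breaks as soon as a single byte of the inline block changes, which is the property that makes it a useful control.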