
I have my CSP added as below in my code

res.header('Content-Security-Policy',
    "default-src 'self'; style-src 'self' '<hashvalue>';" +
    "script-src 'self' '<hashvalue>';" +
    "font-src 'self' data: fonts.gstatic.com;" +
    "img-src 'self';" +
    "frame-src 'self';" +
    "object-src 'none';" +
    "frame-ancestors 'none';" +
    "connect-src 'none';"
);

After adding this, my UI does not load on Firefox.

And even though I have set this CSP, I get an AppScan issue for CSP:

'AppScan detected that the Content-Security-Policy response header is missing or with an insecure policy, which increases exposure to various cross-site injection attacks'

Your help is highly appreciated!

Thanks in advance!

Rani Agrawal
  • I know if you explore this with the Inspector on Chrome it will tell you exactly what resources are blocked by the CSP and which CSP rules were violated. I don't think the Firefox inspector goes into this much detail, unfortunately. – Martin Apr 17 '20 at 13:25
  • It works perfectly fine on Chrome; the UI gets rendered and works as expected. – Rani Agrawal Apr 17 '20 at 13:40
  • What does redbot.org tell you? – Martin Apr 17 '20 at 16:46
  • You may have to disable some Firefox browser addons to check if it's caused by an addon? – Martin Apr 17 '20 at 16:48
  • I have disabled all the addons. I had even thought it might be because of some addons, but still no luck. – Rani Agrawal Apr 20 '20 at 05:34
  • Thanks for the help! I was able to resolve the issue by completely removing style-src, which was being over-protected by the Content Security Policy headers. – Rani Agrawal Apr 22 '20 at 09:22
  • Perhaps think about writing and accepting an answer :) – DarkTrick Jul 05 '22 at 13:10
