
So I have been trying to use a Google Programmable Search Engine script, but I am having trouble with the meta tag. The meta tag that I have included in my <head> is as follows:

<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">

However, I am still getting an error telling me it refused to load the script because it violates the Content Security Policy directive "script-src 'self'".

I am wondering whether it inherits some sort of settings from somewhere else, as it doesn't accept the new script-src I am setting; however, it does accept the new script-src if I set it to 'none'.

By the way, I am very new to HTML, so I might be making some obvious mistake.

johan

1 Answer

Looks like you have two Content-Security-Policy headers/tags issued. If there are multiple CSPs, the strictest rules from both apply (all sources/tokens must pass both CSPs unscathed).

Content Security Policy could be delivered 2 ways:

  • via the HTTP header Content-Security-Policy: (preferred)
  • via a meta tag (restricted possibilities)

So you need to check for a double <meta http-equiv="Content-Security-Policy" in the HTML code.

And check the HTTP response headers (because a CMS could publish a CSP by default) in the browser developer tools (Ctrl+Shift+I in Chrome and Ctrl+Shift+K in Firefox -> Network tab -> select the main page in the left window and look at Response headers):

[screenshot: response headers in the browser developer tools]

granty
  • Yes, it seems it is coming from the response header. I have never worked with HTTP response headers or anything server related (which I assume this is?) - how would one go about changing this? – johan Sep 28 '20 at 07:46
  • By default a web server does not publish CSP headers, therefore the search vectors are: 1. Headers plugin for the CMS (most probable). 2. The .htaccess file or nginx config, see https://csplite.com/csp31/ 3. PHP server: header() function in code. 4. Java server: Headers() construct. – granty Sep 28 '20 at 16:24
  • Thank you very much, I will give this a try when I have some more time, as this is completely new to me, so it will probably take me some time to understand fully. – johan Oct 02 '20 at 07:36
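The situation the answer describes, reproduced offline as an added example (not code from the question or the answer): a constructed response carrying the server-side header `script-src 'self'` plus the meta tag from the question. The script collects every policy a browser would enforce (all CSP headers plus all CSP meta tags), parses them, and checks a script URL against each one, since a script loads only if every policy allows it. The page URL, the header list and the HTML are constructed, and the Google loader URL `https://cse.google.com/cse.js` is assumed here as the script being blocked. The source matcher covers `'self'`, `'none'`, scheme sources and `*.`-wildcard hosts, which is enough for this case; it is not a full CSP implementation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- constructed inputs, standing in for what the browser saw in the question ---
PAGE_URL = "https://example.test/search.html"  # assumed page origin
RESPONSE_HEADERS = [  # constructed; the CSP header is the one the CMS adds by default
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "script-src 'self'"),
]
PAGE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src *.google.com 'self';">
</head><body>
<script async src="https://cse.google.com/cse.js"></script>
</body></html>"""
SEARCH_SCRIPT = "https://cse.google.com/cse.js"  # assumed loader URL


def parse_csp(policy):
    """Split a policy string into {directive: [source tokens]}.
    CSP ignores repeated directives inside one policy; the first wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


class _MetaCSPFinder(HTMLParser):
    """Collect the content= value of every <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy" and "content" in a:
            self.policies.append(a["content"])


def find_meta_csps(html):
    finder = _MetaCSPFinder()
    finder.feed(html)
    return finder.policies


def collect_policies(response_headers, html):
    """Every policy the browser enforces: all CSP headers first, then all meta tags."""
    from_headers = [v for k, v in response_headers if k.lower() == "content-security-policy"]
    return from_headers + find_meta_csps(html)


def source_matches(token, script_url, page_url):
    """Does one source expression allow script_url when loaded from page_url?"""
    token = token.lower()
    script, page = urlparse(script_url), urlparse(page_url)
    if token == "'none'":
        return False
    if token == "'self'":
        return (script.scheme, script.hostname, script.port) == (page.scheme, page.hostname, page.port)
    if token.startswith("'"):
        return False  # other keywords ('unsafe-inline', nonces, hashes) do not match a URL
    if token.endswith(":") and "/" not in token:  # scheme-source such as https:
        return script.scheme == token[:-1]
    m = re.match(r"^(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$", token)
    if not m:
        return False  # '*' alone and path-sources are not handled by this simplified matcher
    scheme, wildcard, host, port = m.groups()
    if scheme and scheme != script.scheme:
        return False
    if not scheme and script.scheme not in ("http", "https"):
        return False  # simplification: a scheme-less host source is taken to allow http/https
    h = script.hostname or ""
    if wildcard:
        if not h.endswith("." + host):
            return False
    elif h != host:
        return False
    if port and port != "*":
        effective = script.port or {"http": 80, "https": 443}.get(script.scheme)
        if str(effective) != port:
            return False
    return True


def script_allowed(policies, script_url, page_url):
    """The strictest-wins rule: the script loads only if every policy allows it."""
    for policy in policies:
        d = parse_csp(policy)
        sources = d.get("script-src", d.get("default-src"))
        if sources is None:
            continue  # this policy says nothing about scripts
        if not any(source_matches(t, script_url, page_url) for t in sources):
            return False
    return True


if __name__ == "__main__":
    policies = collect_policies(RESPONSE_HEADERS, PAGE_HTML)
    for p in policies:
        print("enforced policy:", p)
    print("search script allowed:", script_allowed(policies, SEARCH_SCRIPT, PAGE_URL))
    print("allowed by meta tag alone:", script_allowed(policies[1:], SEARCH_SCRIPT, PAGE_URL))
```

Running it prints both enforced policies, reports the Google script as blocked under the combined set, and shows it would be allowed by the meta tag alone, which is exactly the symptom in the question: the fix is to find and change the header policy, not to loosen the meta tag further.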