0

I am trying to deploy a web application in my local using apache tomcat as a container. I got a simple page with following in head section:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

<link rel="stylesheet" href="pure-min.css">
<link rel="stylesheet" href="styles.css">
<script src="app.js"></script>

and when I try to open the page on safari 14 I got error

Refused to load http://localhost:8080/webapp/app.js because it does not appear in the script-src directive of the Content Security Policy.

I have read documentation here and it looks like 'self' would be enough to load my own resources (for both css and javascript). What am I doing wrong ?

thanks

Sara Boschi
  • 77
  • 5

1 Answers1

0

It can be 2 issues:

  1. The 'self' token does not cover localhost:8080 (with port number) in Safari. But in this case you should have additionally a 2 CSS blocked, not js only.
    To fix just add localhost:8080 to the default-src directive.

  2. Your Apache Tomcat server publish a default CSP via HTTP header. In this case you can't mitigate CSP using the meta tag and have to modify CSP response HTTP header.
    Check do you have a CSP HTTP header published, tutorial is here.

Is this error observed in Safari browser only? What about Chrome/Firefox?

granty
  • 7,234
  • 1
  • 14
  • 21
  • Thanks, I tried to create a custom Filter to define my own CSP but it looks like it is ignored. Filter is executed but in response I found a completely different CSP. It looks. like apache tomcat is overriding my custom filter. – Sara Boschi Feb 07 '21 at 10:43
  • You do not need to create custom Filter in Tomcat since you already have CSP published somewhere. Check the framework you do use, may be it publishes default CSP header. – granty Feb 07 '21 at 11:33