
G'day Developer Superheroes!

I'm using `default-src 'none'` to block everything that's not explicitly whitelisted elsewhere in the CSP. The only thing I'm struggling with is external HTML loaded by the Stripe payment processor and the ShareThis social sharing buttons.

Typical violations are `htm` and `html` URLs:

```
https://t.sharethis.com/a/t_.htm
https://js.stripe.com/v3/m-outer-ff599b5032b79ea1f89ba5416bea26e6.html
```

I can't figure out the correct policy directive/resource type to allow `htm` and `html` URLs.

I'm trying to avoid adding these to `default-src`.

Can you please offer guidance or suggestions that might work?

My question is unique in that the suggested duplicate does not identify the correct directive to allow `htm` and `html` URLs.

Much Thanks!

  • Does this answer your question? [How does Content Security Policy (CSP) work?](https://stackoverflow.com/questions/30280370/how-does-content-security-policy-csp-work) – Peter Krebs Jun 04 '21 at 12:32
  • The `htm` and `html` URLs you showed should be covered by the `frame-src` directive. But you are able to figure it out exactly; just check the browser console. Firefox: `Content Security Policy: The page's settings blocked the loading of a resource at https://example.com/page.php ("frame-src")`. Chrome: `Refused to frame 'https://example.com/page.php' because it violates the following Content Security Policy directive: "frame-src 'none'"`. Both violation messages relate to the `frame-src` directive. – granty Jun 04 '21 at 20:42
  • Thanks for the info and recommendation, @granty I'll use the `frame-src` directive as you suggested. Before asking this question, Firefox dev console reported these `htm` and `html` URLs had violated my `default-src 'none'` directive. Hopefully, the `frame-src` suggestion will work. BIG thanks, @granty . – born2excite Jun 05 '21 at 13:11
  • If some fallback directive is omitted, the [nearest fallback](https://csplite.com/csp62/#final_fallback) (`default-src` finally) is used, therefore it's shown as the [violated-directive](https://csplite.com/csp66/#violated-directive). You can use a trick: add all unused fallback directives with the `'none'` key. This is the full list: `child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src 'none'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src 'none'; style-src 'none'; worker-src 'none';`, just remove the directives used in your CSP. – granty Jun 05 '21 at 14:57
  • I tried adding the `htm` and `html` URLs to the `frame-src` directive but continued getting CSP violations. I'm happy to report that adding the `htm` and `html` URLs to the `child-src` directive fixed the problem. No more violations now. Why didn't this work when adding to the `frame-src` directive? Maybe it has something to do with browser support. I believe in CSP Level 2 `frame-src` was deprecated in favour of the `child-src` directive. Then CSP Level 3 un-deprecated `frame-src`. Maybe not all browsers have caught up with the change. I appreciate your help, @granty – born2excite Jun 06 '21 at 07:37
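The comments above turn on two mechanisms: the CSP Level 3 fallback chain (`frame-src` falls back to `child-src`, then to `default-src`, which is why the console names `default-src` as the violated directive) and how a source expression in the chosen directive is matched against a URL. The script below is an added example, not code from the question, the comments, or any browser; it reproduces both mechanisms for the two URLs quoted in the question so you can see which directive a browser will report and whether a given source list admits the frame before you ship the header. It assumes a constructed page origin `https://shop.example` for `'self'`, implements a subset of source-expression matching (scheme-source, host-source with wildcard host, port and path, `'self'`, `'none'`, `*`; nonces and hashes are out of scope), and generalizes beyond `frame-src` to the other fetch directives by the same fallback rule.

```python
"""Added example (not from the question or any browser): resolve which CSP
directive governs a load and whether its source list allows the URL.
Follows the CSP Level 3 fallback chain and a subset of source matching."""
from urllib.parse import urlsplit

# CSP3 fallback chains (first directive present in the policy wins).
# Every other fetch directive falls back straight to default-src.
FALLBACK = {
    "frame-src": ("frame-src", "child-src", "default-src"),
    "worker-src": ("worker-src", "child-src", "script-src", "default-src"),
    "child-src": ("child-src", "default-src"),
}
DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """'default-src 'none'; frame-src a b' -> {'default-src': ["'none'"], 'frame-src': ['a', 'b']}"""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def governing_directive(policy, directive):
    """Name of the directive the browser enforces (and reports) for this fetch type."""
    for name in FALLBACK.get(directive, (directive, "default-src")):
        if name in policy:
            return name
    return None  # nothing in the policy restricts this fetch type


def _host_source_matches(expr, url, page):
    """[scheme://]host[:port][/path], per the CSP3 host-source matching rules."""
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = page.scheme, expr  # schemeless expression inherits the page's scheme
    # An http: expression also matches https: (scheme upgrade), not the other way round.
    if url.scheme != scheme and not (scheme == "http" and url.scheme == "https"):
        return False
    host_port, slash, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    host = host.lower()
    if host.startswith("*."):
        if not (url.hostname or "").endswith(host[1:]):
            return False
    elif url.hostname != host:
        return False
    url_port = url.port or DEFAULT_PORT.get(url.scheme)
    if port == "*":
        pass
    elif port:
        if url_port != int(port):
            return False
    elif url_port != DEFAULT_PORT.get(url.scheme):  # no port given: URL must use the default
        return False
    if slash:
        path = "/" + path
        # Trailing slash means prefix match; otherwise the path must match exactly.
        return url.path.startswith(path) if path.endswith("/") else url.path == path
    return True


def source_matches(expr, url, page_origin):
    url, page = urlsplit(url), urlsplit(page_origin)
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (url.scheme, url.hostname, url.port or DEFAULT_PORT.get(url.scheme)) == \
               (page.scheme, page.hostname, page.port or DEFAULT_PORT.get(page.scheme))
    if e == "*":
        return url.scheme not in ("data", "blob", "filesystem")
    if e.endswith(":") and "/" not in e:  # scheme-source such as https:
        return url.scheme == e[:-1]
    if e.startswith("'"):  # nonces, hashes, 'unsafe-*': not modelled in this example
        return False
    return _host_source_matches(expr, url, page)


def check(header, directive, url, page_origin="https://shop.example"):
    """Return (directive the browser reports, allowed?) for one load."""
    policy = parse_csp(header)
    name = governing_directive(policy, directive)
    if name is None:
        return None, True
    return name, any(source_matches(s, url, page_origin) for s in policy[name])


if __name__ == "__main__":
    # The two URLs from the question; page origin above is constructed.
    STRIPE = "https://js.stripe.com/v3/m-outer-ff599b5032b79ea1f89ba5416bea26e6.html"
    SHARE = "https://t.sharethis.com/a/t_.htm"
    for header in (
        "default-src 'none'",
        "default-src 'none'; frame-src https://js.stripe.com https://t.sharethis.com",
        "default-src 'none'; child-src https://js.stripe.com https://t.sharethis.com",
        "default-src 'none'; frame-src 'none'; child-src 'none'; img-src 'none'",
    ):
        for url in (STRIPE, SHARE):
            print(f"{header!r:85} frame {url.split('/')[2]:18} -> {check(header, 'frame-src', url)}")
```

Two details worth checking in your own header: a host-source with a path and no trailing slash (`https://js.stripe.com/v3`) matches only that exact path, so the Stripe frame URL needs `https://js.stripe.com/v3/` or the bare host; and once every unused fetch directive carries `'none'`, as suggested in the comments, the reported directive becomes the specific one (`frame-src`) rather than `default-src`, which is what makes the console message actionable.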
