Questions tagged [content-security-policy]

Content Security Policy (CSP) aims to mitigate the risk of cross-site scripting attacks by giving developers fine-grained control over the resources a page is allowed to load and the scripts it is allowed to execute.

Resources:

  • Mozilla Developer Network's short introduction, which includes a basic description of the policy as well as the goals of the policy.
  • A detailed tutorial which includes details on implementation, best practices, use cases, and speculation about the future of CSP.
  • A working draft for the precise specifications of CSP.
  • Information for Chrome Extension developers that includes how CSP affects extensions and other extension-specific information.
  • CSP support in frameworks
2619 questions
406 votes, 3 answers

Content Security Policy "data" not working for base64 Images in Chrome 28

In this simple example, I'm trying to set a CSP header with the meta http-equiv header. I included a base64 image and I'm trying to make Chrome load the image. I thought the data keyword should do that, but somehow it's not working. I just get the…
fwebdev
348 votes, 2 answers

How does Content Security Policy (CSP) work?

I'm getting a bunch of errors in the developer console: Refused to evaluate a string Refused to execute inline script because it violates the following Content Security Policy directive Refused to load the script Refused to load the…
Schlaus
240 votes, 1 answer

What's the purpose of the HTML "nonce" attribute for script and style elements?

W3C says there is a new attribute in HTML5.1 called nonce for style and script that can be used by the Content Security Policy of a website. I googled it but still didn't get what this attribute actually does and what changes when using…
ata
220 votes, 11 answers

Refused to load the script because it violates the following Content Security Policy directive

When I tried to deploy my app onto devices with Android system above 5.0.0 (Lollipop), I kept getting this kind of error message: 07-03 18:39:21.621: D/SystemWebChromeClient(9132): file:///android_asset/www/index.html: Line 0 : Refused to load…
MangooSaSa
174 votes, 9 answers

Content Security Policy: The page's settings blocked the loading of a resource

I am using CAPTCHA on page load, but it is blocking because of some security reason. I am facing this problem: Content Security Policy: The page's settings blocked the loading of a resource at …
Shakti Sharma
124 votes, 7 answers

Refused to apply inline style because it violates the following Content Security Policy directive

So, in about 1 hour my extension failed hard. I was doing my extension and it was doing what I pretended. I made some changes, and as I didn't like them I deleted them, and now my extension is throwing an error: Refused to apply inline style because it…
95 votes, 15 answers

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

I have a web app which uses localStorage. Now we want to embed this web app on other (third-party) sites via iframe. We want to provide an iframe embed similar to YouTube so that other websites can embed our web app in an iframe. Functionally it is…
84 votes, 3 answers

How to override content security policy while including script in browser JS console?

I was trying to include jQuery on an existing website using the console this way: var script = document.createElement('script'); script.src = 'http://code.jquery.com/jquery-1.11.1.min.js'; script.type =…
70 votes, 5 answers

Allow All Content Security Policy?

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's…
joshlf
69 votes, 3 answers

How does Content-Security-Policy work with X-Frame-Options?

Does Content-Security-Policy ignore X-Frame-Options, returned by a server, or is X-Frame-Options still primary? Assuming that I have: a website http://a.com with X-Frame-Options: DENY and a website http://b.com with Content-Security-Policy:…
69 votes, 6 answers

Google Fonts violates Content Security Policy

I'm trying to use Google Fonts and I've never had any problems, but now when I try to add the CSS file in my header I get this error on the console: Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Whatever' because it…
José María
68 votes, 2 answers

Extension refuses to load the script due to Content Security Policy directive

Following is my HTML script code: HTML:

and…
62 votes, 7 answers

Content Security Policy: "img-src 'self' data:"

I have an app in which the user would be able to copy an image URL, paste it into an input, and the image will be loaded in a box. But my app keeps triggering this message: Refused to load the image 'LOREM_IPSUM_URL' because it violates the…
60 votes, 2 answers

Violating Content Security Policy directive after ember-cli 0.0.47 upgrade

I upgraded my ember-cli app to 0.0.47 and am now getting a bunch of errors in my browser console related to the content security policy. How do I fix this issue? Refused to load the script 'http://use.typekit.net/abcdef.js' because it violates the…
Peter Brown
58 votes, 2 answers

CSP style-src: 'unsafe-inline' - is it worth it?

Currently I'm using Modernizr on all my sites and it turns out that because of how it works it requires unsafe-inline styles to be allowed. I am already not allowing inline scripts and unsafe-eval for scripts. Curious as to what security risks there are…
anthony-dandrea