The site says that frame-src is deprecated in favour of child-src when this is not the case

According to the W3C child-src is deprecated in favour of frame-src and worker-src

W3C: https://w3c.github.io/webappsec-csp/#directive-child-src

It would be great to provide a simple instruction that people can use for generating sha256 for their code. For example:

$ echo -n 'box-shadow: none; border: 0px;' | openssl dgst -sha256 -binary | base64

Hi everyone,

because I was sick of reverse-engineering CSP rules every time I integrate a new service into my web projects, I started a list of CSP rules for common cloud services. Just a quick note if someone is looking for Content Security Policy rules and finds this repository.

You can find the list here: https://github.com/jonashaag/content-security-policy-rules and on http://content-security-policy.org

https://www.w3.org/TR/CSP2/#directive-base-uri

I would also suggest adding base-uri 'none'; to the examples because it does not fallback to default-src.

This would be useful to prevent confusion around changes to frame-src being deprecated then un-deprecated.
https://w3c.github.io/webappsec-csp/

Thanks.

Hi,

https://content-security-policy.com/
The site is not using Meta tag probably using server conf .
Using browser console Firefox I can see the CSP line in Response Headers

But if I use Meta tag to set CSP on my testing site I don't see this line .

So I'm wondering does this line is only visible when the CSP is set on the server conf ?
If not, what I am missing ?

Note I'm testing locally.

It's not easy to find good documentation on allowing web sockets. https://outlandish.com/blog/configure-content-security-policy-with-websockets-and-express/ claims you need the domain, but connect-src 'self' ws: wss: seems to be working for me.

In order to be able to link to specific parts of the document, it would be nice to have anchors on each paragraph header. This eases referring to parts on the site for documentation purposes.

It would be great to have instructions or link about Spring configuration.

Here is an instruction: https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp and mention that with Spring Boot it's possible to use security.headers.* properties.

It might be helpful to link to further reading, such as:

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
• https://w3c.github.io/webappsec-csp/

There aren't any great resources available for documenting exactly how the CSP reporting API works.

Some advice on how to set this directive, what to expect (from the JSON payload), and what it means would be handy! As well as an explanation of report-uri and report-to directives.

Support for "Content-Security-Policy: sandbox" landed in Firefox last week, but the page on content-security-policy.com claims it is supported in "Firefox 23+", I don't think that can be right.

Example on the site:
script-src 'nonce-r@nd0m'

While nonce is a random string, its character set is limited to base64 characters, so '@' character there does not seem to be allowed:
https://www.w3.org/TR/CSP3/#framework-directive-source-list

I just wanted to give a heads up: the 'frame-src' has been undeprecated, while 'worker-src' has been added to the W3 spec and the child-src has been deprecated (still used as fallback for both 'worker-src' and 'frame-src', which in turn falls back to 'default-src').

Problem

Chrome required unsafe-eval for loading of WebAssembly code. See WebAssembly/content-security-policy#7 and all the linked issues.

Solution

They have now thankfully added a new wasm-eval in w3c/webappsec-csp#293. As it says there, the spec is wrong, reportedly, Chrome/ium 97 accepts wasm-eval while the spec still calls it wasm-unsafe-eval.

More

After all, the issue is so big they draft a whole new spec about that, apparently: https://w3c.github.io/webappsec-csp/

Ironically, I can't load this site in Safari 9.1 (OS X 10.11.4) due to CSP issues:

Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/bootswatch/3.3.6/readable/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self' maxcdn.bootstrapcdn.com fonts.googleapis.com".

Refused to load the stylesheet 'https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/css/font-awesome.min.css' because it violates the following Content Security Policy directive: "style-src 'self' maxcdn.bootstrapcdn.com fonts.googleapis.com".

It looks like maxcdn.bootstrapcdn.com should be allowed by the policy.

I saw this error in console:

Refused to load the stylesheet 'https://cdn.plyr.io/3.5.10/plyr.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

How to fix it?

The CSP level 3 directives seem to be missing:

• script-src-elem
• script-src-attr
• style-src-elem
• style-src-attr

i have follwing issue with my forum
https://i.imgur.com/FRfHKEE.png
i remove my adblocker and trackers

Content Security Policy: Ignore of „'unsafe-inline'“ loaded in script-src: 'strict-dynamic'
Content Security Policy: Ignore of  „https:“ loaded in script-src: 'strict-dynamic'
Content Security Policy: Ignore of  „http:“ loaded in script-src: 'strict-dynamic

@pfreitag
how can i fix it?

as title, you should look into a free CI like TravisCI for such job

OR

you can use GitHub Page that would save you cost and time for maintainance