Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Content security policy blocking remote CSS background image

Tags:

css

content-security-policy

A background image loaded from a remote server is being blocked by my CSP with the message

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src * https://xxxxx.com"). Source: background-image: url('https://xxxxx....

Here's my CSP:

<meta http-equiv="Content-Security-Policy" content="default-src * https://xxxxx.com; script-src * 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:">

...where xxxxx is obviously my domain.

I assume it doesn't like url(..., but the CSP spec doesn't seem to consider url() a scheme so I can't see what to do about this. Anyone know?

[UPDATE]

Following @sideshowbarker's comment, I should have pointed out that this call is coming from an inline style attribute (not tag).

like image 794
Mitya Avatar asked Aug 18 '17 11:08

Mitya

1 Answers

That CSP violation message indicates you have inline CSS style content, so you must either move that CSS content to a separate file (and use a link element to reference it) or else you must specify 'unsafe-inline'—for example, by adding a style-src directive to your policy:

<meta http-equiv="Content-Security-Policy"
  content="default-src * https://xxxxx.com;
  script-src * 'unsafe-eval' 'unsafe-inline';
  style-src 'self' 'unsafe-inline';
  img-src 'self' https://xxxxx.com data:">

The reason is, the CSP violation message cited in the question isn’t saying the image in that CSS style content is the problem—it’s just saying you have some inline style content, period.

And as far as CSP is concerned, it doesn’t matter what the inline style content is—it’s just your existing CSP policy doesn’t allow any inline style content all; your existing policy only allows inline scripts, because script-src is the only directive you specified 'unsafe-inline' for.

So if you’re going to keep that inline style content, you mus use 'unsafe-inline' to allow it.

Update: Based on comments below, it seems that once 'unsafe-inline' is added for style-src in this case, it’s also necessary to add https://xxxxx.com for img-src.

All that said, though, once you’ve ended up specifying 'unsafe-inline' for both style content and scripts, it seems like you might be at the point where you need to start considering whether you want to specify a CSP policy at all—because allowing everything inline kind of defeats the purpose of having a CSP policy at all to begin with.

If your goal is to reduce XSS risks, it seems you probably should consider moving all your inline style/script content to separate files, and using <script src> and link to reference those…

like image 115
sideshowbarker Avatar answered Sep 20 '22 12:09

sideshowbarker
Sign in to Comment

Related questions

How to add an empty line in css
Bullet under the list item
How to make marquee text only when it's overflowing?
CSS paged media :last page selector
Equal vertical spacing with a Flexbox column
Add hue to a regular image with CSS
Understanding Render Blocking CSS
add a footer in DT
Bootstrap Navbar collapse point < 768px
Is it better to have multiple media queries or a single media query
css transparent shape over image
target first, even/odd and last element with class, without wrapper, among other elements (nth-of-class behaviour) :)
Media Query is not working in mobile gmail app
Text inside fa-icon
Is it possible to style a CSS class relative to another CSS class (not outer class)?
how can i increase bootstrap modal height
How to add floating action button on the right-bottom side of the screen using material ui in react
make hover effect on different parts of an image, not html but an img
text-align not working on select control on chrome [duplicate]
How to bind CSS 4 custom properties in Angular?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!