I have a question on the Content Security Policy using the Play! framework (2.6).
I have added an external library to the project for drawing charts, the javascript file is in the project and the charts are rendering fine.
The problem I am having is my console is spewing out errors left and right. This is the error I keep getting:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-GPjBVmsZjSEoackW5SF7HKgSHcUUBqf1/TJwOl3Co7Y='), or a nonce ('nonce-...') is required to enable inline execution.
While searching for how to fix this problem I came across stuff like including a meta tag in the HTML, which did nothing in Play. I've also tried to put the ContentSecurityHeader in application.conf as explained here: https://www.playframework.com/documentation/2.6.x/SecurityHeaders That also did not work. While developing my project I have also had errors come up regarding default-src 'self'; I presume it will be the same type of fix and it's something to do with configuration that I'm not getting right.
If anyone has had to do this type of configuration before I would love some pointers on how to configure my application properly.
Thanks in advance!
Content-Security-Policy is the name of an HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict resources such as JavaScript, CSS, or pretty much anything else that the browser loads.
Example CSP Header with Java
By referencing the HTTP Servlet API, we can use the addHeader method of the HttpServletResponse object.
response.addHeader("Content-Security-Policy", "default-src 'self'");
Your policy will go inside the second argument of the addHeader method in the example above.
To allow images from a CDN, the following worked for me (Play version 2.6):
play.filters.headers.contentSecurityPolicy = "default-src 'self'; img-src 'self' https://my.img.cdn.com"
The following allowed inline style attributes:
play.filters.headers.contentSecurityPolicy = "default-src 'self'; style-src 'self' 'unsafe-inline'"
However there is a caveat:
Banning inline script is the biggest security win CSP provides, and banning inline style likewise hardens your application. HTML5 Rocks - Content Security Policy (2017-11-18)
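The browser error quoted in the question offers a hash as the alternative to 'unsafe-inline'. The following script is an added example, not part of any answer on this page: it computes the CSP hash source for the text of an inline <style> element, renders the play.filters.headers.contentSecurityPolicy line from the answers above with that hash instead of 'unsafe-inline', and checks whether a given policy would admit a given style block the way a CSP Level 2 browser does (a hash or nonce in the directive makes 'unsafe-inline' ignored). The sample CSS is constructed; the config key is the one used above. Hashes match the text of <style> elements; a style="..." attribute is only matched by a hash when the CSP Level 3 'unsafe-hashes' keyword is also present, so this route helps with a third-party chart library only if its CSS can be moved into a <style> element or a stylesheet served from 'self'.

```python
import base64
import hashlib

# Constructed sample: the text of an inline <style> element exactly as it sits
# between the tags. Whitespace matters, because the browser hashes the raw text.
SAMPLE_STYLE = """
  .chart-tooltip { position: absolute; background: #fff; }
"""

HASH_ALGORITHMS = ("sha256", "sha384", "sha512")


def csp_hash(source: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash source for an inline block, e.g. 'sha256-...'.

    The browser hashes the UTF-8 bytes of the element text and compares the
    base64 digest against the policy; sha256, sha384 and sha512 are permitted.
    """
    if algorithm not in HASH_ALGORITHMS:
        raise ValueError(f"unsupported CSP hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def build_style_src(hashes):
    """Compose a style-src directive allowing 'self' plus the given hashes."""
    return "style-src 'self' " + " ".join(hashes)


def play_csp_setting(directives):
    """Render the application.conf line read by Play 2.6's SecurityHeadersFilter."""
    return f'play.filters.headers.contentSecurityPolicy = "{"; ".join(directives)}"'


def config_for_inline_styles(style_blocks):
    """Full config line that whitelists each inline style block by hash."""
    hashes = [csp_hash(block) for block in style_blocks]
    return play_csp_setting(["default-src 'self'", build_style_src(hashes)])


def style_src_allows(policy: str, source: str) -> bool:
    """Decide whether a policy admits the given inline <style> text.

    Falls back to default-src when style-src is absent, as browsers do, and
    applies the CSP Level 2 rule that 'unsafe-inline' is ignored once a hash
    or nonce source appears in the same directive.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("style-src", directives.get("default-src", []))
    has_hash_or_nonce = any(
        s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    return any(csp_hash(source, alg) in sources for alg in HASH_ALGORITHMS)


if __name__ == "__main__":
    line = config_for_inline_styles([SAMPLE_STYLE])
    print(line)
    policy = line.split('"')[1]
    print("sample block allowed:", style_src_allows(policy, SAMPLE_STYLE))
    # Any edit to the block, even trailing whitespace, invalidates the hash.
    print("edited block allowed:", style_src_allows(policy, SAMPLE_STYLE + " "))
```

Regenerate the hash whenever the inline CSS changes; a stale hash produces exactly the "Refused to apply inline style" error from the question, so wiring this into the build is the practical way to keep 'unsafe-inline' out of the policy.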
Add this line to the application.conf file; that works for me:
play.filters.disabled += "play.filters.headers.SecurityHeadersFilter"