Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Content Security Policy not allowing form submission

Please I need assistance here. I have a form to submit to another url but when I try to submit it, it refuses to submit and I was checking my console.

On Chrome, I see the following errors

resources2.aspx?HCCID=75694719&culture=en-US&mlcv=3006&template=5:7 Refused to load the image 'https://s4.mylivechat.com/livechat2/images/sprite.png' because it violates the following Content Security Policy directive: "img-src 'self' data:".

Refused to send form data to 'https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx' because it violates the following Content Security Policy directive: "form-action 'self'".

and on Mozilla Firefox I see the following:

Content Security Policy: The page’s settings blocked the loading of a resource at https://s4.mylivechat.com/livechat2/images/sprite.png (“img-src http://smehelp.themarketplace.ng data:”)

Content Security Policy: The page’s settings blocked the loading of a resource at http://smehelp.themarketplace.ng/purchase/summary (“form-action 'self'”).

Checking around the web for solution, I have added the following to my page header

        <meta http-equiv="Content-Security-Policy" content="form-action 'self'">

but the problem still persists.

This results in the fact that I am not able to submit my forms. Earlier, the forms used to get submitted, but I just tried it today and observed this error.

I am running on Google Chrome Version 55.0.2883.95 (64-bit) on a MAC OS.

I will appreciate any suggestion to solve this issue as soon as possible.

Thank you

like image 306
Josh Avatar asked Jan 30 '17 18:01

Josh


People also ask

How do I enable Content-Security-Policy?

To enable CSP for instrumented applications, you add the following required directives in the Content-Security-Policy header: script-src. connect-src.

How do I know if CSP is enabled?

Once the page source is shown, find out whether a CSP is present in a meta tag. Conduct a find (Ctrl-F on Windows, Cmd-F on Mac) and search for the term “Content-Security-Policy”. If “Content-Security-Policy” is found, the CSP will be the code that comes after that term.

Is Content-Security-Policy deprecated?

CSP provides mechanisms to websites to restrict content that browsers will be allowed to load. X-Content-Security-Policy and X-Webkit-CSP HTTP headers are deprecated to implement CSP.


1 Answers

You are passing the Content-Security-Policy value in your response header:

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline'

The content security policy that you've added to the page meta will be ignored as this is present in the response header.

You will need to make the following additions (in bold) to your CSP that you are sending in your response header.

base-uri 'none'; default-src 'self' https://s4.mylivechat.com; child-src 'none'; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action 'self' https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; frame-ancestors 'none'; img-src 'self' data: https://s4.mylivechat.com; media-src 'self'; object-src 'none'; script-src 'self' https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com 'unsafe-inline';

  • Add https://s4.mylivechat.com to img-src
  • Add https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx to form-action
  • Remove <meta http-equiv="Content-Security-Policy" content="form-action 'self'"> from your HTML code
like image 147
Anand Bhat Avatar answered Sep 25 '22 04:09

Anand Bhat