I have Java-based based web application running on Tomcat 6. My application is running on localhost and port 9001.
To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy
with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from same domain.
For other resources it continues to load in the same fashion as it was without this header.
But I am getting the below error.
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").
The Content Security Policy (CSP) prevents the evaluation of arbitrary strings as JavaScript to make it more difficult for an attacker to inject unauthorized code on your site. To solve this issue, avoid using eval() , new Function() , setTimeout([string], ...) and setInterval([string], ...) for evaluating strings.
Click the extension icon to disable Content-Security-Policy header for the tab. Click the extension icon again to re-enable Content-Security-Policy header. Use this only as a last resort. Disabling Content-Security-Policy means disabling features designed to protect you from cross-site scripting.
What does blocked:csp mean? You may be seeing blocked:csp in Chrome developer tools when the browser is trying to load a resource. It might show up in the status column as (blocked:csp) CSP stands for Content Security Policy, and it is a browser security mechanism.
Turn off the CSP for your entire browser in Firefox by disabling security. csp. enable in the about:config menu.
The Content Security Policy header is a white list of trusted sources.
The default-src
list is the list used by all other *-src
lists. If it is not present, the default is default-src: *
which means "all content is allowed from anywhere", which does not provide any protection against XSS.
Therefore, you should start with
default-src none
, so that all content is disallowed, or default-src 'self'
, so that only content from your domain is allowed. After that, other *-src
can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):
default-src 'self'; img-src example.com;
In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval';
which might be causing the issue since *
already implies 'unsafe-inline'
and 'unsafe-eval'
. It's like saying "allow everything and allow inline and allow eval".
Also note that CSP is supported via the X-Content-Security-Header
in IE >= 8.
Sources:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With