Content Security Policy: The page's settings blocked the loading of a resource at self?

I have a Java-based web application running on Tomcat 6. My application is running on localhost and port 9001.

To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from same domain.

For other resources it continues to load in the same fashion as it was without this header.

But I am getting the below error.

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").
emilly Avatar asked Oct 31 '15 15:10

1 Answer

The Content Security Policy header is a white list of trusted sources.

The default-src list is the list used by all other *-src lists. If it is not present, the default is default-src: * which means "all content is allowed from anywhere", which does not provide any protection against XSS.

Therefore, you should start with

  • default-src none, so that all content is disallowed, or
  • default-src 'self', so that only content from your domain is allowed.

After that, other *-src can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):

default-src 'self'; img-src example.com;

In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval'; which might be causing the issue since * already implies 'unsafe-inline' and 'unsafe-eval'. It's like saying "allow everything and allow inline and allow eval".

Also note that CSP is supported via the X-Content-Security-Header in IE >= 8.

Sources:

  • http://content-security-policy.com/
  • http://www.w3.org/TR/CSP/
  • http://caniuse.com/#feat=contentsecuritypolicy
kuporific Avatar answered Oct 02 '22 05:10
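A small policy evaluator, added here as an illustration (it is not code from the question or the answer; the page URL http://localhost:9001/ and the resource URLs are constructed), that applies the fallback rule the answer describes: a fetch directive that is present replaces default-src outright, and one that is absent inherits default-src. Running it on the two policies quoted on this page shows that, under the question's policy, script-src 'self' governs scripts on its own, so the 'unsafe-inline' listed in default-src does not apply to inline scripts, while images still fall through to *; under the answer's policy, images are allowed from example.com but not from 'self'. Source-expression matching is simplified to the cases the page discusses.

```python
"""Resolve which CSP source list governs a fetch and whether it is allowed.

Constructed illustration, not code from the question, the answer or any
browser. Source-expression matching is simplified to what the page
discusses: 'self', 'none', 'unsafe-inline', '*' and host sources with an
optional scheme, a leading "*." wildcard and a port.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "child-src", "frame-src",
}

# Policies taken from the page; the page URL is an assumption.
PAGE_URL = "http://localhost:9001/"
ASKER_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'"
ANSWER_POLICY = "default-src 'self'; img-src example.com;"


def parse_csp(policy):
    """Split a header value into {directive-name: [source expressions]}."""
    directives = {}
    for token_list in policy.split(";"):
        tokens = token_list.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:  # browsers ignore a repeated directive
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives, directive):
    """Return the source list that applies, or None if nothing restricts it."""
    if directive in directives:
        return directives[directive]  # replaces default-src entirely
    if directive in FETCH_DIRECTIVES and "default-src" in directives:
        return directives["default-src"]
    return None


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    port = url.port if url.port is not None else (443 if url.scheme == "https" else 80)
    return (url.scheme, url.hostname, port)


def _host_source_matches(source, url, page_scheme):
    """Match a host-source such as example.com, *.cdn.net:8443 or https://a.b."""
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = page_scheme, source  # no scheme given: use the page's
    rest = rest.split("/", 1)[0]            # drop any path part
    host, _, port = rest.partition(":")
    host, scheme = host.lower(), scheme.lower()
    u_scheme, u_host, u_port = _origin(url)
    if u_scheme != scheme:
        return False
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):   # "*.example.com" -> ".example.com"
            return False
    elif u_host != host:
        return False
    if port == "*":
        return True
    expected = int(port) if port else (443 if scheme == "https" else 80)
    return u_port == expected


def is_allowed(policy, directive, page_url, resource):
    """resource is a URL, or the string "inline" for an inline script/style."""
    sources = effective_sources(parse_csp(policy), directive)
    if sources is None:
        return True
    quoted = {s.lower() for s in sources if s.startswith("'")}
    if resource == "inline":
        return "'unsafe-inline'" in quoted
    if "'none'" in quoted:
        return False
    page, url = urlparse(page_url), urlparse(resource)
    if "*" in sources and url.scheme in ("http", "https"):
        return True
    if "'self'" in quoted and _origin(url) == _origin(page):
        return True
    hosts = [s for s in sources if not s.startswith("'") and s != "*"]
    return any(_host_source_matches(s, url, page.scheme) for s in hosts)


if __name__ == "__main__":
    checks = [
        (ASKER_POLICY, "script-src", "http://localhost:9001/js/app.js"),
        (ASKER_POLICY, "script-src", "inline"),
        (ASKER_POLICY, "img-src", "http://cdn.example.com/a.png"),
        (ANSWER_POLICY, "img-src", "http://localhost:9001/logo.png"),
        (ANSWER_POLICY, "img-src", "http://example.com/logo.png"),
        (ANSWER_POLICY, "script-src", "https://cdn.example.net/x.js"),
    ]
    for policy, directive, resource in checks:
        verdict = is_allowed(policy, directive, PAGE_URL, resource)
        print(f"{directive:10} {resource:36} -> {verdict}")
```

The inline case is the one to watch when adding a narrower script-src on top of a permissive default-src: whatever default-src lists is ignored for scripts the moment script-src is present, so any inline script or event handler on the page must itself be covered by script-src (or moved into an external same-origin file).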