Unrecognized Content-Security-Policy directive

I noticed after updating to Google Chrome (21.0.1180.89) I'm getting a lot of errors in the developer tab, especially if I visit my own phpMyAdmin site.

They are all the same and are some sort of security against Cross-Site Scripting; is there anything I can do to resolve them?

Unrecognized Content-Security-Policy directive 'allow'. 
Unrecognized Content-Security-Policy directive 'options'. 
drsect0r asked Sep 05 '12 23:09



1 Answer

The allow and options directives are both part of Mozilla's original definition of Content Security Policy. Chrome implements the current W3C standard, which has made several changes from Mozilla's original proposal.

  • allow has been replaced with default-src, and sets a default source list for the other CSP directives.
  • options has been replaced with 'unsafe-inline' and 'unsafe-eval' (with the single-quotes) sources on either the script-src or style-src directives.

Both of those old-style directives still work in Firefox, using the X-Content-Security-Policy header. If a website delivers a WebKit-prefixed header (X-WebKit-CSP), it should use the current standard.

Note that WebKit has implemented the unprefixed header (Content-Security-Policy) in trunk, and it should be rolling out to stable WebKit-based browsers over the next few months. If you're not already setting the canonical header, now is a good time to start thinking about it. :)

Mike West answered Jan 02 '23 10:01
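As an added example (not code from the answer or from phpMyAdmin), a small Python translator that rewrites a legacy Mozilla-syntax policy into the W3C syntax the answer describes and builds the three headers it mentions. It assumes Mozilla's legacy `options` keywords `inline-script` and `eval-script` and a constructed sample policy; because `script-src` overrides `default-src`, the translated `script-src` must carry the `default-src` sources as well as the new keyword, or external scripts that the old `allow` permitted would be blocked.

```python
# Legacy Mozilla directive -> W3C CSP directive (the answer's first bullet).
LEGACY_DIRECTIVE_MAP = {"allow": "default-src"}
# Legacy Mozilla 'options' keywords -> W3C source keywords (second bullet).
# inline-script / eval-script are Mozilla's original keyword names.
LEGACY_OPTION_MAP = {"inline-script": "'unsafe-inline'", "eval-script": "'unsafe-eval'"}


def parse_policy(header_value):
    """Split a policy string into an ordered dict of directive -> list of sources."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def translate_legacy_policy(legacy_value):
    """Rewrite an X-Content-Security-Policy (Mozilla syntax) value into W3C syntax."""
    legacy = parse_policy(legacy_value)
    policy = {}
    for name, sources in legacy.items():
        if name == "options":
            continue  # folded into script-src below
        policy[LEGACY_DIRECTIVE_MAP.get(name, name)] = list(sources)
    for opt in legacy.get("options", []):
        keyword = LEGACY_OPTION_MAP.get(opt.lower())
        if keyword is None:
            raise ValueError(f"unknown legacy option: {opt}")
        # script-src replaces default-src entirely for scripts, so seed it with
        # the default-src sources before adding the new keyword.
        srcs = policy.setdefault("script-src", list(policy.get("default-src", [])))
        if keyword not in srcs:
            srcs.append(keyword)
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in policy.items())


def csp_headers(legacy_value):
    """Header set to send while browsers converge: legacy, WebKit-prefixed and canonical."""
    standard = translate_legacy_policy(legacy_value)
    return {
        "X-Content-Security-Policy": legacy_value,  # Firefox of the time, legacy syntax
        "X-WebKit-CSP": standard,                   # prefixed WebKit/Chrome header, W3C syntax
        "Content-Security-Policy": standard,        # canonical unprefixed header
    }


# Constructed sample policy in the old Mozilla syntax.
SAMPLE_LEGACY = "allow 'self' https://cdn.example; options inline-script eval-script; img-src *"
```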