I have defined my security policy as:
default-src 'self'; script-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline';
(I still have CSS at the head of several pages).
I have no trouble with Firefox or Chrome (IE doesn't support CSP yet) but, when I try testing in Safari, I get a string of errors like:
Refused to load style from 'http://localhost/styles/alliance.css' because of Content-Security-Policy.
...
Refused to load image from 'http://localhost/images/Landing1.jpg' because of Content-Security-Policy.
...
Refused to load script from 'http://localhost/JQuery/jquery-1.7.2.min.js' because of Content-Security-Policy.
The images should be covered by default-src and the other two are listed as "Self" so I don't know why Safari is not accepting my images and scripts. I do not have a Mac so I am using Safari on Windows (5.1.7).
Any ideas? Thank you!
CSP is supported by the current versions of all modern desktop browsers: Safari, Chrome, Firefox, and IE Edge. It is also supported in recent versions of iOS Safari and Chrome for Android.
In the Safari app on your Mac, use Security settings to turn security warnings on or off. Also enable or disable JavaScript. To change these settings, choose Safari > Settings, then click Security.
Safari 5 is a bit behind in its implementation of CSP. Safari 6 is much better, but I don't think it's been released for Windows. I think you're simply seeing implementation bugs. If WebKit nightlies are available for Windows, that might be a good alternative for testing.
Honestly, though, I wouldn't recommend serving the X-WebKit-CSP header to Safari 5. Safari 6, yes, but 5 is a bit too broken to really use.
Note also that you can simplify your policy. Both script-src and frame-src will fall back to default-src. default-src 'self'; style-src 'self' 'unsafe-inline' should have the same effect.
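The fallback described in the answer, as an added example that is not part of the original question or answer: a small JavaScript model of CSP 1.0 source resolution that checks the two policies above are equivalent and evaluates the blocked URLs from the question against 'self'. It assumes CSP 1.0 semantics (every absent fetch directive falls back straight to default-src); newer CSP levels add intermediate fallbacks such as frame-src to child-src, and scheme sources like data: or host wildcards are not modelled.

```javascript
// Added example (not from the original question or answer). Models CSP 1.0
// fallback: a fetch directive that is absent inherits default-src.
// Assumption: no intermediate fallbacks (child-src etc.), no scheme or
// wildcard host sources; 'self', 'none', '*' and literal origins only.

// Parse "dir a b; dir2 c" into Map(directive -> [source expressions]).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources); // first occurrence wins
  }
  return directives;
}

// Effective source list for a fetch directive after default-src fallback.
// null means neither is present, i.e. the policy places no restriction.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Decide whether a resource URL may load on a page served from pageOrigin.
function isAllowed(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((src) => {
    const s = src.replace(/^'|'$/g, "").toLowerCase();
    if (s === "none") return false;
    if (s === "*") return true;
    if (s === "self") return origin === pageOrigin;
    if (s === "unsafe-inline" || s === "unsafe-eval") return false; // not URL sources
    return src.toLowerCase() === origin; // literal origin, e.g. https://cdn.example
  });
}

// True when every listed fetch directive resolves to the same sources under both policies.
function policiesEquivalent(a, b, directives) {
  const da = parsePolicy(a), db = parsePolicy(b);
  return directives.every(
    (d) => JSON.stringify(effectiveSources(da, d)) === JSON.stringify(effectiveSources(db, d))
  );
}
```

With a conforming CSP implementation every URL the question's Safari 5 rejected resolves to 'self' and is allowed, which is why the answer attributes the errors to browser bugs rather than to the policy.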