Content Security Policy (CSP)

Hi,

On the recommendation of the Content Security Policy (CSP), we added a policy on the web server and our domain stopped opening in Firefox and Safari browsers, while Google Chrome opens normally. Then we removed the style-src-elem and script-src-elem directives and added the 'self' value to the script-src and style-src directives. The problem for Safari and Firefox was solved, but mobile devices don't open our site with any browser.

What can you advise?

 

Here is value of CSP

 

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' *.site.com; img-src 'self' data: *.tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' *.site.com; frame-ancestors 'self'; form-action 'self'; object-src 'none'


1 comment

Hello Dmitry!

You need to check your CSP policy against ours. When our policy is set, the app works fine in browsers on mobile devices.

Our policy:

img-src data: *.tile.openstreetmap.org 'self' http://*.creatio.com https://*.bpmonline.com https://*.creatio.com http://*.bpmonline.com ; script-src 'unsafe-eval' 'self' 'unsafe-inline' ; connect-src 'self' http://*.creatio.com https://*.bpmonline.com wss://*.bpmonline.com:* wss://tsagent-1-11:88 https://*.creatio.com http://*.bpmonline.com ws://tsagent-1-11:88 ; form-action 'self' ; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com ; script-src-elem 'self' 'unsafe-inline' connect.facebook.net/en_US/all.js ; child-src 'self' http://*.creatio.com https://*.creatio.com ; frame-src 'self' http://*.creatio.com https://*.bpmonline.com https://*.creatio.com http://*.bpmonline.com ; media-src 'self' ; style-src-attr 'self' 'unsafe-inline' ; frame-ancestors 'self' ; font-src 'self' data: https://fonts.gstatic.com ; worker-src 'self' ; manifest-src 'self' ; script-src-attr 'self' 'unsafe-inline' ; prefetch-src 'self' ; style-src 'self' 'unsafe-inline' ; object-src 'none'
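"Check your policy against ours" is easier to do mechanically than by eye, because a directive that is absent from a policy is not unrestricted: under CSP Level 3 it is governed by a fallback directive (script-src-elem falls back to script-src, worker-src to child-src then script-src, and most fetch directives finally to default-src). The script below is an added example for this thread, not code from Creatio or from either post. It parses both policies exactly as they appear above, resolves each directive to the one that actually governs it, and reports only the directives whose effective source lists differ. The fallback chains are the published CSP3 ones; the two policy strings are copied from the thread.

```python
"""Parse two Content-Security-Policy values and report where they differ.

Added example for this thread; not part of Creatio's product or of the
original posts. The policies are copied from the thread. The fallback chain
follows CSP Level 3, so an absent script-src-elem is governed by script-src,
and an absent script-src by default-src.
"""
from __future__ import annotations

# CSP3 fallback chains: when a directive is absent, the first directive in
# its chain that is present governs that request type. Navigation/document
# directives (frame-ancestors, form-action) never fall back to default-src.
FALLBACK_CHAIN: dict[str, list[str]] = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "child-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "manifest-src": ["default-src"],
    "prefetch-src": ["default-src"],
    "frame-ancestors": [],
    "form-action": [],
    "default-src": [],
}

# The asker's policy and the vendor's policy, as posted in the thread.
USER_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; child-src 'self' *.site.com; "
    "img-src 'self' data: *.tile.openstreetmap.org; font-src 'self' data:; "
    "connect-src 'self' *.site.com; frame-ancestors 'self'; "
    "form-action 'self'; object-src 'none'"
)
VENDOR_POLICY = (
    "img-src data: *.tile.openstreetmap.org 'self' http://*.creatio.com https://*.bpmonline.com https://*.creatio.com http://*.bpmonline.com ; "
    "script-src 'unsafe-eval' 'self' 'unsafe-inline' ; "
    "connect-src 'self' http://*.creatio.com https://*.bpmonline.com wss://*.bpmonline.com:* wss://tsagent-1-11:88 https://*.creatio.com http://*.bpmonline.com ws://tsagent-1-11:88 ; "
    "form-action 'self' ; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com ; "
    "script-src-elem 'self' 'unsafe-inline' connect.facebook.net/en_US/all.js ; "
    "child-src 'self' http://*.creatio.com https://*.creatio.com ; "
    "frame-src 'self' http://*.creatio.com https://*.bpmonline.com https://*.creatio.com http://*.bpmonline.com ; "
    "media-src 'self' ; style-src-attr 'self' 'unsafe-inline' ; frame-ancestors 'self' ; "
    "font-src 'self' data: https://fonts.gstatic.com ; worker-src 'self' ; manifest-src 'self' ; "
    "script-src-attr 'self' 'unsafe-inline' ; prefetch-src 'self' ; "
    "style-src 'self' 'unsafe-inline' ; object-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are separated by ';'. The first token of each is the
    directive name (case-insensitive); the remaining tokens are sources.
    A repeated directive is ignored, as browsers do; the first one wins.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return (governing directive, its sources), or None if nothing governs it."""
    for name in [directive, *FALLBACK_CHAIN.get(directive, ["default-src"])]:
        if name in policy:
            return name, policy[name]
    return None


def diff_policies(a: dict[str, list[str]], b: dict[str, list[str]]) -> dict:
    """Compare the effective sources of every known directive in a and b.

    Only directives whose effective source sets differ are reported, so a
    directive that is written differently but resolves to the same sources
    (e.g. an absent script-src-elem that inherits from script-src) is skipped.
    """
    report: dict[str, dict] = {}
    for directive in FALLBACK_CHAIN:
        ea, eb = effective_sources(a, directive), effective_sources(b, directive)
        src_a = set(ea[1]) if ea else set()
        src_b = set(eb[1]) if eb else set()
        if src_a != src_b:
            report[directive] = {
                "governed_by": (ea[0] if ea else None, eb[0] if eb else None),
                "only_in_a": sorted(src_a - src_b),
                "only_in_b": sorted(src_b - src_a),
            }
    return report


if __name__ == "__main__":
    for directive, info in diff_policies(parse_csp(USER_POLICY), parse_csp(VENDOR_POLICY)).items():
        print(f"{directive} (yours: {info['governed_by'][0]}, vendor: {info['governed_by'][1]})")
        print(f"  only in yours:  {info['only_in_a']}")
        print(f"  only in vendor: {info['only_in_b']}")
```

Run it with the two policies and it lists, per directive, which policy governs the request type in each header and which source expressions are missing on either side (for example the vendor's font-src allows https://fonts.gstatic.com and its script-src-elem is explicit rather than inherited). A source that resolves through default-src in one policy and is listed explicitly in the other is still compared by its effective value, which is what matters to the browser.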
