Content Security Policy (CSP)



On the recommendation of the Content Security Policy (CSP), we added a policy on the web server and our domain stopped opening in the Firefox and Safari browsers, while Google Chrome opens it normally. Then we removed the style-src-elem and script-src-elem directives and added the 'self' value to the script-src and style-src directives. The problem for Safari and Firefox was solved, but mobile devices don't open our site in any browser.

What can you advise?


Here is the value of the CSP:


default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' *; img-src 'self' data: *; font-src 'self' data:; connect-src 'self' *; frame-ancestors 'self'; form-action 'self'; object-src 'none'


1 comment

Hello Dmitry!

You need to check your CSP policy against ours. When our policy is set, the app works fine in browsers on mobile devices.

Our policy:
img-src data: * 'self' http://* https://* https://* http://* ; script-src 'unsafe-eval' 'self' 'unsafe-inline' ; connect-src 'self' http://* https://* wss://** wss://tsagent-1-11:88 https://* http://* ws://tsagent-1-11:88 ; form-action 'self' ; style-src-elem 'self' 'unsafe-inline' ; script-src-elem 'self' 'unsafe-inline' ; child-src 'self' http://* https://* ; frame-src 'self' http://* https://* https://* http://* ; media-src 'self' ; style-src-attr 'self' 'unsafe-inline' ; frame-ancestors 'self' ; font-src 'self' data: ; worker-src 'self' ; manifest-src 'self' ; script-src-attr 'self' 'unsafe-inline' ; prefetch-src 'self' ; style-src 'self' 'unsafe-inline' ; object-src 'none'
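The comparison the reply asks for is easier to do mechanically than by eye, because in CSP Level 3 a load is governed by the most specific directive present, with a fixed fallback chain (script-src-elem falls back to script-src and then default-src; worker-src falls back to child-src, then script-src, then default-src; form-action and frame-ancestors never fall back). The script below is an added example, not code from either post: it parses both header values quoted in this thread, reports which directive actually governs each kind of load under each policy, and flags -elem/-attr directives whose effective source list lacks 'self'. The asker's original broken header is not shown in the thread, so the `FIRST_ATTEMPT` policy is a constructed reproduction of what the question describes (elem directives present but without 'self'), labelled as such in the code.

```python
"""Added example: parse Content-Security-Policy header values and work out
which directive governs each load once CSP Level 3 fallback is applied."""

# Fallback chain per directive (CSP Level 3). The first directive in the
# list that is present in the policy governs the load; if none is present,
# CSP places no restriction on that load.
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}
# Navigation directives are governed only by themselves.
NO_FALLBACK = {"form-action", "frame-ancestors", "base-uri", "sandbox"}
SCRIPT_STYLE = ["script-src-elem", "script-src-attr", "style-src-elem", "style-src-attr"]


def parse_csp(header: str) -> dict:
    """Split a header value into {directive: [source expressions]}.
    Directive names are case-insensitive; a repeated directive is ignored
    because the first occurrence wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return (governing_directive, sources) following the fallback chain;
    (None, None) means the policy does not restrict this load at all."""
    chain = [directive] if directive in NO_FALLBACK else FALLBACK.get(
        directive, [directive, "default-src"])
    for name in chain:
        if name in policy:
            return name, list(policy[name])
    return None, None


def directives_missing_self(policy: dict, directives) -> list:
    """Directives whose effective source list lacks 'self', i.e. where the
    site's own scripts or styles would be blocked."""
    missing = []
    for d in directives:
        _, sources = effective_sources(policy, d)
        if sources is not None and "'self'" not in sources:
            missing.append(d)
    return missing


def compare_policies(a: dict, b: dict, directives) -> dict:
    """Directives whose effective source sets differ between policies a and b."""
    diff = {}
    for d in directives:
        _, sa = effective_sources(a, d)
        _, sb = effective_sources(b, d)
        if (None if sa is None else set(sa)) != (None if sb is None else set(sb)):
            diff[d] = (sa, sb)
    return diff


# The policy posted in the question (works on desktop, not on mobile).
ASKER_POLICY = parse_csp(
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; child-src 'self' *; img-src 'self' data: *; "
    "font-src 'self' data:; connect-src 'self' *; frame-ancestors 'self'; "
    "form-action 'self'; object-src 'none'")

# The policy posted in the reply (note: no default-src at all).
REPLY_POLICY = parse_csp(
    "img-src data: * 'self' http://* https://* https://* http://* ; "
    "script-src 'unsafe-eval' 'self' 'unsafe-inline' ; "
    "connect-src 'self' http://* https://* wss://** wss://tsagent-1-11:88 https://* "
    "http://* ws://tsagent-1-11:88 ; form-action 'self' ; "
    "style-src-elem 'self' 'unsafe-inline' ; script-src-elem 'self' 'unsafe-inline' ; "
    "child-src 'self' http://* https://* ; frame-src 'self' http://* https://* https://* http://* ; "
    "media-src 'self' ; style-src-attr 'self' 'unsafe-inline' ; frame-ancestors 'self' ; "
    "font-src 'self' data: ; worker-src 'self' ; manifest-src 'self' ; "
    "script-src-attr 'self' 'unsafe-inline' ; prefetch-src 'self' ; "
    "style-src 'self' 'unsafe-inline' ; object-src 'none'")

# Constructed reproduction of the first attempt the question describes:
# -elem directives present but without 'self'. Not the asker's real header.
FIRST_ATTEMPT = parse_csp(
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "script-src-elem 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
    "style-src-elem 'unsafe-inline'")

if __name__ == "__main__":
    print("first attempt, missing 'self':", directives_missing_self(FIRST_ATTEMPT, SCRIPT_STYLE))
    print("posted policy, missing 'self':", directives_missing_self(ASKER_POLICY, SCRIPT_STYLE))
    for d in SCRIPT_STYLE + ["worker-src", "frame-src", "connect-src", "base-uri"]:
        print(f"{d:16} asker={effective_sources(ASKER_POLICY, d)} reply={effective_sources(REPLY_POLICY, d)}")
    print("differences:", compare_policies(ASKER_POLICY, REPLY_POLICY, SCRIPT_STYLE + ["worker-src", "connect-src"]))
```

The first-attempt reproduction explains the desktop symptom: a browser that understands script-src-elem uses it instead of script-src, so without 'self' the site's own scripts are refused, while a browser that does not know the directive falls through to script-src and keeps working. The same tool shows the remaining gaps between the two posted policies, for example worker-src (governed by child-src 'self' * in the question's policy, by an explicit worker-src 'self' in the reply's) and connect-src (a bare * versus the explicit scheme list). Check the mobile browser's console or a report-uri/report-to endpoint for the directive named in the violation report rather than guessing.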
