Content security policy blocking remote CSS background image -


a background image loaded remote server being blocked csp message

content security policy: page's settings blocked loading of resource @ self ("default-src * https://xxxxx.com"). source: background-image: url('https://xxxxx....

here's csp:

<meta http-equiv="content-security-policy" content="default-src * https://xxxxx.com; script-src * 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:">

...where xxxxx domain.

i assume doesn't url(..., csp spec doesn't seem consider url() scheme can't see this. know?

[update]

following @sideshowbarker's comment, should have pointed out call coming inline style attribute (not tag).

that csp violation message indicates have inline css style content, must either move css content separate file (and use link element reference it) or else must specify 'unsafe-inline'—for example, adding style-src directive policy:

<meta http-equiv="content-security-policy"   content="default-src * https://xxxxx.com;   script-src * 'unsafe-eval' 'unsafe-inline';   style-src 'self' 'unsafe-inline';   img-src 'self' https://xxxxx.com data:">

the reason is, csp violation message cited in question isn’t saying image in css style content specific problem—it’s saying have inline style content, period.

and far csp concerned, doesn’t matter inline style content is—it’s existing csp policy doesn’t allow inline style content all; existing policy allows inline scripts, because script-src directive have 'unsafe-inline' specified for.

so if you’re going keep inline style content, need use 'unsafe-inline' allow it.

update: based on comments below, seems once 'unsafe-inline' added style-src in case, it’s necessary add https://xxxxx.com img-src.

all said, though, once you’ve ended specifying 'unsafe-inline' both style content , scripts, seems might @ point need start considering whether want specify csp policy @ all—because allowing inline kind of defeats purpose of having csp policy @ begin with.

if goal reduce xss risks, seems should consider moving inline style , script content separate files, , using <script src> , link reference those…


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more