
Content Security Policy: This site (*) has a Report-Only policy without a report URI.

Discussion in 'Security' started by postcd, Sep 26, 2022.

  1. #1
    Hello,

    the Firefox v.102 dev console shows the warning from the title of this post, while the .htaccess is:

    Header always set X-Xss-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy strict-origin-when-cross-origin
    Header set Content-Security-Policy-Report-Only "style-src *.tawk.to fonts.googleapis.com cdn.jsdelivr.net"
    Header set Content-Security-Policy-Report-Only "script-src *.tawk.to cdn.jsdelivr.net"
    Header set Content-Security-Policy-Report-Only "frame-src *.tawk.to"
    Header set Content-Security-Policy-Report-Only "font-src *.tawk.to fonts.gstatic.com"
    Header set Content-Security-Policy-Report-Only "img-src *.tawk.to cdn.jsdelivr.net tawk.link"
    Header set Content-Security-Policy-Report-Only "connect-src *.tawk.to wss://*.tawk.to"

    Do you have an idea how to do the policy better so it does not warn me?
    My site is WordPress. I wanted some simple policy with good protection and to whitelist a few external elements.
     
    postcd, Sep 26, 2022 IP
  2. #2
    So you are using the HTTP header that was designed only to report errors to the specified URI and haven't provided this required report-uri...
     
    wmtips, Sep 28, 2022 IP
  3. #3
    Yes, I know that. I need to know how else these lines can look so they allow some external elements without reporting.
     
    postcd, Sep 28, 2022 IP
  4. #4
    If you need to enforce these directives, you need to replace "Content-Security-Policy-Report-Only" with "Content-Security-Policy".

    As a reference, you can see how it is implemented on other sites. For example, looking at the response headers of opensubtitles.com we can see:
    P.S. Note that although multiple CSP headers are allowed, there are some caveats and it is better to have only one Content-Security-Policy header.
     
    Last edited: Sep 30, 2022
    wmtips, Sep 30, 2022 IP
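The single-header form that post #4 recommends, written out as an added example (not code from the thread or from any poster) using the sources listed in post #1. Assumptions that are mine, not the thread's: default-src 'self' as the fallback for any fetch type not named, 'self' added to each list so the site's own files stay allowed, and /csp-report as a placeholder reporting endpoint.

```apache
# Added example (not from the thread). One enforcing policy built from the
# directives in post #1. With Apache mod_headers, each "Header set" of the
# same header name replaces the previous value, so the six separate
# Report-Only lines in the original .htaccess never reach the browser
# together anyway; merging them into one value is the fix.
# Assumed: default-src 'self' fallback and 'self' in every source list.
Header always set Content-Security-Policy "\
default-src 'self'; \
script-src 'self' *.tawk.to cdn.jsdelivr.net; \
style-src 'self' *.tawk.to fonts.googleapis.com cdn.jsdelivr.net; \
font-src 'self' *.tawk.to fonts.gstatic.com; \
img-src 'self' *.tawk.to cdn.jsdelivr.net tawk.link; \
frame-src *.tawk.to; \
connect-src 'self' *.tawk.to wss://*.tawk.to"
```

Roll it out under the Content-Security-Policy-Report-Only name first with `; report-uri /csp-report` (assumed endpoint) appended to the same value, since WordPress themes and plugins commonly emit inline scripts and styles that this policy blocks until they are hashed or moved to files. Firefox's warning goes away either once a reporting directive is present or once the header is switched to the enforcing name.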