rajdis Posted July 29, 2018 (edited)

After using Content-Security-Policy (CSP), the JavaScripts from other sources are not working properly. What can I do? Part of my .htaccess is:

Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
Header unset Content-Security-Policy
Header set Content-Security-Policy "script-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset X-Content-Security-Policy
Header set X-Content-Security-Policy "default-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset X-WebKit-CSP
Header set X-WebKit-CSP "default-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset Referrer-Policy
Header set Referrer-Policy: strict-origin-when-cross-origin

Edit: The CSS is working.

Edited July 29, 2018 by rajdis
wolstech Posted July 31, 2018

We haven't been paying much attention up here the past few days due to the hack...sorry about that.

Try removing the single quotes around the URLs. Also, try removing all of the URLs except one, and see if the matching script loads (with all others being expected to fail). If so, add a second URL, and repeat.

Also, your site does use inline scripting which is blocked when using CSP, so your site is going to break to an extent even when it works correctly.
rajdis Posted August 1, 2018 Author

I am getting the following error:

17:00:54.506 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://distribure.cf https://apis.google.com https://www.googletagmanager.com https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://cse.google.com”). Source: window.dataLayer = window.dataLayer |.... 1 web_design.php:117

The updated .htaccess is:

Header set Content-Security-Policy "script-src 'self' https://apis.google.com https://www.googletagmanager.com https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://cse.google.com ;"
wolstech Posted August 1, 2018

I did some digging last night and you're not the first to have this issue here...someone else ran into this a while back too. No fix was ever found.

Reports on Google show success sending these using PHP's header() function, perhaps that's an option? Make a file with the code and require() in all relevant pages.
rajdis Posted August 2, 2018 Author

Okay. I will try that. The CSP is currently removed, as I was having too much trouble adding JSPs.
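
Added example, not part of the thread and not code from either poster: a small JavaScript check for the two problems discussed above, quoted URL sources in script-src (first post) and inline scripts blocked by the policy (the error in the third post). The function names and finding labels are illustrative assumptions; the two policy strings are copied from the posts.

```javascript
// Added example: lint the script-src part of a Content-Security-Policy value.
// Policy strings below are copied from the first and third posts of the thread.
const POLICY_FIRST_POST = "script-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'";
const POLICY_UPDATED = "script-src 'self' https://apis.google.com https://www.googletagmanager.com https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://cse.google.com ;";

// Keyword sources must be single-quoted; host and scheme sources must not be.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);

function parseCsp(value) {
  // "name src src; name src" -> Map(name -> [sources]); a repeated directive is ignored.
  const directives = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function lintScriptSrc(value) {
  const directives = parseCsp(value);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  const findings = [];
  if (!sources) return findings; // policy places no restriction on scripts
  let allowsInline = false;
  for (const src of sources) {
    const quoted = /^'.*'$/.test(src);
    const inner = quoted ? src.slice(1, -1) : src;
    if (quoted && /^(nonce-|sha(256|384|512)-)/.test(inner)) {
      allowsInline = true; // a nonce or hash can authorise an inline block
    } else if (quoted && KEYWORDS.has(inner.toLowerCase())) {
      if (inner.toLowerCase() === "unsafe-inline") allowsInline = true;
    } else if (quoted) {
      findings.push(`quoted-source: ${src} is ignored; write it as ${inner}`);
    } else if (KEYWORDS.has(src.toLowerCase())) {
      findings.push(`unquoted-keyword: ${src} is read as a host name; write '${src}'`);
    }
  }
  if (!allowsInline) {
    findings.push("inline-blocked: inline <script> blocks and on* handlers will not run");
  }
  return findings;
}
```

For the first post's policy this reports the five quoted URLs plus the inline block; for the updated policy only the inline block remains, which matches the error quoted for the inline `window.dataLayer` snippet.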