Content-Security-Policy for a WordPress website.

Content-Security-Policy for a WordPress website.

Jason Long
Hello,
When I added "Header set Content-Security-Policy "default-src 'self';"" to "httpd.conf" then my website style and some graphical features are disabled.
Why?

Thank you.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Content-Security-Policy for a WordPress website.

John Iliffe
Are you sure the header is coded properly?

I've never used it but here is an example:

        Content-Security-Policy: default-src 'self'

Note there are no ' "" ' around the default-src.

My reference is:
         https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Regards,

John
============================================
On Thu, 2020-09-17 at 19:27 +0000, Jason Long wrote:

> Hello,
> When I added "Header set Content-Security-Policy "default-src
> 'self';"" to "httpd.conf" then my website style and some graphical
> features are disable.
> Why?
>
> Thank you.
>
>


Re: Content-Security-Policy for a WordPress website.

Jason Long
How can I be sure?
Syntax is: Header set Content-Security-Policy default-src 'self'

On Friday, September 18, 2020, 12:06:27 AM GMT+4:30, John <[hidden email]> wrote:

Are you sure the header is coded properly?

I've never used it but here is an example:

    Content-Security-Policy: default-src 'self'

Note there are no ' "" ' around the default-src.

My reference is:
    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Regards,

John
============================================
On Thu, 2020-09-17 at 19:27 +0000, Jason Long wrote:

> Hello,
> When I added "Header set Content-Security-Policy "default-src
> 'self';"" to "httpd.conf" then my website style and some graphical
> features are disable.
> Why?
>
> Thank you.
>

Re: Content-Security-Policy for a WordPress website.

Jim Albert
In reply to this post by Jason Long
On 9/17/2020 3:27 PM, Jason Long wrote:
> Hello,
> When I added "Header set Content-Security-Policy "default-src 'self';"" to "httpd.conf" then my website style and some graphical features are disable.
> Why?
>
> Thank you.
>
>

Use your browser's developer tools (usually F12) to view your console
errors and warnings. The console will tell you what content your CSP
might be blocking.
Until you have your CSP set properly you can use a report only CSP
header to report what's getting blocked without actually blocking it.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Jim


Re: Content-Security-Policy for a WordPress website.

Jim Albert
On 9/17/2020 4:17 PM, Jim Albert wrote:

> On 9/17/2020 3:27 PM, Jason Long wrote:
>> Hello,
>> When I added "Header set Content-Security-Policy "default-src
>> 'self';"" to "httpd.conf" then my website style and some graphical
>> features are disable.
>> Why?
>>
>> Thank you.
>>
>>
>
> Use your browser's developer tools (usually F12) to view your console
> errors and warnings. The console will tell you what content your CSP
> might be blocking.
> Until you have your CSP set properly you can use a report only CSP
> header to report what's getting blocked without actually blocking it.
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only 
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>

Sorry.. I should have phrased the above as:
"Until you have your CSP set properly you can use a report only CSP
header to report what's in violation of your CSP without actually
blocking it."

Jim
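
Added example, not part of the original thread: one way to act on the report-only suggestion above is to collect the violation reports the browser sends and group them by directive and source, so each external source a theme or plugin loads can be reviewed before the policy is enforced. The reports, hostnames and the /csp-report endpoint below are constructed for illustration.

```javascript
// Constructed sample reports, in the JSON shape browsers POST to a report-uri
// endpoint. They assume a header such as (endpoint path is hypothetical):
//   Header set Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report"
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://blog.example/", "effective-directive": "style-src-elem", "blocked-uri": "https://fonts.googleapis.com/css?family=Lato" } },
  { "csp-report": { "document-uri": "https://blog.example/", "effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/lato/v1/x.woff2" } },
  { "csp-report": { "document-uri": "https://blog.example/", "violated-directive": "default-src 'self'", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://blog.example/about/", "effective-directive": "img-src", "blocked-uri": "https://secure.gravatar.com/avatar/0?s=64" } },
  { "csp-report": { "document-uri": "https://blog.example/about/", "effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com/s/lato/v1/y.woff2" } },
  { "not-a-report": true }, // malformed body, must be skipped
];

// Reduce a blocked-uri to what a CSP source expression would need: a URL
// becomes its origin (or bare scheme); keywords such as "inline" stay as is.
function sourceOf(blockedUri) {
  try {
    const u = new URL(blockedUri);
    return u.protocol === "http:" || u.protocol === "https:" ? u.origin : u.protocol;
  } catch {
    return blockedUri || "(empty)";
  }
}

// Group violations as directive -> source -> count. Report endpoints accept
// unauthenticated input, so use prototype-less objects for the untrusted keys.
function summarize(reports) {
  const summary = Object.create(null);
  for (const body of reports) {
    const r = body && body["csp-report"];
    if (!r || typeof r !== "object") continue;
    const directive = r["effective-directive"] || r["violated-directive"];
    if (typeof directive !== "string" || !directive.trim()) continue;
    // violated-directive may carry the full directive text; keep only its name.
    const name = directive.trim().split(/\s+/)[0];
    const src = sourceOf(String(r["blocked-uri"] || ""));
    summary[name] = summary[name] || Object.create(null);
    summary[name][src] = (summary[name][src] || 0) + 1;
  }
  return summary;
}

console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
```

The output is a review list, not a policy: each source still has to be judged before it is added to the enforced header.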
