My team is currently working to prevent clickjacking attacks and would like to add the frame-ancestors directive to our application. We have an Angular app that is served by Yarn. The directive we want to activate is Content-Security-Policy: frame-ancestors 'self'.
We have tried adding frame-ancestors to the meta tag of our index.html page but we receive a warning that this has no effect:
We have also found options to configure it on the server side but there is no information for how to do that with Yarn.
How can we activate Content-Security-Policy: frame-ancestors 'self' in an Angular application?
Related
I am working on a twitch extension and I have created an API externally for the app to connect to. I've had this error now for roughly two days and I can't seem to find a solution to it.
Refused to connect to 'https://community.shadowmont.com/oauth/GetUserProfileDetails' because it violates the following Content Security Policy directive: "connect-src 'self' https://lgqt8zmxwk4v3ubxobrmy8r2f49uc1.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://www.google-analytics.com https://stats.g.doubleclick.net".
The front end is JavaScript / HTML and it's trying to connect to an MVC5 API. I've Googled around for the answer and most posts say to add a meta-tag to the header, but no matter what I try, this does not solve the issue. I'm at a point now where I am not sure what to do.
One of the posts I found told me to add
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:; default-src 'self' http://XX.XX.XX.XX:8084/mypp/">
But this didn't work.
You need to add any External Domains you connect to in the "Allowlist for URL Fetching Domains" in the Dev Console for your Extension. The same goes for External Media or Images.
Extensions utilise a CSP or Content Security Policy to control/limit/protect Extensions from connecting to unexpected things.
Twitch DOES NOT support the meta tag version of this, as it is less secure. It is overriden/set by the Twitch Extensions CDN Server Headers for security reasons.
To populate these parameters,
Visit the Developer Console.
Manage Your Extension
Manage the Version of the Extension you are working on
Click Capabilities
Scroll to Allowlist for URL Fetching Domains at the bottom.
Add in the URL's as needed.
Further reading
https://dev.twitch.tv/docs/extensions#restrictions-on-content
https://discuss.dev.twitch.tv/t/new-extensions-policy-for-content-security-policy-csp-directives-and-timeline-for-enforcement/33695/
For testing under local test there is this NodeJS Module which you can use as is or copy the relevant logic into your own local test system which will save you having to jump to hosted test/local test too much.
I'm trying to implement a youtube player in my web application. For this i have used the following react library
react-youtube
https://github.com/troybetz/react-youtube
I have implemented it and working in the localhost without any issue. But it stops working in the production build. It gives out an error like the following
Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
What causes this and how can i fix this?
This is most likely because your production server is only allowing you to embed scripts which is coming from its own origin, or script-src 'self'.
This is done using the Content-Security-Policy either as a response header, HTML meta tag or manifest.json file. Please check with the network inspector where this CSP is set. If you are running on a CloudFront or other content network you need to configure it to allow it.
You need to extend this to allow YouTube, eg. extending it like script-src 'self' youtube.com;
Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at <Google Analytics and Content-Security-Policy header > do not indicate that anyone is getting within-website Analytics data and that thread is based on an outdated Google script.
The thread at <Google analytics.js and Content Security Policy > is for an app, not a website, no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread <Google analytics Universal code not tracking > but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?
Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103 ) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.
One or the other:
either Adsense
either a restrictive CSP
But not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
No. As of today [8 Sep 16]. We disabled CSP as Google frame source was domain specific -> frame-src : … google.co.uk google.co.fr ...
Using below code works for me :
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'
Or log all error with report-uri for add sources to your CSP.
JSON will POST to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self';
report-uri: https://example.com/csp/log.php;
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all javascript in (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)
Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in <H5BP.com>'s .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at <Google Analytics and Content-Security-Policy header > do not indicate that anyone is getting within-website Analytics data and that thread is based on an outdated Google script.
The thread at <Google analytics.js and Content Security Policy > is for an app, not a website, no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread <Google analytics Universal code not tracking > but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model <.htaccess>, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?
Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the Adsense scripts can be loading something that loads, which in turn loads etc. And given the thousands (at the time of writing: 3103 ) 3rd party advertising networks they can use, there simply is no reasonable nor practicable way for us to ever know what all of them could be needing for the ads to function. So to restrict where you're going to let images, flash, javascript etc. be loaded from if you want to have Adsense just is not going to happen.
One or the other:
either Adsense
either a restrictive CSP
But not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
No. As of today [8 Sep 16]. We disabled CSP as Google frame source was domain specific -> frame-src : … google.co.uk google.co.fr ...
Using below code works for me :
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'
Or log all error with report-uri for add sources to your CSP.
JSON will POST to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self';
report-uri: https://example.com/csp/log.php;
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all javascript in (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)
I'm trying to load an external site in an iframe for my Firefox visitors. The external page is loaded with javascript, and I would like this to be stripped out. For Chrome, the HTML5 sandbox="" works perfectly, and with IE the security="restricted" does the job just fine. With Firefox, I'm struggling.
I've been using the CSP policy directive as described here, but I can't seem to get the right configuration. The following line will load the page, but the javascript on the external site still loads.
header("X-Content-Security-Policy: allow 'self'; object-src 'self'; script-src 'self'; frame-src *.externalsite.com; img-src 'self'");
I've tried dozens of other configurations and seem to have hit a brick wall. Will this work with the CSP directive? Should I look somewhere else to allow an external site to load in an iframe sans javascript in Firefox? Is this even possible in Firefox?