How to block google ads from injecting JavaScript - javascript

Some Google ads start injecting JavaScript and popping ads all over the screen.
How can I block these random scripts that are injected through Google ads?

This is not perfect, but it seems to be very effective in my case (all pages are SSL) and also prevents SSL mixed-mode messages caused by Google ads' third-party plugin scripts...
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; object-src 'none'">
Content-Security-Policy is critical to prevent mixed content errors (too many errors can make the browser show "connection not secure", and cause memory leaks).
https://blog.cloudflare.com/fixing-the-mixed-content-problem-with-automatic-https-rewrites and
How does Content Security Policy work?

Related

Twitch extension - Refused to connect to external API

I am working on a twitch extension and I have created an API externally for the app to connect to. I've had this error now for roughly two days and I can't seem to find a solution to it.
Refused to connect to 'https://community.shadowmont.com/oauth/GetUserProfileDetails' because it violates the following Content Security Policy directive: "connect-src 'self' https://lgqt8zmxwk4v3ubxobrmy8r2f49uc1.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://www.google-analytics.com https://stats.g.doubleclick.net".
The front end is JavaScript / HTML and it's trying to connect to an MVC5 API. I've Googled around for the answer and most posts say to add a meta-tag to the header, but no matter what I try, this does not solve the issue. I'm at a point now where I am not sure what to do.
One of the posts I found told me to add
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:; default-src 'self' http://XX.XX.XX.XX:8084/mypp/">
But this didn't work.
You need to add any External Domains you connect to in the "Allowlist for URL Fetching Domains" in the Dev Console for your Extension. The same goes for External Media or Images.
Extensions utilise a CSP or Content Security Policy to control/limit/protect Extensions from connecting to unexpected things.
Twitch DOES NOT support the meta tag version of this, as it is less secure. It is overridden/set by the Twitch Extensions CDN server headers for security reasons.
To populate these parameters,
Visit the Developer Console.
Manage Your Extension
Manage the Version of the Extension you are working on
Click Capabilities
Scroll to Allowlist for URL Fetching Domains at the bottom.
Add in the URLs as needed.
Further reading
https://dev.twitch.tv/docs/extensions#restrictions-on-content
https://discuss.dev.twitch.tv/t/new-extensions-policy-for-content-security-policy-csp-directives-and-timeline-for-enforcement/33695/
For testing under local test, there is this NodeJS module, which you can use as is or copy the relevant logic from into your own local test system; this will save you having to jump between hosted test and local test too much.

Disabling content security policy of a Web page via a Chrome Extension

I'm creating a Chrome Extension which modifies a script served by the server (which I have no control over) to add new functionality to the website, and I had the following idea:
Block the original script via WebRequest, webRequestBlocking.
Send the url of the blocked script to a script injected into the page.
GET this url from the page's script.
Edit a part of the code (string).
Eval the string.
(Another working way is to redirect it to a local modified script, return { redirectUrl: chrome.extension.getURL("modified.js") };, inside the Chrome Extension folder, but then it's impossible to modify it on the fly; that's why I want to eval a modified script.)
When I try to eval the string in the 5th step, it says: ...'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com".
I've tried to use webRequest.onHeadersReceived to see if I could alter CSP headers (as some answers suggested: Edit Content Security Policy in onHeadersReceived), but there is no "content-security-policy" header.
I can see a Content Security Policy meta tag (I've omitted everything except 'script-src'):
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-DFX4zDtBDF32343LjE2DFKMs' 'self' https://website.com; base-uri 'none';">
From this answer (https://stackoverflow.com/a/27324485/10364842), Chrome Extensions cannot override CSP of Web pages. But someone replies: I know this is incredibly old, but I came across it while trying to inject Artoo.js into a page. The chrome extension does indeed allow you to modify the page you're looking at and let any content through.
Eval works in the content script, but I need to execute the script in the page's context, because it depends on the global scope.
I'm wondering if it's possible to alter CSP of a Web page through a Chrome Extension, or if there is any other way to accomplish this solely via a Chrome extension?
"Extensions have a content security policy applied to them by default. The default policy restricts the sources from which they can load and resources, and disallows potentially unsafe practices such as the use of eval(). See Default content security policy to learn more about the implications of this.
You can use the "content_security_policy" manifest key to loosen or tighten the default policy. This key is specified in just the same way as the Content-Security-Policy HTTP header. See Using Content Security Policy for a general description of CSP syntax." https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

Google adsense and content security policy [duplicate]

Does anyone know how to get CSP, even with the default-src wildcard, to work so a modern Analytics script sends website per-page data (not just home page data) to the site owner's account and so AdSense ads appear?
I tried many variations of CSP for my website, including that proposed in H5BP.com's .htaccess file, but all blocked Google Analytics from producing per-page data (except for the home page) and Google AdSense from accepting ads on any page.
Google's machines did not see the Analytics script although Google's humans always saw it in my website source code. Even setting CSP default-src to the asterisk wildcard failed.
Asking at a Google forum and a non-Google forum got nothing that worked except that people said the problem was with my CSP and I received one email that said that I should comment CSP out completely. That last worked. Commenting out should be no better than default-src wildcard but commenting out is the only way I got ads and inside-the-website data.
I posted to Google about a month ago about the incompatibility but no answer refuted that (https://www.en.advertisercommunity.com/t5/Code-Implementation/content-security-policy-and-Analytics-and-likely-AdSense/m-p/491031).
The Stack Overflow answers at "Google Analytics and Content-Security-Policy header" do not indicate that anyone is getting within-website Analytics data, and that thread is based on an outdated Google script.
The thread at "Google analytics.js and Content Security Policy" is for an app, not a website; no one there reported getting within-website Analytics data, and my efforts failed even with the maximally permissive CSP.
A solution is in the thread "Google analytics Universal code not tracking", but the solution is limited to setting CSP to reporting, not blocking, which is not of much use to me.
No Stack Overflow thread is about CSP and AdSense. When I proposed that H5BP tell users about this in their model .htaccess, their respondent said it works for him and referred me to you.
As a check on advice, is anyone seeing that page-specific data in their own Google Analytics account and seeing AdSense ads while running .htaccess CSP?
Adsense
For Google adsense, e.g. this CSP "works":
Content-Security-Policy: frame-ancestors 'self';
It prevents your page being framed without putting limits on what your page can do. Hence its XSS protection is nonexistent.
But the AdSense scripts can load something that loads something else, which in turn loads more, etc. And given the thousands (at the time of writing: 3103) of 3rd-party advertising networks they can use, there simply is no reasonable or practicable way for us to ever know what all of them could need for the ads to function. So restricting where you're going to let images, Flash, JavaScript etc. be loaded from, if you want to have AdSense, is just not going to happen.
One or the other: either AdSense or a restrictive CSP, but not both.
Analytics
is another matter, already covered in other replies. [not a user]
CSP policies
Potential authors of permissive CSP policies need to be reminded that e.g. https: and * do not include permission for unsafe-inline nor data: sources. I've seen quite a few places around the web where authors assume they do.
While writing policies it might be better to put a report-only one up first.
The header is named "Content-Security-Policy-Report-Only" instead of "Content-Security-Policy" and it'll not stop anything, just do the reporting part in json to the specified destination. See here: https://developers.google.com/web/fundamentals/security/csp/#report-only
No. As of today [8 Sep 16], we disabled CSP, as the Google frame source was domain specific -> frame-src: … google.co.uk google.co.fr ...
Using the code below works for me:
default-src 'self' googleads.g.doubleclick.net;
script-src 'self' 'unsafe-inline' data: pagead2.googlesyndication.com storage.googleapis.com googleads.g.doubleclick.net ajax.googleapis.com;
img-src 'self' data: storage.googleapis.com pagead2.googlesyndication.com;
style-src 'self' 'unsafe-inline';
font-src 'self' fonts.googleapis.com; frame-ancestors 'self'; object-src 'self'
Or log all errors with report-uri to find the sources to add to your CSP.
The browser will POST a JSON report to that URL (https://example.com/csp/log.php).
Content-Security-Policy: default-src 'self'; report-uri https://example.com/csp/log.php
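An added example (not from the answer above, and not any project's code) of what the receiving end of that report-uri can do with the JSON: aggregate the reports by directive and blocked origin so you can see which sources the policy is missing. The sample reports are constructed; the function names are hypothetical, but the "csp-report" wrapper and field names are the format browsers actually send.

```javascript
// Added example: aggregate CSP violation reports POSTed to a report-uri
// endpoint into candidate sources per directive (Node.js, no dependencies).
// Constructed sample reports, shaped like what a browser POSTs to report-uri.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://example.com/page1",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js" } },
  { "csp-report": { "document-uri": "https://example.com/page1",
      "effective-directive": "img-src", "violated-directive": "img-src 'self'",
      "blocked-uri": "https://pagead2.googlesyndication.com/pagead/images/x.png" } },
  { "csp-report": { "document-uri": "https://example.com/page2",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://example.com/page2",
      "effective-directive": "script-src", "violated-directive": "script-src 'self'",
      "blocked-uri": "eval" } },
];
// Map a blocked-uri to the CSP source expression that would allow it.
// "inline" and "eval" are keyword-style values; URLs are reduced to an origin
// so the suggestion is a host, never a single file path.
function sourceFor(blockedUri) {
  if (blockedUri === "inline") return "'unsafe-inline'";
  if (blockedUri === "eval") return "'unsafe-eval'";
  if (blockedUri === "data" || blockedUri === "blob") return blockedUri + ":";
  try {
    return new URL(blockedUri).origin;
  } catch (e) {
    return null; // unparsable value: skip it rather than guess
  }
}
// Aggregate: { directive: { source: count } }.
function summarize(reports) {
  const out = {};
  for (const r of reports) {
    const body = r["csp-report"];
    if (!body) continue;
    const directive = body["effective-directive"]
      || (body["violated-directive"] || "").split(" ")[0];
    const src = sourceFor(body["blocked-uri"] || "");
    if (!directive || !src) continue;
    out[directive] = out[directive] || {};
    out[directive][src] = (out[directive][src] || 0) + 1;
  }
  return out;
}
// Per-directive source lists, flagging keyword sources ('unsafe-inline',
// 'unsafe-eval') that weaken the policy and need a human decision, not a copy-paste.
function suggestDirectives(summary) {
  return Object.entries(summary).map(([directive, sources]) => {
    const list = Object.keys(sources).sort();
    return { directive, sources: list, needsReview: list.filter(s => s.startsWith("'unsafe-")) };
  });
}
```

Run it over the real reports your endpoint stores and add only the origins you recognise; an 'unsafe-inline' or 'unsafe-eval' entry in needsReview is a reason to move that script into a file, not to loosen the policy.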
With strict CSP 3, and nonces, I think this is possible but I don't have the ability to test as we don't use AdSense.
1.) Put all JavaScript (GA, AdSense, etc.) in .js files. No inline JS.
2.) Use the proposed "strict" CSP: https://csp.withgoogle.com/docs/strict-csp.html
3.) Include the .js files as you normally include any file, but add a nonce:
<script src="/mygooganalytics.js" nonce="[your nonce here]"></script>
The effect should be that anything originating from mygooganalytics.js will be allowed. Nonces are generally created by server-side code (php, ruby, etc.), but if this is outside of your app/in a regular old html file you can generate a nonce using your server. If you happen to use Apache: Generate a nonce with Apache 2.4 (for a Content Security Policy header)

Google Ads not showing when my site is inside an iFrame

I'm building a web application (a web site) which has a feature where you can embed it inside your own web site (using an iframe).
So, my app has Google Ads, and sometimes when it is embedded inside another site (inside an iFrame) it doesn't show ads; I mean, ads are being rendered, but sometimes that HTML from Google is blank.
I'm concerned about the Google Ads policy of not using iFrames to show ads, but I'm not using iframes to show them; my app is just inside another site as a feature.
My question is: can this be done, or by that policy won't I be able to show ads in my embed feature?
EDIT 1
This is the content which Google is rendering (inside another iframe of another iframe):
<html>
<head>
</head>
<body style="background-color:transparent" marginwidth="0" marginheight="0">
</body>
</html>
and also, I'm getting an error on the console:
Blocked a frame with origin "http://googleads.g.doubleclick.net" from
accessing a frame with origin "http://example.com". Protocols,
domains, and ports must match.
where "example.com" is some site that is using my feature
EDIT 2
So, I stepped into the Network tab of the console and watched what it was calling. It does a GET to
http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-XXXX.... with 200 OK always, but sometimes it returns just the blank HTML (posted above) and sometimes the actual HTML with an ad.
One more thing I didn't mention: I'm using the new async Beta method, not the sync one, so I'm thinking of trying the sync one and seeing what happens.
You might try loading the page outside an IFRAME and run network capture on the traffic to/from Google. Explore the response headers - they might be using X-Frame-Options to prevent illicit click activity on ads. There's likely very little you can do about it aside from doing a server-side request and embedding the response HTML yourself. This will dramatically slow down your page loads and might violate your ad agreement.
EDIT:
After reading your follow-up testing, it sounds more like your site just doesn't meet the criteria of enough ad campaigns to serve ads with every request. I'd look at Google's FAQs or marketing information to find out how often ads are served or why you might not be getting ads on every request. Remember, the ads are for the benefit of the advertiser and they have good tools to make sure their ads are specifically targeted to the right audience to maximize their return. Your site just might not meet enough criteria to get many ads.
EDIT 2: A quick Google search turned up this FAQ for why Ads might not be showing. They seem geared to why ads don't show at all, not intermittent appearance.
