Set Content-Security-Policy via htaccess

Forum Moderators: phranque

Message Too Old, No Replies

Set Content-Security-Policy via htaccess

keyplyr

1:12 am on Aug 16, 2017 (gmt 0)

Objective is to block 3rd party script or content injection, but allow scripts from my site and Adsense.

There are various versions of a CSP. This is the code Google recommends:

Header set Content-Security-Policy "script-src 'self' https://apis.google.com"

[developers.google.com...]

When installed, it displays properly in response headers and passes Google's CSP Evaluator: [csp-evaluator.withgoogle.com...] It also passes validation by the Moz Observatory: [observatory.mozilla.org...]
and Secarma: [securityheaders.io...]

The collateral damage of above CSP is that it blocks my JavaScripts & Adsense code from displaying, which is contrary to what I'm trying to accomplish.

I already have numerous other security features installed and am not looking for alternatives. I'm trying to determine how to get this header directive to work as intended. Thanks.

phranque

1:21 am on Aug 16, 2017 (gmt 0)

are you using a CDN?
are you serving your js resources from the same hostname as the page's url?
have you included the proper hostname of the adsense api server in the Header directive?

TorontoBoy

1:22 am on Aug 16, 2017 (gmt 0)

The CSP whitelists specific sites you tell it. If you forget a site it will not return that site's info to the viewer's browser. All 3d party sites are also banned because the CSP cannot verify it. CSPs need to be specifically designed for an individual site. I have to maintain many sites on my server, so a CSP through htaccess would not work. It does reduce cross site scripting xss risk.

My site's Google translate was shut down when I implemented a CSP. Apparently Google Translate is 3d party, so a browser will reject its content.

I implemented CSP in the header, specific to each site.

Observatory.mozilla.org does not analyze CSP properly. It is a confirmed bug. They are working on it.

keyplyr

1:31 am on Aug 16, 2017 (gmt 0)

aare you using a CDN?
are you serving your js resources from the same hostname as the page's url?
have you included the proper hostname of the adsense api server in the Header directive?

No CDN, same source (self) for all content, Yes, again, the Adsense address is what Google says to use.

Thanks TorontoBoy, I understand all that. I know how it works. I have read a dozen articles from all the authorities. My issue is getting the code to work as intended.

Thanks for the info about Google translate. Good, I block it anyway :)

I implemented CSP in the header, specific to each site.

Do you use

script-src 'self'

I even tried using the full URL of my site, but my scripts were still blocked.

keyplyr

8:28 pm on Aug 16, 2017 (gmt 0)

Anyone use Adsense and use a CSP header set via htaccess ?

TorontoBoy

10:01 pm on Aug 16, 2017 (gmt 0)

To check your CSP with Adsense. load up your modern browser and start your debugger. On your console look for errors. CSP errors will be clearly displayed.

It may be that Google implemented Adsense through a 3d party Google site and would be automatically blocked by the CSP. CSP whitelisting only works for sites directly called by your site. I know this is how Google Translate was banned from my site.

keyplyr

10:25 pm on Aug 16, 2017 (gmt 0)

Thanks TorontoBoy as I said, I've done all that. First I ran report-only. No errors. Then I ran it through the above mentioned validators, no errors.

Besides blocking Adsense, it also blocks *my* scripts coming from the same location... which 'self' should cover, but it's not.

The problem may be with my shared hosting config.