

Set Content-Security-Policy via htaccess

1:12 am on Aug 16, 2017 (gmt 0)
keyplyr (Moderator from US)


Objective is to block 3rd party script or content injection, but allow scripts from my site and Adsense.

There are various versions of a CSP. This is the code Google recommends:
Header set Content-Security-Policy "script-src 'self' https://apis.google.com"
[developers.google.com...]

When installed, it displays properly in response headers and passes Google's CSP Evaluator: [csp-evaluator.withgoogle.com...] It also passes validation by the Moz Observatory: [observatory.mozilla.org...]
and Secarma: [securityheaders.io...]

The collateral damage of above CSP is that it blocks my JavaScripts & Adsense code from displaying, which is contrary to what I'm trying to accomplish.

I already have numerous other security features installed and am not looking for alternatives. I'm trying to determine how to get this header directive to work as intended. Thanks.
1:21 am on Aug 16, 2017 (gmt 0)
phranque (Administrator)


are you using a CDN?
are you serving your js resources from the same hostname as the page's url?
have you included the proper hostname of the adsense api server in the Header directive?
1:22 am on Aug 16, 2017 (gmt 0)
TorontoBoy (Junior Member from CA)


The CSP whitelists specific sites you tell it. If you forget a site it will not return that site's info to the viewer's browser. All 3rd-party sites are also banned because the CSP cannot verify them. CSPs need to be specifically designed for an individual site. I have to maintain many sites on my server, so a CSP through htaccess would not work. It does reduce cross-site scripting (XSS) risk.

My site's Google Translate was shut down when I implemented a CSP. Apparently Google Translate is 3rd party, so a browser will reject its content.

I implemented CSP in the header, specific to each site.

Observatory.mozilla.org does not analyze CSP properly. It is a confirmed bug. They are working on it.
1:31 am on Aug 16, 2017 (gmt 0)
keyplyr (Moderator from US)


are you using a CDN?
are you serving your js resources from the same hostname as the page's url?
have you included the proper hostname of the adsense api server in the Header directive?
No CDN, same source (self) for all content, Yes, again, the Adsense address is what Google says to use.

Thanks TorontoBoy, I understand all that. I know how it works. I have read a dozen articles from all the authorities. My issue is getting the code to work as intended.

Thanks for the info about Google translate. Good, I block it anyway :)

I implemented CSP in the header, specific to each site.
Do you use
script-src 'self'?

I even tried using the full URL of my site, but my scripts were still blocked.
8:28 pm on Aug 16, 2017 (gmt 0)
keyplyr (Moderator from US)


Anyone use Adsense and use a CSP header set via htaccess ?
10:01 pm on Aug 16, 2017 (gmt 0)
TorontoBoy (Junior Member from CA)


To check your CSP with Adsense, load up your modern browser and start your debugger. On your console look for errors. CSP errors will be clearly displayed.

It may be that Google implemented Adsense through a 3rd-party Google site that would be automatically blocked by the CSP. CSP whitelisting only works for sites directly called by your site. I know this is how Google Translate was banned from my site.
10:25 pm on Aug 16, 2017 (gmt 0)
keyplyr (Moderator from US)


Thanks TorontoBoy, as I said, I've done all that. First I ran report-only. No errors. Then I ran it through the above mentioned validators, no errors.

Besides blocking Adsense, it also blocks *my* scripts coming from the same location... which 'self' should cover, but it's not.

The problem may be with my shared hosting config.
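A way to reason about why 'self' and the listed host can still leave scripts blocked, as an added example that is not code from the thread or from Google's documentation: it parses the header quoted in the first post and checks script URLs against its script-src the way a browser would (exact origin for 'self', scheme/host/port for host sources, no URL match for inline scripts). The page URL, the script URLs and the ad-network host are constructed assumptions, since the thread names none of them.

```python
from urllib.parse import urlparse

# Constructed sample: the header from the thread, an assumed page URL, and script URLs to check (the ad host is a placeholder).
CSP = "script-src 'self' https://apis.google.com"
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_SCRIPTS = [
    "https://www.example.com/js/site.js",           # own script, same origin as the page
    "http://www.example.com/js/site.js",            # own host, but plain http
    "https://example.com/js/site.js",               # own site, bare host instead of www
    "https://apis.google.com/js/platform.js",       # the host the header lists
    "https://ads.placeholder-network.test/ads.js",  # placeholder for the ad script host
]

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url, page_url):
    """Does one script-src source expression allow a script fetched from `url`?"""
    def origin(u):  # (scheme, host, effective port)
        return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)
    u, p = urlparse(url), urlparse(page_url)
    if expr == "'self'":
        # 'self' is the document's exact origin (scheme, host, port): http on an https page, or example.com vs www.example.com, is blocked
        return origin(u) == origin(p)
    if expr.startswith("'"):
        return False  # 'unsafe-inline', 'none', nonces and hashes never match a URL
    if "://" not in expr:
        expr = p.scheme + "://" + expr  # scheme-less host-source takes the page's scheme
    e = urlparse(expr)
    host_ok = u.hostname == e.hostname or (
        e.hostname.startswith("*.") and u.hostname.endswith(e.hostname[1:]))
    path_ok = not e.path or e.path == "/" or u.path.startswith(e.path)
    return host_ok and path_ok and origin(u)[::2] == origin(e)[::2]  # scheme and port

def allowed_scripts(header, page_url, urls):
    """Map each script URL to whether script-src (falling back to default-src) allows it."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return {url: any(source_matches(s, url, page_url) for s in sources) for url in urls}

def inline_scripts_allowed(header):
    """Inline <script> blocks need 'unsafe-inline', a nonce or a hash; 'self' never covers them."""
    sources = parse_csp(header).get("script-src", [])
    return any(s == "'unsafe-inline'" or s.startswith(("'nonce-", "'sha")) for s in sources)
```

Running `allowed_scripts(CSP, PAGE_URL, SAMPLE_SCRIPTS)` shows that only the same-origin script and apis.google.com pass, and `inline_scripts_allowed(CSP)` is False, which is worth comparing against the blocked-resource messages the browser console reports.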