Jump to content

Content Security Policy (CSP) Problem


tobean

Recommended Posts

Hi,

I have installed Revive in a subdirectory of my domain and it runs without problems since years.

Now I installed some Content Security Policy rules in the .htaccess file for more security. After doing that the maximum number of the impressions of a campaign is 10. Higher numbers cannot be stored and will be corrected to 10. The priority level is also 10. If I reduce the priority level to a lower number, e.g. 1 the campaign can have only 1 impression.

If I disable the Content Security Policy rule a campaign can have any number of impressions I put in.

Has anyone an idea which additional CSP rules I need?

Here is the relevant part of my rule:

Header set Content-Security-Policy "default-src 'self' ; style-src 'self' 'unsafe-inline' ; script-src 'self' 'unsafe-inline' ; img-src 'self'' ;"

Thanks for all ideas

tobean

 

 

Link to comment
Share on other sites

Hi,

here a some more detailed information from the browser console (Filefox).

 

Page: adserver/www/admin/campaign-edit.php

Error messages:

Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). min.php:409:23
Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js:91:142

Uncaught EvalError: call to eval() blocked by CSP (about 20 more messages independant from content security policy declarations)

 

I hope this information will help to fix the problem.

toeban

 

Link to comment
Share on other sites

  • 1 month later...

The message: "Content Security Policy: The page settings have blocked the loading of a resource on eval ("script-src"). xajax.js" means that scripts xajax.js and min.php use eval-expressions. Some locks of eval expressions could be fixed if you have control over scripts.

But following message: "Uncaught EvalError: call to eval() blocked by CSP" leave no chances - the call of eval() function require to use 'unsafe-eval' token in the script-src directive.

Therefore you need at least to have: script-src 'self' 'unsafe-inline'  'unsafe-eval'; in the policy

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...