Header set Content-Security-Policy


#1

My objective is to block 3rd party script or content injection, but allow scripts from my site and Adsense.

There are various versions of a CSP. This is the code Google recommends:

When installed, it displays properly in response headers and passes Google’s CSP Evaluator, the Moz Observatory and Secarma validators.

The collateral damage of the above CSP is that it blocks my JavaScript & Adsense code from displaying, which is contrary to what I’m trying to accomplish.

I already have numerous other security features installed and am not looking for alternatives. I’m trying to determine how to get this header directive to work as intended. Thanks.


#2

No one here is using Content-Security-Policy (CSP) for the security of their sites? That is difficult to believe. CSP is essential to stop malicious script injection.


#3

I think you didn’t get any answer because you’re not providing enough information. How did you set the CSP? I assume you’re using a custom .htaccess, right? What exactly did you put in there? What exactly is the error you see in apache (do you run Apache?) logs?


#4

Is my OP not displaying for you?


#5

It makes no sense to me why that’s not working. That’s syntactically correct for htaccess and pretty much verbatim from the recommended settings from everything I’ve read. The only suggestion I have is to try also adding a default-src header, but it’s a wild shot in the dark.


#6

Thanks for the suggestion. I had already tried that. I’ve tried various versions of this header. None work.

I’m wondering if the problem is that Dreamhost is redirecting my domain to a subdomain “www” (which I chose to do).


#7

Anyone else care to offer help with CSP?


#8

Hard to make progress when you reported no progress yourself… Have you studied the issue more and learned something new? What else have you tried since your last post? Maybe share your domain so people can check themselves?

While getting my coffee, I have googled around and found that you can set the CSP to report only. Have you tried that to see if maybe that explains in more details why AdSense is blocked?


#9

Report Only does not report.

All other combinations of values set in the CSP (for what I want to do) result in blocking the exact things I want to allow (see earlier post).

I am installing the CSP header on other sites at other hosts without issue.

I am convinced the cause is the way DH forwards to WWW. IMO this should be looked at because using a CSP benefits us all.


#10

Have you tried the ‘leave it alone’ option for the www redirect?

I asked about report only because it seems that Google AdSense tends to load a bunch of other scripts from different domains, not just apis.google.com. Also, it should report so I wonder why it doesn’t… it may be related!?

Where are the other domains that seem to work hosted?

I searched online csp with adsense and there seems to be quite a lot of people looking for a solution, so this is not as straightforward as it seems. I found this snippet for example:


#11

Thanks

I need the www because of backlinks and SE indexing. When I have the time I’ll turn it off in the Web Panel and rewrite it in htaccess to see if that makes a difference.

Another indication the www may be the culprit is the Strict-Transport-Security header isn’t working properly either according to one of the security testing tools, blaming sub-domain is not config’d properly. Since I do not use any sub-domains on this account, it must be the www.

If only the Adsense ads were being blocked, I would agree that it could be the various sources used for the ads, however all my in-house JavaScript is also being blocked. I have tried various versions of the allowed URLs (absolute, relative, www, non-www, with sub-domain & without) & none seem to work.

The other sites, where the basic CSP is working, are hosted all over. A couple at hetzner.de and one at OVH. These are not my sites, just some work I’ve done for site owners.
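The staged approach the thread circles around (run the policy in report-only mode first to see what the ads actually load, then enforce) and the www versus non-www matching question from posts #6, #9 and #11, written out as an added .htaccess example. This is not the snippet the posts refer to and not a Google-published policy. It assumes the site is reached as https://www.example.com, that mod_headers is enabled, that /csp-report is a report endpoint you run yourself, and the AdSense hostnames are the ones commonly seen serving ad scripts and frames; the report-only run is what confirms the real set for your pages.

```apache
# Added example (not the thread's own snippet). Assumptions: the site is served at
# https://www.example.com, mod_headers is loaded, /csp-report is an endpoint you provide,
# and the AdSense hosts listed here are what the report-only run actually shows you.
<IfModule mod_headers.c>

    # Stage 1: Content-Security-Policy-Report-Only.
    # Nothing is blocked. Every would-be violation is printed to the browser console and
    # POSTed as JSON to report-uri, so you learn which hosts the ads pull from instead of
    # guessing. Without a report-uri the only place reports appear is the browser console.
    #
    # 'self' is the document's own origin (scheme + host + port). If the page is served at
    # https://www.example.com, 'self' already covers it. A bare https://example.com entry does
    # NOT match the www host, and https://*.example.com matches subdomains but not the apex,
    # so a list built around the wrong hostname blocks in-house scripts too.
    #
    # "always" sends the header on every response, including 3xx redirects and error pages;
    # plain "Header set" only applies to successful responses, which is what scanners that
    # follow the apex-to-www redirect chain will notice.
    Header always set Content-Security-Policy-Report-Only "\
default-src 'self'; \
script-src 'self' https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net; \
frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; \
img-src 'self' data: https://pagead2.googlesyndication.com; \
report-uri /csp-report"

    # Stage 2: once the report-only run is clean, move the same value to the enforcing
    # header and drop the Report-Only one. Keep exactly one of the two active; shipping both
    # means browsers enforce one and keep reporting from the other, which is confusing to debug.
    #Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://pagead2.googlesyndication.com https://googleads.g.doubleclick.net; frame-src https://googleads.g.doubleclick.net https://tpc.googlesyndication.com; img-src 'self' data: https://pagead2.googlesyndication.com; report-uri /csp-report"

</IfModule>
```

Check the result with the browser's network tab rather than a validator: the validators mentioned in post #1 grade the policy's syntax and strength, they do not tell you whether the host list matches the origin your pages are actually served from, which is the mismatch a www redirect introduces. The trailing-backslash continuation is ordinary Apache config syntax and works in .htaccess; the directive value is still one header line when sent.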