Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shield adds attributes to the CSP policy that aren't specified. #152

Open
smithcoin opened this issue Oct 25, 2024 · 0 comments
Open

Shield adds attributes to the CSP policy that aren't specified. #152

smithcoin opened this issue Oct 25, 2024 · 0 comments
Labels
triage Tracking: Needs Triage

Comments

@smithcoin
Copy link

smithcoin commented Oct 25, 2024
edited
Loading

Using the following configuration on my website:

        shield({
            sri: { 
                enableStatic: true,
                scriptsAllowListUrls: [
                    'https://consent.cookiebot.com/uc.js',
                    'https://consent.cookiebot.com/<ATTRIBUTE>/cd.js',
                    'https://www.googletagmanager.com/gtag/js?id=<TAG>'
                  ],
             },
            securityHeaders: {
                enableOnStaticPages: {
                    provider: "netlify"
                },
                contentSecurityPolicy: {
                    // Needed for astro-shield
                }
            }
        })

The following errors are seen in the console:

Content-Security-Policy warnings 5
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified

and None of the “sha256” hashes in the integrity attribute match the content of the subresource. The computed hash is “a0YhhoysWJpgP+EmOq0kL2cmLvlxvayszBpRXNBIhGY=”.

This was noticed on Firefox.
@castarco castarco added the triage Tracking: Needs Triage label Nov 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage Tracking: Needs Triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@castarco @smithcoin