rajdis Posted July 29, 2018 (edited)

After using Content-Security-Policy (CSP), the JavaScripts from other sources are not working properly. What can I do? Part of my .htaccess is:

Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
Header unset Content-Security-Policy
Header set Content-Security-Policy "script-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset X-Content-Security-Policy
Header set X-Content-Security-Policy "default-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset X-WebKit-CSP
Header set X-WebKit-CSP "default-src 'self' 'https://apis.google.com' 'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' 'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'"
Header unset Referrer-Policy
Header set Referrer-Policy: strict-origin-when-cross-origin

Edit: The CSS is working.

Edited July 29, 2018 by rajdis

rajdis Posted July 31, 2018 (Author)

Anyone here? ;_;

wolstech Posted July 31, 2018

We haven't been paying much attention up here the past few days due to the hack...sorry about that.

Try removing the single quotes around the URLs. Also, try removing all of the URLs except one, and see if the matching script loads (with all others being expected to fail). If so, add a second URL, and repeat.

Also, your site does use inline scripting which is blocked when using CSP, so your site is going to break to an extent even when it works correctly.

rajdis Posted August 1, 2018 (Author)

I am getting the following error:

17:00:54.506 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://distribure.cf https://apis.google.com https://www.googletagmanager.com https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://cse.google.com”). Source: window.dataLayer = window.dataLayer |.... 1 web_design.php:117

The updated .htaccess is:

Header set Content-Security-Policy "script-src 'self' https://apis.google.com https://www.googletagmanager.com https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com https://cse.google.com ;"

wolstech Posted August 1, 2018

I did some digging last night and you're not the first to have this issue here...someone else ran into this a while back too. No fix was ever found.

Reports on Google show success sending these using PHP's header() function, perhaps that's an option? Make a file with the code and require() in all relevant pages.

rajdis Posted August 2, 2018 (Author)

Okay. I will try that. The CSP is currently removed as I was having too much of a problem adding JSPs.
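
The two source-list problems raised in this thread (URLs wrapped in single quotes, and inline scripts being blocked) can be checked offline. The following is an added example, not part of any post above: a small Python check run over the two script-src values quoted in the thread; the function names are illustrative.

```python
import re

# Keyword sources must be single-quoted; nonce and hash sources are quoted too.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+'$")

def parse_policy(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first one wins
    return policy

def lint_script_src(value):
    """Return (usable_sources, warnings, inline_allowed) for script loading."""
    policy = parse_policy(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return [], ["no script-src or default-src: scripts are not restricted"], True
    usable, warnings = [], []
    for src in sources:
        if src.lower() in KEYWORDS or NONCE_OR_HASH.match(src):
            usable.append(src)
        elif "'" in src:
            warnings.append(f"{src}: quoted URL is ignored, remove the quotes")
        else:
            if f"'{src.lower()}'" in KEYWORDS:
                warnings.append(f"{src}: unquoted keyword is read as a host name")
            usable.append(src)
    # Arbitrary inline <script> runs only with 'unsafe-inline' and no nonce/hash.
    inline_allowed = "'unsafe-inline'" in (s.lower() for s in usable) and not any(
        NONCE_OR_HASH.match(s) for s in usable)
    if not inline_allowed:
        warnings.append("inline <script> without a matching nonce or hash is blocked")
    return usable, warnings, inline_allowed

# The two script-src policies from the thread: the original and the updated one.
ORIGINAL = ("script-src 'self' 'https://apis.google.com' "
            "'https://www.googletagmanager.com/' 'https://ajax.googleapis.com' "
            "'https://maxcdn.bootstrapcdn.com' 'https://cse.google.com/'")
UPDATED = ("script-src 'self' https://apis.google.com https://www.googletagmanager.com "
           "https://ajax.googleapis.com https://maxcdn.bootstrapcdn.com "
           "https://cse.google.com ;")

if __name__ == "__main__":
    for value in (ORIGINAL, UPDATED):
        print(lint_script_src(value))
```

For the original policy only 'self' survives as a usable source; for the updated one all six sources are usable and the only remaining warning concerns inline script, which matches the error reported for the inline window.dataLayer snippet.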