Welcome! Log In Create A New Profile

Advanced

Help with Content-Security-Policy

Posted by ukro 
Help with Content-Security-Policy
November 06, 2021 03:45PM
Greetings,
i am soo lost, googled few hours and still cant figure it out.
How can i fix thoose errors?

Config:
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' 'lh3.googleusercontent.com';font-src *;img-src * data:; script-src 'self' 'unsafe-hashes' 'sha256-cn1VgLyVU63Lcmp2AQimPh/TdYjy04Flxs=' 'sha256-xNWg88Qd8aVXjg2sxYMY4nEI48hML0aew/6ntqaG2GM='; style-src 'unsafe-inline' 'self'";

What i want:
I want to have everything local and with sha check of all scripts. I am sure the config is wrong.
Should i allow remote script execution? is it safe? or it doesnt matter?
Cant somebody point me to good docs for beginers?
Its pwa serviceworker

Errors:
The source list for the Content Security Policy directive 'connect-src' contains an invalid source: ''lh3.googleusercontent.com''. It will be ignored.
serviceworker.js:38 Refused to connect to 'https://lh3.googleusercontent.com/a/AATXAJzC6UKJwRqzNOyBvnygJBM7fOfY1T8Uvhz2gHIO=s96-c' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://lh3.googleusercontent.com/a/AATXAJzC6UKJwRqzNOyBvnygJBM7fOfY1T8Uvhz2gHIO=s96-c' because it violates the document's Content Security Policy.
(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7l.woff2' because it violates the document's Content Security Policy.
(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdu.woff2' because it violates the document's Content Security Policy.
(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xKydSBYKcSV-LCoeQqfX1RYOo3ik4zwlxdu.woff2' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

(anonymous) @ serviceworker.js:38
Promise.then (async)
(anonymous) @ serviceworker.js:37
serviceworker.js:38 Refused to connect to 'https://fonts.gstatic.com/s/sourcesanspro/v14/6xKydSBYKcSV-LCoeQqfX1RYOo3ik4zwlxdu.woff2' because it violates the document's Content Security Policy.



Edited 1 time(s). Last edit at 11/06/2021 03:45PM by ukro.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 48
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready