Adobe Experience Manager Sites & More

mahesh_tesla · 12/6/23

Snippet of our CSP configuration

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'; 
</IfModule>

We have added nonce to all <Script> tags. However, We are getting below console errors(I have added screenshots as well)

[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
[Report Only] Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: *.gstatic.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
The Content-Security-Policy directive 'form-action' contains the keyword 'none' alongside with other source expressions. The keyword 'none' must be the only source expression in the directive value, otherwise it is ignored.
erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
erforme-Rosse-The-his-is-Birthe-Doct-The-vs-must:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-d+XiDBXqrAQI7R8KVX9uRAtkHJWNmURyG9QF6TM0bz8='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-3947263940126385629'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
csrf.lc-a9dcac4698709ca8e1cbc88363cf0793-lc.js:300 [Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
[Report Only] Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: *.gstatic.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Kindly please help me to clear console errors. Thanks

EstebanBustamante · 12/7/23

Hi

Each message provides you with the information needed to address every issue raised by your Content Security Policy (CSP). The reality is that this is a tune-up process, as it can be challenging to get the CSP working perfectly all at once— at least, that's my perspective. My recommendation is to use a Chrome extension to directly inject the CSP header into your browser (https://chromewebstore.google.com/detail/empty-title/idgpnmonknjnojddfkpgkljpfnnfcklj). This way, you can fine-tune it more quickly and safely, leading to a fully functional CSP.

From what I can see, your CSP should already address some of those issues. However, it appears that you are missing a closing quote and a semicolon, suggesting that your CSP may not be working as expected. Please validate it once with the tool I mentioned above:

<IfModule mod_headers.c>
    Header add X-Vhost "lorem"
    Header set Content-Security-Policy 
        "default-src 'self'; 
        form-action 'none'; 
        script-src 'self' 'unsafe-eval' 'unsafe-hashes' https://cdn-apac.onetrust.com https://www.google.com https://assets.adobedtm.com https://www.googletagmanager.com https://www.gstatic.com https://www.youtube.com 'nonce-394726394026385629';"
</IfModule>

Hope this helps.