Setting contentSecurityPolicy but img-src being ignored
Initial Problem:
Chrome: "Refused to load the image 'data:image/svg+xml:.........'"
It is referring to the arrows image that DataTables uses for the sorting control. The solution appears to be to loosen up CSP a little.
Attempted fix:
(in application.conf)
contentSecurityPolicy = "img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline' jquery-3.1.1.min.js *.facebook.net;"
Result:
Chrome still refuses to load the image and it still says "Note that img-src was not explicitly set, so 'default-src' is used as a fallback."
Question:
In Play Framework, how does one specify multiple directives in contentSecurityProvider such that the browser will respect my img-src? Even if I do not have the security level set to the proper level, I would expect the browser to acknowledge that I have set img-src.
Infos:
Play Framework 2.6 (Java)
DataTables 1.10.19
jQuery 3.3.1
Thank you for any advice.
Your pal,
latj
playframework datatables content-security-policy playframework-2.6
asked Nov 8 at 22:18
latj
1 Answer
You should use "img-src 'self' data: *;" exactly, or even something like "img-src 'self' data: *.example.com;".
So in your case it would look like this:
"img-src 'self' data: *; script-src 'self' 'unsafe-eval' 'unsafe-inline' jquery-3.1.1.min.js *.facebook.net;"
If that won't help, please show your Google Chrome console log then.
answered Nov 27 at 5:53
Aunmag
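Both the policy string in the question and the one suggested in the answer can be checked against a model of the browser's CSP matching rules. The JavaScript below is an added example written for this page, not code from the question, the answer, Play or DataTables: it parses a Content-Security-Policy value, applies the img-src to default-src fallback that Chrome's console note refers to, and tests a data: SVG (and a few other URLs) against the policies quoted above. The page origin https://app.example.test, the policy "default-src 'self'" assumed to be what Play 2.6 sends when nothing is configured, and the placeholder data: SVG are constructed for the demo; checkLoad, evaluateImage and the other helpers are names chosen here, not a browser or framework API.

```javascript
// Added example, not code from the question, the answer, Play or DataTables:
// a small model of how a browser resolves a CSP fetch directive, enough to
// reproduce Chrome's "img-src was not explicitly set, so 'default-src' is used
// as a fallback" note and to compare the policy strings discussed on this page.
// Simplifications: only the source kinds that appear on the page ('self',
// 'none', scheme sources such as data:, host sources with optional scheme/port,
// and '*'); no nonces, hashes, path matching or http->https upgrade matching.

// Origin of the page that sends the header (assumed for the demo).
const PAGE_ORIGIN = 'https://app.example.test';

// Parse "directive sources; directive sources" into a Map. Browsers honour the
// first occurrence of a directive name and ignore later duplicates.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (img-src, script-src, ...) fall back to default-src when
// absent; if neither is present the load is unrestricted by CSP.
function governingDirective(policy, directive) {
  if (policy.has(directive)) return { name: directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { name: 'default-src', sources: policy.get('default-src') };
  return null;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // '*.facebook.net' -> '.facebook.net'
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL?
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;            // 'none', 'unsafe-inline', ... never match a URL
  // '*' matches network schemes only: data:, blob: and filesystem: URLs are NOT covered.
  if (s === '*') return /^(https?|wss?|ftp):$/.test(url.protocol);
  if (s.endsWith(':')) return url.protocol === s; // scheme source, e.g. data:
  // host source: [scheme://]host[:port]; note that 'jquery-3.1.1.min.js' parses as a host name
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme ? url.protocol !== scheme + ':' : !/^https?:$/.test(url.protocol)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  return hostMatches(hostPattern, url.hostname);
}

// Decide whether a load governed by `directive` (e.g. 'img-src') is allowed,
// and produce the same note Chrome prints when the fallback is used.
function checkLoad(header, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const governing = governingDirective(parsePolicy(header), directive);
  if (!governing) {
    return { allowed: true, via: null, note: `${directive} unrestricted (no ${directive} or default-src)` };
  }
  const url = new URL(resourceUrl, pageOrigin);
  const allowed = governing.sources.some((src) => sourceMatches(src, url, pageOrigin));
  const note = governing.name === directive
    ? `${directive} explicitly set`
    : `Note that ${directive} was not explicitly set, so 'default-src' is used as a fallback`;
  return { allowed, via: governing.name, note };
}

const evaluateImage = (header, imageUrl) => checkLoad(header, 'img-src', imageUrl);

// Constructed inputs. DEFAULT_POLICY is assumed to be what Play 2.6's
// SecurityHeadersFilter sends when no policy is configured (check your Play
// docs); QUESTION_POLICY and ANSWER_POLICY are copied from the posts above.
const DEFAULT_POLICY = "default-src 'self'";
const QUESTION_POLICY = "img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline' jquery-3.1.1.min.js *.facebook.net;";
const ANSWER_POLICY = "img-src 'self' data: *; script-src 'self' 'unsafe-eval' 'unsafe-inline' jquery-3.1.1.min.js *.facebook.net;";
// Stand-in for DataTables' inline SVG sort arrow (constructed, not the real icon).
const SORT_ARROW = 'data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%2F%3E';

function demo() {
  return {
    playDefault:     evaluateImage(DEFAULT_POLICY, SORT_ARROW),     // blocked via default-src fallback
    question:        evaluateImage(QUESTION_POLICY, SORT_ARROW),    // allowed once img-src is really sent
    answer:          evaluateImage(ANSWER_POLICY, SORT_ARROW),      // allowed, but by data:, not by *
    starNoData:      evaluateImage("img-src 'self' *", SORT_ARROW), // '*' alone does not admit data:
    answerAnyHost:   evaluateImage(ANSWER_POLICY, 'https://cdn.example.net/pixel.png'),   // '*' admits every host
    questionAnyHost: evaluateImage(QUESTION_POLICY, 'https://cdn.example.net/pixel.png'), // blocked
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; demo() returns the six verdicts. Two things follow from them. First, Chrome only prints the "img-src was not explicitly set" note when the policy it received contains no img-src at all, so the configured string was not the one sent: check the actual Content-Security-Policy response header in the DevTools Network tab (or with curl -sI against the running app) before tuning the directives. As far as I recall from the Play 2.6 documentation (not stated on this page, so confirm it against your version), the SecurityHeadersFilter reads the policy from the key play.filters.headers.contentSecurityPolicy in application.conf; a bare top-level contentSecurityPolicy key is simply an unrelated setting, and the default "default-src 'self'" keeps being sent. Second, the * the answer adds to img-src is not what admits the SVG: CSP's * matches network schemes only, so data: has to be listed explicitly anyway, and * additionally allows images from every host. In script-src, jquery-3.1.1.min.js is parsed as a host name rather than a file and grants nothing (a locally served copy is already covered by 'self'), while 'unsafe-inline' and 'unsafe-eval' remove most of the script-injection protection the policy exists to provide.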