Having a problem with CSP in Phoenix

Hello, I wanted to add CSP rules to my project, which was created with Phoenix and runs on Nginx, to prevent XSS attacks, but I have problems and I can't solve them.

Errors:

[Report Only] Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=UA-105589342-1' because it violates the following Content Security Policy directive: "script-src 'report-sample' 'unsafe-inline' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'".

17:16:10.532 login:1 [Report Only] Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=UA-105589342-1' because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'report-sample' 'unsafe-inline' 'unsafe-eval' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'". 'strict-dynamic' is present, so host-based whitelisting is disabled.

17:16:10.534 login:1 [Report Only] Refused to load the script 'https://www.googletagmanager.com/gtag/js?id=UA-105589342-1' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

17:16:10.536 login:6 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'report-sample' 'unsafe-inline' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

17:16:10.538 login:6 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'report-sample' 'unsafe-inline' 'unsafe-eval' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

17:16:10.542 login:17 [Report Only] Refused to load the image 'https://example.com/images/smal-example-logo.png' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

17:16:10.546 login:30 [Report Only] Refused to load the stylesheet 'https://example.com/css/app-3499f2a6f0ad5cf05889004b72983568.css?vsn=d' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

17:16:10.705 login:94 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'report-sample' 'unsafe-inline' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

17:16:10.707 login:94 [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'strict-dynamic' 'report-sample' 'unsafe-inline' 'unsafe-eval' 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE'". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.

17:16:10.711 login:114 [Report Only] Refused to load the image 'https://example.com/images/smal-example-logo-354df0f2f90aa2b0d28da7916c607781.png?vsn=d' because it violates the following Content Security Policy directive: "img-src 'unsafe-inline' https://ssl.gstatic.com/ https://example.com/images/smal-example-logo.png https://stats.g.doubleclick.net https://www.google-analytics.com/ ".

17:16:10.712 login:114 [Report Only] Refused to load the image 'https://example.com/images/smal-example-logo-354df0f2f90aa2b0d28da7916c607781.png?vsn=d' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

17:16:10.781 login:1 [Report Only] Refused to load the font 'https://example.com/fonts/fontawesome-webfont.woff2?v=4.7.0' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

17:16:10.786 login:1 [Report Only] Refused to load the font 'https://example.com/fonts/fontawesome-webfont.woff?v=4.7.0' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

Most of those errors are because of Google reCAPTCHA and Google Analytics; I used the CSP Mitigator plugin in my Chrome, fixed some problems and edited my CSP rules.

Please see this error:

'strict-dynamic' is present, so host-based whitelisting is disabled

This error is repeated many times, but I have never used this in my header.


I have read this article

With this article I have solved some problems, but I still have many errors.

For example, there are some pictures in my images folder:

https://example.com/images/pic1.png
https://example.com/images/pic2.png
https://example.com/images/pic3.png

and I tested these ways:

img-src  
'self' 
https://example.com/images/pic1.png
https://example.com/images
https://example.com/images/
https://example.com/images/*;

or

img-src * 'self' data: https:;

or

img-src  'self' data: filesystem: blob: ws: wss: https:;

but there is still this error:

[Report Only] Refused to load the image 'https://example.com/images/smal-example-logo-354df0f2f90aa2b0s28da7416c107761.png?vsn=d' because it violates the following Content Security Policy directive: "default-src * 'unsafe-inline' 'strict-dynamic' data: filesystem: blob: ws: wss: ". 'strict-dynamic' is present, so host-based whitelisting is disabled. Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

My CSP config:

base-uri 
'self';

default-src 
'self'
'unsafe-inline'
https://www.google-analytics.com ;


script-src 
'unsafe-inline' 
https://www.googletagmanager.com 
https://www.google-analytics.com/
https://www.google.com/recaptcha/ 
https://www.gstatic.com/recaptcha/;

style-src 
'self' 
'unsafe-inline'
'sha256-JplxS3ZsBrP3aZQRQfTgHGXQ3qI60A+11PWJSWLulVA=' 
https://www.googletagmanager.com  
https://fonts.googleapis.com/ 
https://www.google.com/recaptcha/;

img-src 'unsafe-inline' 
https://ssl.gstatic.com/   
https://example.com/images/smal-example-logo.png  
https://stats.g.doubleclick.net 
https://www.google-analytics.com/ ;

frame-src 
https://www.gstatic.com/ 
https://www.google.com/ 
https://www.googletagmanager.com/ns.html;

font-src 
'self'
https://example.com/fonts/  
https://fonts.gstatic.com;

connect-src 
www.google-analytics.com 
https://www.google-analytics.com 
https://stats.g.doubleclick.net ;

object-src 
'none';

report-uri 
https://my_code.report-uri.com/r/d/csp/reportOnly
;

https://csp-evaluator.withgoogle.com

Thanks
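A note on the console output above: every quoted policy contains 'strict-dynamic' and the placeholder nonce 'nonce-DONT+TOUCH+TOOL+WILL+AUTOFILL+BASED+ON+SERVED+NONCE', neither of which appears in the posted config, so the browser is evaluating a policy other than the server header (that placeholder is what the CSP Mitigator extension mentioned in the post injects while it runs). Before editing the rules further, confirm what the server actually sends, for example with curl -sI https://example.com/login | grep -i content-security-policy. Two other points the errors already show: 'unsafe-inline' is ignored whenever a nonce or hash is present in the same directive, and 'self' already covers every path on the page's own origin, so per-file entries such as https://example.com/images/smal-example-logo.png are not needed for the site's own images and fonts.

The plug below is an added example, not code from the original post or from the Phoenix project. It generates a fresh nonce per request, puts it in conn.assigns for templates, and emits the policy as a single header, report-only by default. The module name MyAppWeb.Plugs.ContentSecurityPolicy is an assumption; the third-party hosts and the report-uri are the ones from the posted config.

```elixir
defmodule MyAppWeb.Plugs.ContentSecurityPolicy do
  @moduledoc """
  Added example (not from the original post): sets a nonce-based
  Content-Security-Policy header on every request that passes through
  the plug. Module name is assumed; hosts come from the posted config.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.put_new(opts, :report_only, true)

  @impl true
  def call(conn, opts) do
    nonce = generate_nonce()

    header_name =
      if opts[:report_only],
        do: "content-security-policy-report-only",
        else: "content-security-policy"

    conn
    # Templates read this as @csp_nonce and put it on <script nonce="...">.
    |> assign(:csp_nonce, nonce)
    |> put_resp_header(header_name, build_policy(nonce))
  end

  # 128 bits of CSPRNG output, base64 so it only contains nonce-safe characters.
  def generate_nonce, do: :crypto.strong_rand_bytes(16) |> Base.encode64()

  def build_policy(nonce) do
    [
      "default-src 'self'",
      "base-uri 'self'",
      "object-src 'none'",
      # Nonce instead of 'unsafe-inline': the browser ignores 'unsafe-inline'
      # when a nonce is present, so listing both only hides the real rule.
      "script-src 'nonce-#{nonce}' https://www.googletagmanager.com " <>
        "https://www.google-analytics.com https://www.google.com/recaptcha/ " <>
        "https://www.gstatic.com/recaptcha/",
      # Inline styles are still allowed here; tighten to hashes later if wanted.
      "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com " <>
        "https://www.google.com/recaptcha/",
      # 'self' covers /images/<anything>.png on this origin, including the
      # hashed file names Phoenix digests produce; no per-file entries needed.
      "img-src 'self' data: https://ssl.gstatic.com https://stats.g.doubleclick.net " <>
        "https://www.google-analytics.com",
      "font-src 'self' https://fonts.gstatic.com",
      "connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net",
      "frame-src https://www.gstatic.com/ https://www.google.com/ " <>
        "https://www.googletagmanager.com/ns.html",
      "report-uri https://my_code.report-uri.com/r/d/csp/reportOnly"
    ]
    |> Enum.join("; ")
  end
end
```

Add it to the :browser pipeline in the router (plug MyAppWeb.Plugs.ContentSecurityPolicy), and give every inline script and the gtag loader the nonce attribute in the layout, for example <script nonce="<%= @csp_nonce %>" async src="https://www.googletagmanager.com/gtag/js?id=..."></script>. Because the header is built in the application, Nginx should not add a second Content-Security-Policy header of its own; two policies are both enforced, and the stricter one wins for every resource. Switch report_only: false only after the report-uri endpoint has been quiet on real traffic.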