Welcome to the LimeSurvey Community Forum

Content Security Policy help

4 years 1 month ago #218299 by jlhollowell
Denis,

Thanks for the reply. No, unfortunately, I didn't/don't see the line you are referring to...I see the following:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"

Which Nginx does not like, and I see a subsequent message that you posted, "Seems we need the 'unsafe-eval' … for public part", but the line you provided here, "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';", I don't find. Maybe it was deleted...? Or possibly I was supposed to parse it from the longer line I pasted above. Sorry, I'm relatively new to Nginx as well as to Content Security Policy headers... I'll get there but will probably irritate a few people along the way... not by intention of course. ;-)

At any rate, I will give it a try and hope for the best.

Regards
The topic has been locked.
4 years 1 month ago #218302 by NPEUWebmaster
Hi,

CSP I came up with was for Apache - I'm not familiar with Nginx either I'm afraid.

The CSP info mostly came from h5bp/server-configs-apache.
There's an Nginx equivalent but the CSP info seems lacking. Not sure if it's helpful.

Also see the section I added to the wiki

Thanks,
Andy
The following user(s) said Thank You: DenisChenu, jlhollowell
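
For readers following the thread: Nginx rejects the Apache line quoted above because `Header always set ... "expr=..."` is Apache syntax. The sketch below is an added example, not part of any post here and not LimeSurvey's or h5bp's own configuration. It carries the same policy string and the same content-type condition over to Nginx using `map` and `add_header`; the variable name `$csp_policy` is an assumption chosen for the example.

```nginx
# Added example. The map block belongs in the http {} context.
# $csp_policy is a hypothetical variable name.
map $sent_http_content_type $csp_policy {
    # Response type does not match: empty value. Nginx does not emit an
    # add_header whose value is an empty string, which reproduces the
    # conditional behaviour of Apache's "expr=" argument.
    default "";

    # Same content-type test as the Apache expression, case-insensitive (~*).
    # The policy string is copied unchanged from the Apache line in this thread.
    ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests";
}

server {
    # ... existing listen / server_name / LimeSurvey location blocks ...

    # "always" sends the header on error responses too, matching
    # Apache's "Header always set".
    add_header Content-Security-Policy $csp_policy always;

    # Caveat: add_header is inherited from this level only by blocks that
    # define no add_header of their own. Any location {} that sets another
    # header must repeat the line above or it will be served without a CSP.
}
```

After reloading, `nginx -t` confirms the syntax and the response headers of an HTML page and of an image show whether the header is applied only to the matching content types.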
4 years 1 month ago #218305 by DenisChenu

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development.
I don't answer private messages.
The following user(s) said Thank You: jlhollowell