Content Security Policy (CSP) Missing.

Hi - our financial client got a security red flag on their Squarespace website:

"Content Security Policy (CSP) Missing. A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering a webpage. This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a user’s browser)."

Squarespace gave me this message but I'm not sure what to do. Does anyone know about this?

"This can be handled by adding meta tags. At this time, no headers are forthcoming at this stage." They referred me to this page but I'm not sure what to do. Any help would be appreciated. Thanks in advance.

https://content-security-policy.com/examples/meta/

Agreed, having the same issue. Adding the CSP into header code injection as a <meta> tag via:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

This makes the website builder area crash and the website unusable, removing all visual information except text and removing any layout functionality.

I was made aware of this via Pagespeed Insights (https://pagespeed.web.dev/).

Considering we would like our websites to be as safe as possible, this is a security concern.

What solution is available to us?

  • 1 month later...

I've had a client's insurers flag up the lack of a CSP. 

The single domain fix used by @Cinthetic and @mdemartin breaks the editor because the CSP needs to include all domains that provide scripts, media, etc.  Effectively, the CSP meta tag is blocking loading of the editing interface. 

I've experimented with a multidomain CSP meta tag

<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.squarespace.com *.squarespace-cdn.com *.squarewebsites.com www.google-analytics.com ajax.googleapis.com www.gstatic.com www.googletagmanager.com static1.squarespace.com">

However, it still breaks sites because inline styles and scripts are blocked by the Content Security Policy and I can't see a way of signalling them as being trusted. 

I'm Colin Irwin aka silvabokis.  I've been a Squarespace designer & developer since 2013. 
I remember when it was all wild prairies round these here parts. 🐃🤠
Advice I give on here is free, though I may sometimes post an affiliate link or promote something I've written.
That reminds me.. ..you might want to check out my
Squarespace template finder or have a look at my other Squarespace tips
Speaking of tips, 💲I've got a tip jar that you're welcome to throw a few quid into if you think I've helped you. 
If you're looking for a Squarespace developer 
Book a chat or Drop me a line - first meeting is always free  

  • 3 weeks later...

@TheSavvyChameleon @colin.irwin Here are some defaults that can be used and should fix the issue with inline CSS and JS as well by leveraging the 'unsafe-inline' and 'unsafe-eval' CSP directives. Also added blob: and data: directives to handle media related to blobs and data attributes.

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *.squarespace.com *.squarespace-cdn.com *.squarewebsites.com *.google.com *.google-analytics.com *.googleapis.com *.gstatic.com *.googletagmanager.com *.doubleclick.net *.typekit.net *.youtube.com *.jquery.com https://youtu.be">

Tips On Figuring out which websites to allow with Content Security Policy:

If you're setting up Content Security Policy (CSP) for your website but are unsure which websites to allow access to, here's a tip:

  • Open Google Chrome's developer tools: Click the three dots in the top right corner of your Chrome window, then select "More tools" and then "Developer tools".
  • Find the Console: Look for the tab labeled "Console" within the developer tools window.
  • Add the CSP meta tag to your website: This tells your browser which websites are allowed to send resources like images, fonts, and scripts to your page.
  • Reload your website: This triggers the CSP checks.
  • Watch for console errors: Any blocked resources will show up in the console as errors. Look for the website address (URL) mentioned in the error. See the screenshot below.
  • Whitelist the necessary websites: Based on the console errors (see the screenshot below for an example), add the relevant URLs to your CSP meta tag, using wildcards if needed (e.g., *.typekit.com instead of https://use.typekit.com). This allows resources from those websites to load on your page.

Remember: Adding too many websites to your CSP can compromise security, so only allow the ones your website truly needs.

[Screenshot: browser console showing CSP errors for blocked resources]

Full stack developer who loves helping people out with anything web related. If you'd like to support me, buy me a coffee!
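As an added example (not code from this thread or from Squarespace), the checker below parses a meta-tag policy like the ones posted above, tells you whether a URL copied from a console error would be allowed by a given directive, flags 'unsafe-inline' / 'unsafe-eval' on script-src, and turns console-reported URLs into exact-origin entries. It assumes an https page and ignores ports and paths in host sources.

```javascript
// Added example, not code from the thread: evaluate a CSP meta-tag policy offline
// with the WHATWG URL class (Node or browser). Assumes an https page; ports/paths ignored.

function parseCsp(policy) {
  const dirs = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) dirs[name.toLowerCase()] = sources;
  }
  return dirs;
}

// Fetch directives such as script-src fall back to default-src when absent.
function effectiveSources(dirs, directive) {
  return dirs[directive] || dirs['default-src'] || [];
}

// Does one source expression match a URL? Covers 'self', scheme sources
// (data:, blob:, https:) and host sources with an optional *. wildcard.
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  if (src === "'self'") return u.origin === pageOrigin;
  if (src.startsWith("'")) return false;                 // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme ? u.protocol !== scheme.toLowerCase() + ':' : !/^https?:$/.test(u.protocol)) return false;
  const h = host.toLowerCase();
  return h.startsWith('*.') ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
}

// Would this policy let the given directive load the URL?
function allows(policy, directive, url, pageOrigin) {
  return effectiveSources(parseCsp(policy), directive).some(s => sourceMatches(s, url, pageOrigin));
}

// Keywords that, on script-src (or inherited from default-src), give back the
// script-injection protection the CSP exists to provide.
function lint(policy) {
  const scripts = effectiveSources(parseCsp(policy), 'script-src');
  return ["'unsafe-inline'", "'unsafe-eval'", '*'].filter(k => scripts.includes(k));
}

// Turn blocked URLs copied from the console into exact-origin entries rather
// than the broad *.domain wildcards suggested in the thread.
function suggestSources(blockedUrls) {
  return [...new Set(blockedUrls.map(u => new URL(u).origin))];
}
```

A policy delivered in a <meta> tag only takes effect once the parser reaches it and cannot carry frame-ancestors, report-uri, report-to or sandbox; those need the response header that the thread reports Squarespace does not offer.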
