mdemartin, posted November 6:

Hi - our financial client got a security red flag on their Squarespace website: "Content Security Policy (CSP) Missing. A Content Security Policy (CSP) directive tells a web browser what locations it can load resources from when rendering a webpage. This helps prevent mistaken or malicious resources from being injected into a webpage (and then executed by a user's browser)." Squarespace gave me this message but I'm not sure what to do. Does anyone know about this? "This can be handled by adding meta tags. At this time, no headers are forthcoming at this stage." They referred me to this page but I'm not sure what to do. Any help would be appreciated. Thanks in advance. https://content-security-policy.com/examples/meta/
Cinthetic, posted November 7:

22 hours ago, mdemartin said: "Hi - our financial client got a security red flag on their Squarespace website: 'Content Security Policy (CSP) Missing. [...]' Squarespace gave me this message but I'm not sure what to do. Does anyone know about this? 'This can be handled by adding meta tags. At this time, no headers are forthcoming at this stage.' They referred me to this page but I'm not sure what to do. https://content-security-policy.com/examples/meta/"

Agreed, having the same issue. Adding the CSP into Header Code Injection as a <meta> tag via:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

This makes the website builder area crash and the website unusable, removing any visual information except for text and removing any functionality in terms of layout. I was made aware of this via PageSpeed Insights (https://pagespeed.web.dev/). Considering we would like our websites to be as safe as possible, this is a security concern. What solution is available to us?
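The breakage described above follows directly from how CSP evaluates sources: `default-src 'self'` is the fallback for every fetch directive that is not set explicitly, so any script, stylesheet, image or font the site builder serves from a host other than the page's own origin is blocked. The small checker below is an added example, not code from the thread or from Squarespace. It parses a serialized policy, reports which directives a browser ignores when the policy is delivered in a `<meta>` element rather than an HTTP header (`frame-ancestors`, `report-uri`, `report-to` and `sandbox` per the CSP specification; `Content-Security-Policy-Report-Only` cannot be delivered via `<meta>` at all), and evaluates whether a given resource URL would be allowed. The page URL and the third-party host `cdn.example-builder.com` are constructed placeholders, not real Squarespace hostnames.

```python
"""Parse a Content-Security-Policy string and check what it allows.

Added example for the forum thread above (not from the thread or from
Squarespace). The hostnames used in the demo are constructed placeholders.
"""
from urllib.parse import urlsplit

# Directives the CSP specification does not honour when the policy arrives in
# a <meta http-equiv="Content-Security-Policy"> element instead of a header.
META_IGNORED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}


def parse_csp(policy):
    """Return {directive: [source expressions]} for a serialized policy."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, values)  # on duplicates, the first wins
    return directives


def meta_ignored_directives(directives):
    """Directives present in the policy that a <meta> delivery silently drops."""
    return sorted(name for name in directives if name in META_IGNORED)


def _source_matches(source, url, page_origin):
    """Does one source expression match the URL of a resource being loaded?"""
    s = source.lower()
    origin = urlsplit(url)
    if s == "'none'":
        return False
    if s == "'self'":
        return (origin.scheme, origin.netloc) == (page_origin.scheme, page_origin.netloc)
    if s in ("*", origin.scheme + ":"):  # scheme-source such as "https:"
        return True
    if s.startswith("'"):
        return False  # 'unsafe-inline', nonces and hashes never match a URL
    host_src = urlsplit(s if "://" in s else "//" + s)
    if host_src.scheme and host_src.scheme != origin.scheme:
        return False
    host = host_src.hostname or ""
    target = origin.hostname or ""
    if host.startswith("*."):
        return target.endswith(host[1:])  # wildcard covers subdomains only
    return host == target


def is_allowed(directives, directive, url, page_url):
    """Evaluate a fetch directive for one resource, applying default-src fallback."""
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP imposes no restriction
    page_origin = urlsplit(page_url)
    return any(_source_matches(s, url, page_origin) for s in sources)


def audit(policy, page_url, resources):
    """Return [(directive, url, allowed)] for each (directive, url) pair."""
    directives = parse_csp(policy)
    return [(name, url, is_allowed(directives, name, url, page_url))
            for name, url in resources]


if __name__ == "__main__":
    PAGE = "https://www.example-bank.com/"  # constructed placeholder
    RESOURCES = [  # constructed: own-origin script plus a builder-hosted one
        ("script-src", "https://www.example-bank.com/site.js"),
        ("script-src", "https://cdn.example-builder.com/app.js"),
        ("style-src", "https://cdn.example-builder.com/site.css"),
    ]
    for policy in ("default-src 'self'",
                   "default-src 'self'; script-src 'self' https://*.example-builder.com; "
                   "style-src 'self' https://*.example-builder.com; frame-ancestors 'none'"):
        print("policy:", policy)
        for name, url, ok in audit(policy, PAGE, RESOURCES):
            print(f"  {'ALLOW' if ok else 'BLOCK':5} {name:10} {url}")
        dropped = meta_ignored_directives(parse_csp(policy))
        if dropped:
            print("  ignored when delivered via <meta>:", ", ".join(dropped))
```

Running it shows the first policy blocking both builder-hosted resources, which is the behaviour reported above, while the second allows them and also flags that `frame-ancestors` has no effect when the policy is injected as a `<meta>` tag. Because report-only mode is unavailable via `<meta>`, a policy should be enumerated against the site's actual resource hosts, as this script does, before it is published.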
mdemartin (original poster), posted November 7:

I just sent another note to SQSP about this along with a screenshot of the code in Code Injection/Header. Our client is a bank and their regulator said this has to be fixed. SQSP is leaving us in a tough position - surely they must know about this.