How to check what is blocked through Content-Security-Policy?
I tried to set the following Content-Security-Policy header for my website:
header('Content-Security-Policy: "default-src \'none\'; script-src \'self\'; connect-src \'self\'; img-src * data:; style-src \'self\';"');
But the result was in some parts strange. For example this <table>:
became this:
As styles work I tried to find out through Google Chrome Developer Tools which content was blocked, but I had no success to find error messages or similar.
How can I find out what caused this style change?
Partial code of this table:
<table id=threads cellspacing=1>
<col />
<col style="width:66%" />
<col style="width:8%" />
<col style="width:26%" />
<tr>
<th colspan=2>Ähnliche Beiträge</th>
<th>Re:<br />√</th>
<th>Letzter Beitrag</th>
</tr>
<tr onmouseover="this.className='even'" onmouseout="this.className=''">
...
If you want to allow inline styles, the only way is with style-src 'self' 'unsafe-inline'.
But if you use 'unsafe-inline', you may as well not use CSP at all; it’s an unsafe policy.
Inline styles are only allowed if the CSP header explicitly includes 'unsafe-inline' for them.
Your CSP header lacks 'unsafe-inline', so all your style="width:66%", etc., are not applied.
As far as getting more detailed info back to pinpoint exactly what styles have been blocked, there’s not a way. Even if you use the report-ui directive, you’ll only get back the same level of detail you get back from your browser — that is, just a report saying you have a document that’s using inline styles, with only the same level of detail as this browser message:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-style 'self'"
- My custom CSS transition animation is not working on hover after I added AOS JS library
- How to set data attributes in HTML elements
- How to get "Results per Row" (from a 'clicked entry' off a "dropdown menu") to show up correctly?
- How to reduce the size of an ASCII text art picture
- How to trigger SVG render same as manual DOM edit in Chrome using JS?
- Set element width based on a string that is not in the element
- Where are the trailing commas coming from in these radio buttons?
- 100vh height when address bar is shown - Chrome Mobile
- Capture selected option returns not defined instead
- Adjust navbar minimum height depending on screen width
- How to remove extra width from my website?
- Why doesn't backgroundColor=rgb(a,b,c) work?
- How to put json variable directly into DIV Class
- On hover the div inside button reduces height to give animation and little dark bottom. But text also moving up how to fix not move text
- WOW jquery slider
- Reduce the frequency of geolocation watchPosition calls
- Why should HTML elements (input, textarea, and select) have associated labels?
- Why ngModel doesn't works on the last version of Angular 17?
- How to make an element's background-color a little darker using CSS
- How do I clear the content of a div using JavaScript?
- How do I display images from Google Drive on a website?
- Tailwind h-screen doesn’t work properly on mobile devices
- Edit icon in mobile view missing
- Sticky header input scrolls on input
- Image not loading on local site I made
- React error in index.js, "Uncaught ReferenceError: dom is not defined"
- Make the mix-blend-mode on a sticky navbar ignore certain elements while scrolling down
- How to prevent bleach from escaping > (blockquote) tag used in Markdown
- Why is the input bar spilling slightly on the right side of the container?
- Method to show native datepicker in Chrome