
script-src missing according to Google Page Speed although it's in the .htaccess


I'm trying to resolve these warnings

script-src directive is missing. This can allow the execution of unsafe scripts. and Missing object-src allows the injection of plugins that execute unsafe scripts. Consider setting object-src to 'none' if you can.

in the "Trust and Safety Section" of the Google Page Speed report. I've used multiple browsers including the current Edge, Chrome and Firefox (also Developer Edition). What's interesting, though not the main question: why do I get different results in Google Page Speed using different browsers? Concrete example: Running Page Speed in Opera throws the following errors in "Best Practices"

"Deprecated APIs will eventually be removed from the browser. Learn more about deprecated APIs." and "The unload event does not fire reliably and listening for it can prevent browser optimizations like the Back-Forward Cache. Use pagehide or visibilitychange events instead. Learn more about unload event listeners"

and the score in that section drops to 74. Running the same website using Chrome, no such errors appear and the score in "Best Practices" is 100.

These are my current rules (inspired by CSP for AdSense):

<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Content-Security-Policy "object-src 'none';"
Header set Content-Security-Policy "block-all-mixed-content"
Header set Content-Security-Policy "frame-ancestors 'self';"
Header set Content-Security-Policy "img-src 'self' https://jigsaw.w3.org/css-validator/images/vcss https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.com pagead2.googlesyndication.com;"
Header set Content-Security-Policy "frame-src 'self' 'unsafe-inline' googleads.g.doubleclick.net tpc.googlesyndication.com;"
Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' pagead2.googlesyndication.com partner.googleadservices.com tpc.googlesyndication.com www.googletagservices.com adservice.google.com adservice.google.ad adservice.google.ae adservice.google.com.af adservice.google.com.ag adservice.google.com.ai adservice.google.al adservice.google.am adservice.google.co.ao adservice.google.com.ar adservice.google.as adservice.google.at adservice.google.com.au adservice.google.az adservice.google.ba adservice.google.com.bd adservice.google.be adservice.google.bf adservice.google.bg adservice.google.com.bh adservice.google.bi adservice.google.bj adservice.google.com.bn adservice.google.com.bo adservice.google.com.br adservice.google.bs adservice.google.bt adservice.google.co.bw adservice.google.by adservice.google.com.bz adservice.google.ca adservice.google.cd adservice.google.cf adservice.google.cg adservice.google.ch adservice.google.ci adservice.google.co.ck adservice.google.cl adservice.google.cm adservice.google.cn adservice.google.com.co adservice.google.co.cr adservice.google.com.cu adservice.google.cv adservice.google.com.cy adservice.google.cz adservice.google.de adservice.google.dj adservice.google.dk adservice.google.dm adservice.google.com.do adservice.google.dz adservice.google.com.ec adservice.google.ee adservice.google.com.eg adservice.google.es adservice.google.com.et adservice.google.fi adservice.google.com.fj adservice.google.fm adservice.google.fr adservice.google.ga adservice.google.ge adservice.google.gg adservice.google.com.gh adservice.google.com.gi adservice.google.gl adservice.google.gm adservice.google.gr adservice.google.com.gt adservice.google.gy adservice.google.com.hk adservice.google.hn adservice.google.hr adservice.google.ht adservice.google.hu adservice.google.co.id adservice.google.ie adservice.google.co.il adservice.google.im adservice.google.co.in adservice.google.iq adservice.google.is adservice.google.it adservice.google.je 
adservice.google.com.jm adservice.google.jo adservice.google.co.jp adservice.google.co.ke adservice.google.com.kh adservice.google.ki adservice.google.kg adservice.google.co.kr adservice.google.com.kw adservice.google.kz adservice.google.la adservice.google.com.lb adservice.google.li adservice.google.lk adservice.google.co.ls adservice.google.lt adservice.google.lu adservice.google.lv adservice.google.com.ly adservice.google.co.ma adservice.google.md adservice.google.me adservice.google.mg adservice.google.mk adservice.google.ml adservice.google.com.mm adservice.google.mn adservice.google.ms adservice.google.com.mt adservice.google.mu adservice.google.mv adservice.google.mw adservice.google.com.mx adservice.google.com.my adservice.google.co.mz adservice.google.com.na adservice.google.com.ng adservice.google.com.ni adservice.google.ne adservice.google.nl adservice.google.no adservice.google.com.np adservice.google.nr adservice.google.nu adservice.google.co.nz adservice.google.com.om adservice.google.com.pa adservice.google.com.pe adservice.google.com.pg adservice.google.com.ph adservice.google.com.pk adservice.google.pl adservice.google.pn adservice.google.com.pr adservice.google.ps adservice.google.pt adservice.google.com.py adservice.google.com.qa adservice.google.ro adservice.google.ru adservice.google.rw adservice.google.com.sa adservice.google.com.sb adservice.google.sc adservice.google.se adservice.google.com.sg adservice.google.sh adservice.google.si adservice.google.sk adservice.google.com.sl adservice.google.sn adservice.google.so adservice.google.sm adservice.google.sr adservice.google.st adservice.google.com.sv adservice.google.td adservice.google.tg adservice.google.co.th adservice.google.com.tj adservice.google.tl adservice.google.tm adservice.google.tn adservice.google.to adservice.google.com.tr adservice.google.tt adservice.google.com.tw adservice.google.co.tz adservice.google.com.ua adservice.google.co.ug adservice.google.co.uk 
adservice.google.com.uy adservice.google.co.uz adservice.google.com.vc adservice.google.co.ve adservice.google.vg adservice.google.co.vi adservice.google.com.vn adservice.google.vu adservice.google.ws adservice.google.rs adservice.google.co.za adservice.google.co.zm adservice.google.co.zw adservice.google.cat;"
Header set Content-Security-Policy "connect-src https://pagead2.googlesyndication.com/getconfig/ 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com https://*.google.com;"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Xss-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=self"
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=None"
</IfModule>

The mod_headers section does work generally, since when I set the script-src or img-src to 'none', the website stops working correctly, stops loading scripts and images, and errors are shown in the browser console.

How do I get Google Page Speed to recognize my script-src and object-src rules?

  • Tried running Google Page Speed using different browsers -> CSP warning unchanged
  • Tried Header set Content-Security-Policy "object-src 'none'" instead of Header set Content-Security-Policy "object-src 'none';" -> CSP warning unchanged

Solution

  • It seems like you are setting 8 different CSP headers, one for each directive. I would assume that the scanner detects CSPs that don't implement script-src, and even though the total effective policy restricts script-src, the scanner doesn't understand your setup. Try combining the directives

    Header set Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; block-all-mixed-content; frame-ancestors 'self';...
    

    This will also make it possible to use fallbacks properly.
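An added example, not part of the question or answer above: a small Python model of the two pieces involved. `apply_mod_headers` reproduces what Apache's mod_headers does with a sequence of `Header set` lines (each `set` replaces the existing header value, while `add` appends another header line), and `audit` applies the two checks quoted from the Page Speed warning to every policy the server would actually send. The `.htaccess` fragments are constructed, shortened from the question's config and the answer's combined form; the regex and function names are this example's own.

```python
import re

HEADER_RE = re.compile(r'^\s*Header\s+(?:always\s+)?(set|add)\s+Content-Security-Policy\s+"([^"]*)"')

# Constructed .htaccess fragments, shortened from the question: one policy per
# `Header set` line, versus the single combined header the answer suggests.
PER_DIRECTIVE = [
    'Header set Content-Security-Policy "object-src \'none\';"',
    'Header set Content-Security-Policy "frame-ancestors \'self\';"',
    'Header set Content-Security-Policy "script-src \'self\' pagead2.googlesyndication.com;"',
    'Header set Content-Security-Policy "connect-src \'self\' https://*.google-analytics.com;"',
]
COMBINED = ['Header set Content-Security-Policy "object-src \'none\'; frame-ancestors \'self\'; '
            'script-src \'self\' pagead2.googlesyndication.com; '
            'connect-src \'self\' https://*.google-analytics.com;"']

def apply_mod_headers(lines):
    """Model mod_headers: `set` replaces every existing value of the header,
    `add` appends one more header line. Returns the values actually emitted."""
    emitted = []
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            verb, value = m.groups()
            emitted = [value] if verb == "set" else emitted + [value]
    return emitted

def parse_csp(policy):
    """Split one policy string into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit(policy):
    """Findings for one policy string, mirroring the two Page Speed warnings."""
    d = parse_csp(policy)
    findings = []
    if "script-src" not in d and "default-src" not in d:
        findings.append("script-src directive is missing")
    if d.get("object-src") != ["'none'"]:
        findings.append("Missing object-src")
    return findings

def audit_config(lines):
    """Audit every CSP header value the server would actually send."""
    return {value: audit(value) for value in apply_mod_headers(lines)}
```

With `Header set`, only the last policy (connect-src) reaches the scanner, so script-src and object-src are both reported missing; switching the same lines to `Header add` sends four separate policies, three of which still lack script-src, and only the combined single header passes clean.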