Muut
November 17, 2015, 12:28am
1
Hi everyone!
I’m trying to add a CSP to the server that runs my Grav website.
So I added this to the .htaccess:
Headers set Content-Security-Policy "default-src 'self' https://fonts.googleapis.com/*"
Of course, I got an internal server error (500).
Do you have any documentation on which domains to allow?
Thanks a lot!
PS: I am quite new to back-end development.
PPS: You’re doing an amazing job <3
Nico.
Muut
November 17, 2015, 1:15am
2
Not sure about that but this is what I have in the getgrav.org .htaccess file:
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
I think I got this from MaxCDN’s technical support.
Muut
November 18, 2015, 8:31am
4
Alright, thanks! I’ll dig into it and keep you posted.
Muut
December 12, 2016, 8:48am
5
Hi,
What I have in my virtual host (nginx):
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' www.gravatar.com data:; style-src 'self' 'unsafe-inline'; font-src 'self' fonts.googleapis.com; child-src 'none'; object-src 'self'; connect-src 'self' getgrav.org";
Have a look at https://content-security-policy.com/; there is a sample at the bottom of the page for Apache; in your case, it should be (not tested):
Header set Content-Security-Policy "default-src 'self' fonts.googleapis.com;"
Hope it helps!
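An added example, not code from this thread or from the Grav project: the .htaccess fragment the first post was aiming for, with the report-only stage a practitioner would run before enforcing anything. Two details matter for a Google Fonts site: the directive is `Header` (an unknown directive such as `Headers` in .htaccess is exactly what produces a 500), and Google Fonts serves its CSS from fonts.googleapis.com but the font files themselves from fonts.gstatic.com, so allowing only the first host still blocks every font. The `/csp-report` endpoint and the `img-src 'self' data:` allowance are assumptions for the sake of the example; adjust them to the site.

```apache
# Added example (not the thread's or Grav's own config).
# Wrapping the directives in <IfModule mod_headers.c> makes a server without
# mod_headers skip them instead of failing the whole .htaccess with a 500.
<IfModule mod_headers.c>
    # Step 1: report-only. Nothing is blocked; the browser logs each violation to
    # its console and POSTs a JSON report to the report-uri (assumed path /csp-report).
    # "always" also attaches the header to non-2xx responses such as 404 pages.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; report-uri /csp-report"

    # Step 2: once the console is clean, swap the header name to enforce the policy.
    # Note there is no "/*" wildcard in CSP source expressions: a bare host already
    # matches every path on it, and a path ending in "/" matches that directory tree.
    # Header always set Content-Security-Policy "default-src 'self'; style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:"
</IfModule>
```

Checking it: load a page, open the browser console, and confirm no CSP violation is reported for the Google Fonts stylesheet or for the .woff2 files it pulls from fonts.gstatic.com; only then uncomment the enforcing `Header` line and remove the report-only one.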