Hi
Using V2025.4
I have recently upgraded from V2023.x
I have a custom page which embeds content from a different site using an IFrame
This worked fine in V2023.x, but since upgrading it no longer works; it just says
“This content is blocked. Contact the site owner to fix the issue”
I assume it's the Content Security Policy (CSP) blocking this - just have no idea where to start
Can CSP be disabled to test if that’s the issue?
Kind Regards
John B
arbei
For better security of your site, you had better configure CSP instead of disabling it. You may turn it off by CSP though.
Hey John,
As Arbei says, it is better to keep it in place. Especially if it is a public facing system. The script kiddies are only getting smarter.
In essence it’s a pretty simple setup.
The key is to put something like this
Config()->append(“CSP.img-src.allow”, “https://quickchart.io”);
in “Global Code”. (Don’t put any comments etc. They get interpreted as well while updating the config for CSP)
The command is the first parameter and in particular the middle part of the parameter, in this case “img-src”.
In the example above “CSP.img-src.allow”
CSP - Control marker
img-src - the directive
allow - the action.
This basically means allow images to be loaded from the site which is the second parameter “https://quickchart.io”.
All the directives can be viewed at Content-Security-Policy - HTTP | MDN
If you're not sure which one you're after, there is a “default-src” which is a catchall and allows any type of reference from the specified site.
Hi arataki
So been trying but not too much success (yet)
I want to embed a page generated on a different server
So I think I need something like
Config()->append(“CSP.default-scr.allow”, “the URL its coming from");
Kind Regards
John B
arbei
You may want to see CSP: frame-src.
Hi sorry
Really struggling with this
I have tried this in Global Code
Config()->append(“CSP.frame-scr.allow”, “the url where the page is”);
and this
Config()->append(“CSP.default-scr.allow”, “the url where the page is”);
Help Appreciated
Kind Regards
John B
Just a thought. Is CSP switched on in Advanced Settings?
Also note, if you cut and pasted the original command from here, replace the quotes. The format you have looks fine.
Here’s my Global Code in a project I have and it works no probs.
arbei
Press F12 in your browser, go to the Console panel to check the errors and find the correct directive that you should set for CSP.
Hi
So F12 reveals this
I added this to Global Code
but it's still blocked
Is my syntax correct for the line in Global Code?
Kind Regards
John B
arbei
Double check the spelling of the directive in your code.
mobhar
It should be frame-src instead of frame-scr.
Not CSP.frame-scr, but CSP.frame-src instead
Thanks so much, apologies for the lengthy thread
Kind Regards
John B
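
The two failure modes this thread ran into (a misspelled directive and curly quotes pasted from the forum) can be caught before deployment. The following is an added example, not code from any poster or from the product: a small Python linter that scans Global Code for the `CSP.<directive>.<action>` key shape shown above. The sample input is constructed, `https://embed.example` is a placeholder, and the directive list is the standard CSP source-list names from MDN, not a statement of what the product accepts.

```python
import difflib
import re

# Standard CSP directives that take a source list (names as listed on MDN).
CSP_DIRECTIVES = sorted({
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
})

# Key shape used in the thread: Config()->append("CSP.<directive>.<action>", ...)
# The single "." before CSP matches either a straight or a curly opening quote.
KEY_RE = re.compile(r"Config\(\)->append\(\s*.CSP\.([A-Za-z-]+)\.(\w+)")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample Global Code; embed.example is a placeholder origin.
SAMPLE = """\
Config()->append("CSP.img-src.allow", "https://quickchart.io");
Config()->append("CSP.frame-scr.allow", "https://embed.example");
Config()->append(\u201cCSP.default-scr.allow\u201d, "https://embed.example");
Config()->append("CSP.frame-src.allow", "https://embed.example");
"""

def lint_global_code(source):
    """Return (line_no, message) findings for CSP config lines in source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        match = KEY_RE.search(line)
        if not match:
            continue
        directive = match.group(1)
        if any(ch in line for ch in CURLY_QUOTES):
            findings.append((no, "curly quotes found; retype as straight quotes"))
        if directive not in CSP_DIRECTIVES:
            guess = difflib.get_close_matches(directive, CSP_DIRECTIVES, n=1)
            hint = f"; did you mean '{guess[0]}'?" if guess else ""
            findings.append((no, f"unknown directive '{directive}'{hint}"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_global_code(SAMPLE):
        print(f"line {line_no}: {message}")
```
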