Refused to connect to 'http://someURL' because it violates the following Content Security Policy directive: "connect-src http://someURL"

http nginx

Well, that's the error which comes up from my browser console, I am working with one domain and that domain has only one sub-domain, and I still don't have access to the sub-domain. Actually I am receiving some other errors.

My guess is that the mistake I have is in the add_header Content-Security-Policy, in the connect-src part. : this is the domain part and the Content-Security-Policy:

server {
    large_client_header_buffers 1 1K;

    listen       80;
    server_name  www.just4bettors.mobi  just4bettors.mobi;
    root   /home/c0pt/capilleira/capilleiraclickandgamblemobile/www;

    location / {
        index  index.html index.htm;
        ...
    }

    add_header Content-Security-Policy
    "default-src 'self' http://just4bettors.mobi:1337;
     connect-src http://just4bettors.mobi
                 http://just4bettors.mobi:1337
                 http://www.just4bettors.mobi
                 http://www.just4bettors.mobi:1337";
}

and this is the part for the sub-domain:

server {
   listen 80;
   server_name www.desktop.just4bettors.mobi  desktop.just4bettors.mobi;
   root   /home/c0pt/capilleira/capilleiraclickandgambleweb/dist;
   location / {
        index index.html index.htm;
        ...
   }

   add_header Content-Security-Policy add_header
   "default-src 'self' http://www.just4bettors.mobi;
    connect-src http://just4bettors.mobi
                http://just4bettors.mobi:1337
                http://www.just4bettors.mobi
                http://www.just4bettors.mobi:1337
                http://www.desktop.just4bettors.mobi:1337
                http://www.desktop.just4bettors.mobi";
}

this part of the errors I am getting in the console

Refused to connect to 'http://www.desktop.just4bettors.mobi/views/accFiguresModal.html' because it violates the following Content Security Policy directive: "connect-src http://just4bettors.mobi http://just4bettors.mobi:1337 http://www.just4bettors.mobi http://www.just4bettors.mobi:1337".

the issue actually comes up only when I try to connect to www.desktop.just4bettors.mobi but if I put www.just4bettors.mobi everything works properly

so, where is my error here ?


Try add header Content-Security-Policy to your meta tag:

"connect-src http://just4bettors.mobi http://just4bettors.mobi:1337 http://www.just4bettors.mobi http://www.desktop.just4bettors.mobi;"

Complete meta tag will be like this:

"default-src 'self' http://www.just4bettors.mobi; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' http://placehold.it https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com  https://themes.googleusercontent.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src 'self'; object-src 'none'; connect-src http://just4bettors.mobi http://just4bettors.mobi:1337 http://www.just4bettors.mobi http://www.desktop.just4bettors.mobi;"

Related

MongoDB Oplog Security
Is there a reason NOT to install the RSAT-ADDS tools on an Exchange 2013 CAS server?
Redis Sentinel does not take action when the master goes down
Site to Site VPN between CISCO 2921 and Sonicwall NSA 3600: NO_PROPOSAL_CHOSEN
Outgoing brute force attacks from my server
How to find size of atomic write for nginx access log buffer?
Tracing Untraceable AD Account Lockouts
Windows 8.1 Pro migrating "Microsoft live" account to domain account
docker-compose down with a non-default yml file name
How to convert BigInt to Number in JavaScript?
How can I replace newlines using PowerShell?
XSL: Avoid exporting namespace definitions to resulting XML documents