Shield adds attributes to the CSP policy that aren't specified.

Using the following configuration on my [website](digitalmint.io):

```
        shield({
            sri: { 
                enableStatic: true,
                scriptsAllowListUrls: [
                    'https://consent.cookiebot.com/uc.js',
                    'https://consent.cookiebot.com/<ATTRIBUTE>/cd.js',
                    'https://www.googletagmanager.com/gtag/js?id=<TAG>'
                  ],
             },
            securityHeaders: {
                enableOnStaticPages: {
                    provider: "netlify"
                },
                contentSecurityPolicy: {
                    // Needed for astro-shield
                }
            }
        })
```


The following errors are seen in the console:
```
Content-Security-Policy warnings 5
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified
```

and `None of the “sha256” hashes in the integrity attribute match the content of the subresource. The computed hash is “a0YhhoysWJpgP+EmOq0kL2cmLvlxvayszBpRXNBIhGY=”.`

This was noticed on Firefox.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Shield adds attributes to the CSP policy that aren't specified. #152

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development