Content-Security-Policy: sandbox directive: This directive is not supported in the Meta element #1771
Describe the problem/question:
Content-Security-Policy: sandbox directive: This directive is not supported in the Meta element

Did you use the FAQ section?

What you did?

What happens:
Browser Warning in Debugging Tools

What should happen:
How to get rid of warning without lowering security? (given that the CSP meta tag is ignored, it was never applied in the first place)

Issue reproducibility:
No, I cannot reproduce it on https://privatebin.net.
Replies: 1 comment
First, this is a warning, not breaking anything. The stronger CSP policy as per the HTTP header should still be applied (including sandbox), but we decided to also send it in the meta tag, in case someone runs privatebin by accident on a server that strips the HTTP header or replaces it with a less strict one.

Second, it should have stripped that part from the CSP in the meta tag, as we deal with that in:

PrivateBin/lib/Controller.php, lines 444 to 452 in 9a29894

I've just compared both patterns with the currently configured default CSP, but it seems to still match those and as you report, that part is correctly stripped on privatebin.net. If you had your reasons to change the default CSP, would you share those changes with us, if they would benefit other users of the project? Otherwise you'd have to change the pattern in the above code in your install to match your own policy.
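The approach the reply describes, as an added example that is not PrivateBin's own code (the project's real pattern lives in the Controller.php lines referenced above): the full policy goes out in the HTTP header, and a copy with the header-only directives removed goes into the meta tag. It goes slightly beyond the thread by also dropping frame-ancestors and report-uri, which the CSP specification likewise does not support in a meta element; the sample policy is constructed, not the project's default.

```php
<?php
// Added example, not PrivateBin code. Browsers ignore these directives inside
// <meta http-equiv="Content-Security-Policy"> and log a warning in the developer
// tools, so they are dropped from the meta copy only; the HTTP header keeps the
// full, stronger policy.
const META_UNSUPPORTED = ['sandbox', 'frame-ancestors', 'report-uri'];

function cspForMetaTag(string $csp): string
{
    $kept = [];
    foreach (explode(';', $csp) as $directive) {
        $directive = trim($directive);
        if ($directive === '') {
            continue;
        }
        // The directive name is the first whitespace-separated token (case-insensitive).
        $name = strtolower(strtok($directive, " \t"));
        if (!in_array($name, META_UNSUPPORTED, true)) {
            $kept[] = $directive;
        }
    }
    return implode('; ', $kept);
}

// Constructed sample policy (not copied from the project's configuration).
$headerCsp = "default-src 'none'; script-src 'self'; img-src 'self' data:; "
    . "style-src 'self'; sandbox allow-same-origin allow-scripts allow-forms; "
    . "frame-ancestors 'none'";

$metaCsp = cspForMetaTag($headerCsp);

// Full policy in the HTTP header (header() is a no-op when run from the CLI) ...
header('Content-Security-Policy: ' . $headerCsp);
// ... and the reduced copy in the document, as a fallback in case a proxy strips the header.
echo '<meta http-equiv="Content-Security-Policy" content="'
    . htmlspecialchars($metaCsp, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;
```

To confirm the result in the browser's developer tools, check that the response header still contains the sandbox directive, the meta tag does not, and the warning no longer appears.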