Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

I have integrated single sign-on in our application using WS-Federation (ADFS). After sign-out, it redirects to the page as successfully logged out and back to the login page. This flow works correctly after hosting on the Windows server, but after hosting on the Nginx server I'm having a problem: it's not redirecting to the login page. The console error says,

Refused to frame 'https://xxx-yyy.zzz.rr/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

Then I searched regarding this and added the Content Security Policy (CSP) to the Nginx config file like below.

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css";
add_header Content-Security-Policy "style-src 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css";
add_header Content-Security-Policy "frame-src 'unsafe-inline' 'self' none";
add_header Content-Security-Policy "default-src 'unsafe-inline'  'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css  ";
add_header Content-Security-Policy "frame-ancestors 'self' 'unsafe-inline' none";

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com  https://fonts.gstatic.com";    

I tried several ways, but I couldn't figure it out. If anyone can help me fix this issue, it would be much appreciated. Thanks in advance.



Solution 1:[1]

  1. You publish several CSPs at the same time; they do not work as you think. If multiple CSPs are published, they are combined with a logical 'AND'.
    But you trickily use unique directives in each CSP, therefore the whole set would work as intended if not for the default-src directive. If it's issued in a separate CSP, default-src overrides all other fallback directives. As a result you have the 'unsafe-inline' 'self' rule for all directives.

You have to place all directives in the one add_header Content-Security-Policy.

  2. You have some errors in the rules, for example:
  • the https://fonts.googleapis.com/css source should have a trailing /, because it's a folder name, not a file name.
  • the none token should be single-quoted, 'none', and it will be ignored if it's combined with other sources.
  • "frame-src 'unsafe-inline' 'self' none" - frame-src does not support the 'unsafe-inline' token.
  • "frame-ancestors 'self' 'unsafe-inline' none" - frame-ancestors does not support the 'unsafe-inline' token.
  • "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com" - font-src does not support the 'unsafe-inline' token.
  • "default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css " - the ; (semicolon) after 'self' terminates the default-src rule set, therefore https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css is counted as a directive name.

Here are your rules:

add_header Content-Security-Policy " \
default-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
font-src 'self' https://netdna.bootstrapcdn.com https://fonts.gstatic.com; \
frame-ancestors 'self'; \
frame-src 'self'; \
style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
style-src-elem 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
"
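The two mechanisms the answer above relies on (several Content-Security-Policy headers being enforced as separate policies that must all allow a load, and a directive such as frame-src falling back to default-src when it is absent) can be modelled in a few dozen lines. The block below is an added example written for this page; it is neither the asker's nginx configuration, nor granty's, nor a browser implementation. It parses the asker's header values verbatim, shows the stray ';' turning a URL into a "directive", shows why the IdP frame and an external font are both refused under the separate headers, and then evaluates one consolidated policy. Assumptions not on the page: the application origin https://app.example.test, the constructed font URL, the function names, and that the IdP at https://xxx-yyy.zzz.rr is a different origin from the application (which the error message implies, since 'self' did not match it), so the consolidated policy lists that origin in frame-src. Host matching is the subset the page's URLs need (no wildcards, nonces or hashes).

```javascript
// Added example for this page: a toy CSP evaluator. Not the asker's config,
// not granty's answer, and not a browser implementation.

// Parse one header value into a Map: directive name -> array of source tokens.
// The value is split on ';' and the first token of each piece is the directive
// name, so "default-src 'self'; https://cdn.example/x.css" yields a second
// "directive" named https://cdn.example/x.css.
function parsePolicy(value) {
  const directives = new Map();
  for (const piece of value.split(";")) {
    const tokens = piece.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // duplicate directive: first wins
  }
  return directives;
}

// Fallback chains for the directives used on this page.
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "child-src": ["default-src"],
  "font-src": ["default-src"],
  "style-src": ["default-src"],
  "style-src-elem": ["style-src", "default-src"],
  "script-src": ["default-src"],
};

// The directive that actually governs `directive` in this policy, or null when
// neither it nor any fallback is present (then the policy does not restrict it).
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return null;
}

// Does one source expression permit `url`? Quoted keywords other than 'self'
// ('unsafe-inline', 'none', nonces, hashes) never match a URL, so 'unsafe-inline'
// inside frame-src or font-src contributes nothing.
function sourceMatches(expr, url, self) {
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/]+)(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  if (host.toLowerCase() !== url.host) return false; // an unquoted `none` is just a host that never matches
  if (!path) return true;                             // host-only source: any path
  // Path semantics: a trailing '/' is a prefix match, otherwise the path must match exactly.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function allowedByPolicy(policy, directive, urlStr, selfStr) {
  const eff = effectiveSources(policy, directive);
  if (eff === null) return true;
  const url = new URL(urlStr), self = new URL(selfStr);
  return eff.sources.some((src) => sourceMatches(src, url, self));
}

// Several CSP headers are independent policies: the load is allowed only if every one allows it.
function allowed(headerValues, directive, urlStr, selfStr) {
  return headerValues.every((v) => allowedByPolicy(parsePolicy(v), directive, urlStr, selfStr));
}

const SELF = "https://app.example.test/";                       // assumed application origin
const IDP = "https://xxx-yyy.zzz.rr/";                          // the framed page from the question
const FONT = "https://fonts.gstatic.com/s/demo/v1/demo.woff2";  // constructed font URL

// The asker's separate header values, verbatim.
const SEPARATE = [
  "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css",
  "frame-src 'unsafe-inline' 'self' none",
  "default-src 'unsafe-inline'  'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css  ",
  "frame-ancestors 'self' 'unsafe-inline' none",
  "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com  https://fonts.gstatic.com",
];

// One consolidated policy. Assumption: the IdP is a different origin, so it is
// listed in frame-src explicitly; 'self' alone never matches a foreign origin.
const COMBINED =
  "default-src 'self'; " +
  "frame-src 'self' https://xxx-yyy.zzz.rr; " +
  "frame-ancestors 'self'; " +
  "font-src 'self' https://netdna.bootstrapcdn.com https://fonts.gstatic.com; " +
  "style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/";

function demo() {
  return {
    strayDirectives: [...parsePolicy(SEPARATE[2]).keys()],                                // bootstrap URL appears as a directive
    frameGovernedBy: effectiveSources(parsePolicy(SEPARATE[2]), "frame-src").from,       // "default-src"
    frameIdpSeparate: allowed(SEPARATE, "frame-src", IDP, SELF),                          // false: "Refused to frame"
    fontSeparate: allowed(SEPARATE, "font-src", FONT, SELF),                              // false: default-src header blocks it
    frameIdpCombined: allowed([COMBINED], "frame-src", IDP, SELF),                        // true
    fontCombined: allowed([COMBINED], "font-src", FONT, SELF),                            // true
  };
}

console.log(demo());
```

Run it with node. The fontSeparate result is the part that is easy to miss: the font-src header on its own allows fonts.gstatic.com, but the separate default-src header contains no font-src, so in that policy fonts fall back to 'unsafe-inline' 'self' and the font is refused even though another header permitted it. That is the logical AND the answer describes.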

Solution 2:[2]

In my case I followed the tip of @granty about the first point

You publish a several CSPs at the same time, they work not as you think. If multiple CSP published, they are combined with logical 'AND'.

And I "removed" the header in my Nginx configuration:

add_header X-Frame-Options "";

In my Keycloak, the headers of Security Defenses are:

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: granty
Solution 2: jesus.saad