'Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

I have integrated the single-sign-on in our application using WsFedration(ADFS) after the sign-out, it's redirecting to the page as successfully log out and back to the login page. this follow is working correctly after hosting in the windows server, but after the hosting, to the Nginx server I'm having a problem, it's not redirecting to the login page, console error says,

Refused to frame 'https://xxx-yyy.zzz.rr/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

then I search regarding this and added the Content Security Policy (CSP) to the Nginx config file like below.

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "style-src-elem 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css";
add_header Content-Security-Policy "style-src 'unsafe-inline' 'self' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css";
add_header Content-Security-Policy "frame-src 'unsafe-inline' 'self' none";
add_header Content-Security-Policy "default-src 'unsafe-inline'  'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css  https://fonts.googleapis.com/css  ";
add_header Content-Security-Policy "frame-ancestors 'self' 'unsafe-inline' none";

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com  https://fonts.gstatic.com";

I tried several ways, but I couldn't figure it out , if anyone can help me to fix this issue much appreciated. thanks in advance.

content-security-policy


Solution 1:[1]

  1. You publish a several CSPs at the same time, they work not as you think. If multiple CSP published, they are combined with logical 'AND'.
    But you trickely use unique directives in each CSP, therefore the whole set would work as intended if not the default-src directive. If it's issued in a separate CSP, the default-src overrides all other fallback-directives. As result you have 'unsafe-inline' 'self' rule for all directives.

You have to place all directives in the one add_header Content-Security-Policy.

  1. You have some errors in rules, for example:
  • https://fonts.googleapis.com/css source should have trailing /, because it;s a folder name, not file name.
  • none token should be single quoted - 'none', and it will be ignored if it's combined with the other sources.
  • "frame-src 'unsafe-inline' 'self' none" - the frame-src is not support 'unsafe-inline' token.
  • "frame-ancestors 'self' 'unsafe-inline' none" - the frame-ancestors is not support 'unsafe-inline' token.
  • "font-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com https://fonts.gstatic.com" - the font-src is not support 'unsafe-inline' token.
  • "default-src 'unsafe-inline' 'self'; https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css " - the ;(semicolon) after 'self' does finish the default-src rules set, therefore https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css is counted as directive name.

Here your rules:

add_header Content-Security-Policy " \
default-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
font-src 'self' https://netdna.bootstrapcdn.com https://fonts.gstatic.com; \
frame-ancestors 'self'; \
frame-src 'self'; \
style-src 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
style-src-elem 'self' 'unsafe-inline' https://netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap-glyphicons.css https://fonts.googleapis.com/css/; \
"

Solution 2:[2]

In my case I follow the tip of @granty about first topic

You publish a several CSPs at the same time, they work not as you think. If multiple CSP published, they are combined with logical 'AND'.

And I "remove" the Header in my Nginx configuration:

add_header X-Frame-Options "";

In my Keycloak the Headers of Security Defenses are:

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 granty
Solution 2 jesus.saad

Related Questions

Jenkins Content Security Policy

content-security-policy doesn't work; I want to have my website load in an iFrame on ONE other website only

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

How do I allow the Geolocation API inside an iframe?

Why won't my content security policy deploy to CloudFront?

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

Why can't Mozilla observatory detect the http security headers on my website anymore?

Angular build generates index.html with <style> tag

Content Security Policy violation with Bootstrap 5

How to have Cypress go through every page on site to see if there are any console errors and if so, make it known to the user running the test

Angular application throwing "inline style..." error due to CSP response header configured on server

Chrome Extension: Refused to load the script, because it violates the following Content Security Policy directive: "script-src 'self'"

Unable to use dynamic svg url in github Readme.md

Chrome data-URI; CSP-violation although nonce- and sha256- are set