'Why won't my content security policy deploy to CloudFront?

I'm composing a fairly large CSP and deploying it to CloudFront with CloudFormation. The old CSP worked, but the new one doesn't. It doesn't look like it has any syntax errors.

Resource:

AWS::CloudFront::ResponseHeadersPolicy
 - ResponseHeadersPolicyConfig
  - SecurityHeadersConfig
   - ContentSecurityPolicy

The error is:

UPDATE_FAILED - Internal error reported from downstream service during operation 'AWS::CloudFront::ResponseHeadersPolicy'

amazon-cloudfrontcontent-security-policy


Solution 1:[1]

The policy is too long

I'm pretty sure this was due to the CSP simply being too long. I can't find anything in the docs (neither W3C nor AWS) that say there's a limit to the length. But it seems that CloudFront won't accept a CSP longer than 1780 characters. Since I'm using the upgrade-insecure-requests directive, I don't really need to specify the scheme for the sources. So, changing the sources like this fixed the problem:

- default-src https://foo.example
+ default-src foo.example

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions

Jenkins Content Security Policy

content-security-policy doesn't work; I want to have my website load in an iFrame on ONE other website only

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

How do I allow the Geolocation API inside an iframe?

Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

Why can't Mozilla observatory detect the http security headers on my website anymore?

Angular build generates index.html with <style> tag

Content Security Policy violation with Bootstrap 5

How to have Cypress go through every page on site to see if there are any console errors and if so, make it known to the user running the test

Angular application throwing "inline style..." error due to CSP response header configured on server

Chrome Extension: Refused to load the script, because it violates the following Content Security Policy directive: "script-src 'self'"

Unable to use dynamic svg url in github Readme.md

Chrome data-URI; CSP-violation although nonce- and sha256- are set