Content Security Policy style-src refuses to load in Safari
Question
Using Safari 11.0 I am receiving an error trying to load a CSS resource on a website I maintain. The page loads fine in Chrome and Firefox, and used to load fine in Safari, so I'm not sure how to resolve it. I'm guessing I need to modify the Content-Security-Policy header.
The specific error from the Safari console is Refused to load https://****.com/css/styles.css because it does not appear in the style-src directive of the Content Security Policy. As a result of this, the styles.css file isn't loading and the website is rendered incorrectly.
The security headers for the website (set via caddy) are:
Content-Security-Policy default-src 'self' https:; script-src 'self'; style-src 'self'; object-src 'none' Content-Type text/html; charset=utf-8 Referrer-Policy strict-origin Server Caddy Strict-Transport-Security max-age=31536000; includeSubDomains; preload
1 answers
solution1
2 ACCPTED 2017-10-02 00:31:08
Change the style-src part of the Content-Security-Policy header value so that it's instead style-src 'self' https://****.com . That is, replace the ****.com in https://****.com with whatever the actual hostname is.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.