Content Security Policy trying to understand why not working


Colin Bester

May 7, 2018, 6:27:25 PM
to Lift
Running Liftweb 3.x in the Eclipse IDE and using the Jetty plugin 9.2.x.

On running the application and pointing the browser at the login page I get the following warnings in the Jetty logs; I don't see any warnings in the browser inspector console.

40881 [qtp1287712235-16] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'data' was blocked because it violated the
       | directive 'font-src'. The policy that specified
       | this directive is: 'default-src 'self'; connect-src *; font-src 'unsafe-eval' 'unsafe-inline' 'self'; img-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' *; report-uri /bc/lift/content-security-policy-report'.
42592 [qtp1287712235-18] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'data' was blocked because it violated the
       | directive 'img-src'. The policy that specified
       | this directive is: 'default-src 'self'; connect-src *; font-src 'unsafe-eval' 'unsafe-inline' 'self'; img-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' *; report-uri /bc/lift/content-security-policy-report'.

My interpretation is that font-src and img-src are not correctly set up, but I can't see why.

My LiftRules settings in Boot are:

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    // renders as: style-src 'unsafe-inline' *
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.All
    ),
    // renders as: connect-src *
    connectSources = List(
      ContentSourceRestriction.All
    ),
    // renders as: script-src 'unsafe-eval' 'unsafe-inline' 'self'
    scriptSources = List(
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    ),
    // renders as: img-src 'unsafe-inline' 'self' (no scheme source such as data:)
    imageSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    ),
    // renders as: font-src 'unsafe-eval' 'unsafe-inline' 'self' (no scheme source such as data:)
    fontSources = List(
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self
    )
  )))
}

 LiftRules.extractInlineJavaScript = true

For fonts I enabled UnsafeEval and UnsafeInline as well as Self, which I thought would cover all bases.

Not sure why neither the Safari nor the Chrome debug inspector is showing the warnings, as that would help narrow it down.

Suggestions appreciated on how to dig in.

Tim Nelson

May 8, 2018, 7:33:23 AM
to Lift
Hi Colin,

I believe you need to add 
ContentSourceRestriction.Scheme("data")

Tim

Colin Bester

May 8, 2018, 9:22:54 AM
to Lift
Thanks, will read up on function and test.

Colin Bester

May 9, 2018, 6:27:35 PM
to Lift
Thanks, that solved the issue.
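Why Tim's one-token fix works, as an added example that is not part of the thread or of Lift's own code: a small JavaScript model of how a browser matches a fetch directive's source list (font-src, img-src, ...) against the URL of a resource. It parses the exact policy string quoted in the log lines above and compares it with a constructed "fixed" policy in which the `data:` scheme-source has been added to font-src and img-src, which is the token Lift renders for `ContentSourceRestriction.Scheme("data")`. The page URL `http://localhost:8080/bc/login`, the resource URLs and the fixed policy string are all constructed for the example; host-source matching is simplified (no paths, nonces, hashes or the http-to-https upgrade rule).

```javascript
// Teaching model of CSP source-list matching for fetch directives. Added to
// explain the thread's violation reports; it is not Lift code. Simplified:
// no paths in host-sources, no nonces/hashes, no http -> https upgrade rule.

// Serialized policy -> Map(directive name -> source tokens). A repeated
// directive is ignored (first occurrence wins), as the spec requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A fetch directive falls back to default-src when absent; with neither,
// that resource type is unrestricted (null).
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  return directives.has("default-src") ? directives.get("default-src") : null;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const EXCLUDED_FROM_STAR = ["data:", "blob:", "filesystem:"];

// Match one source expression against a URL fetched by a document at `self`.
function expressionMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  // 'self' is an origin comparison. A data: URL has an opaque ("null")
  // origin, so 'self' can never match it.
  if (e === "'self'") return url.origin !== "null" && url.origin === self.origin;
  // 'unsafe-inline' and 'unsafe-eval' only govern inline script/style and
  // eval(); they say nothing about which URLs may be fetched.
  if (e.startsWith("'")) return false;
  // '*' deliberately excludes data:, blob: and filesystem: URLs.
  if (e === "*") return !EXCLUDED_FROM_STAR.includes(url.protocol);
  // scheme-source, e.g. "data:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  return hostSourceMatches(e, url, self);
}

// host-source: [scheme://]host[:port]; host may start with "*.".
function hostSourceMatches(expr, url, self) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const exprScheme = scheme ? scheme + ":" : self.protocol;
  if (url.protocol !== exprScheme) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  if (port === "*") return true;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  return urlPort === (port || DEFAULT_PORT[exprScheme] || "");
}

// May a document at `pageUrl` load `resourceUrl` for `directive` under
// `policy`? Also reports the source list that decided the outcome.
function evaluate(policy, directive, resourceUrl, pageUrl) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return { allowed: true, governedBy: null };
  const url = new URL(resourceUrl);
  const self = new URL(pageUrl);
  const allowed = sources.some((s) => expressionMatches(s, url, self));
  return { allowed, governedBy: sources.join(" ") };
}

// The policy quoted verbatim in the thread's log lines.
const THREAD_POLICY =
  "default-src 'self'; connect-src *; " +
  "font-src 'unsafe-eval' 'unsafe-inline' 'self'; img-src 'unsafe-inline' 'self'; " +
  "script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' *; " +
  "report-uri /bc/lift/content-security-policy-report";

// Constructed: the same policy with the data: scheme-source added to font-src
// and img-src only (the token ContentSourceRestriction.Scheme("data") renders).
const FIXED_POLICY =
  "default-src 'self'; connect-src *; font-src data: 'self'; img-src data: 'self'; " +
  "script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' *; " +
  "report-uri /bc/lift/content-security-policy-report";

const PAGE = "http://localhost:8080/bc/login"; // constructed page URL

// Before/after verdicts for constructed resources like those in the thread.
function demo() {
  const cases = [
    ["font-src", "data:font/woff2;base64,d09GMgABAAAA"],
    ["img-src", "data:image/png;base64,iVBORw0KGgo="],
    ["font-src", "http://localhost:8080/bc/fonts/app.woff2"],
    ["script-src", "data:text/javascript,alert(1)"],
  ];
  return cases.map(([directive, url]) => ({
    directive,
    url,
    before: evaluate(THREAD_POLICY, directive, url, PAGE).allowed,
    after: evaluate(FIXED_POLICY, directive, url, PAGE).allowed,
  }));
}

console.table(demo());
```

Run it with `node` and the table shows the thread's two reports reproduced: the inline-embedded font and image are `data:` URLs, which have an opaque origin, so `'self'` never matches them, and `'unsafe-eval'`/`'unsafe-inline'` are keywords about inline script and style, not about fetches, so adding them to font-src changes nothing. Neither does `*`, which by design excludes `data:`, `blob:` and `filesystem:` (so the `style-src 'unsafe-inline' *` in the same policy would also not admit a `data:` stylesheet). Only the `data:` scheme-source admits them, and it should be added only to the directives that need it: the model shows a `data:` script staying blocked under the fixed policy, which is what you want, since `data:` in script-src would let any injected `<script src="data:...">` run. The warnings appeared in the Jetty log rather than the browser console because the policy carries a `report-uri`, so the browser POSTs each violation to `/bc/lift/content-security-policy-report` and Lift logs it there.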