I'd like to set a content security policy header for a Joomla website running on Apache 2.4.
Using this configuration from h5bp and setting Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
gives me a blank page for the Joomla login page at www.example.com/administrator/. How can I use this policy and still log in?
Checking the console, the error message is:
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://www.example.com").
The administrator page is entirely served from example.com, there is no third-party content. The site works perfectly except for the blank page on the login page with the policy set. Checking the /administrator page source, it looks completely ordinary except that the JS isn't run. A copy of the complete page source is here.
Because I have whitelisted example.com with "script-src 'self'; object-src 'self'" I expect that the page will render but I'm obviously missing something.
I've now re-tested this with a new VPS and clean install of Joomla with no customisations. Setting the content security policy and restarting Apache immediately reproduces the issue - totally blank admin page with accompanying console error in the browser complaining about the policy blocking the loading of resources. Changing "script-src 'self'
to "script-src 'example.com'
or "script-src 'IP:AD:DR:ESS'
doens't help, all scripts are blocked, period.
Any idea how to get this working or further troubleshoot it?
After looking at the source code, it appears that the error message is erroneous and misleading. What appears to be causing your problem is that there are several inline JavaScript elements. In other words, the policy you are defining allows content like this:
But not like this:
In order to allow inline JavaScript (not recommended as this defeats the purpose of using CSP), you need to modify your policy to something like:
Alternatively, you can refactor the code to not use inline JS, or take advantage of the nonce attribute. Keep in mind that support for the nonce attribute is not currently present in all browsers (it is part of the latest spec for Content Security Policy). To my knowledge, it is currently only supported in Chrome.