kindspells / astro-shield

Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.
https://astro-shield.kindspells.dev
MIT License

Shield adds attributes to the CSP policy that aren't specified. #152

Open dsmith-digitalmint opened 1 month ago

dsmith-digitalmint commented 1 month ago

Using the following configuration on my website:

    shield({
        sri: {
            enableStatic: true,
            scriptsAllowListUrls: [
                'https://consent.cookiebot.com/uc.js',
                'https://consent.cookiebot.com/<ATTRIBUTE>/cd.js',
                'https://www.googletagmanager.com/gtag/js?id=<TAG>'
            ],
        },
        securityHeaders: {
            enableOnStaticPages: {
                provider: "netlify"
            },
            contentSecurityPolicy: {
                // Needed for astro-shield
            }
        }
    })

The following errors are seen in the console:

Content-Security-Policy warnings 5
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified

and:

None of the “sha256” hashes in the integrity attribute match the content of the subresource. The computed hash is “a0YhhoysWJpgP+EmOq0kL2cmLvlxvayszBpRXNBIhGY=”.

This was noticed on Firefox.