Nginx
Alex Xmel, 2021-09-30 16:30:07

How to combine nginx, jivosite and CSP?

nginx has the following line:

add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;


If it is present, jivosite does not work and a lot of errors are thrown into the console: cards, css and js are partially found, and partially not.

The jivosite call is written in <head>:
<script src="//code-ya.jivosite.com/widget/A4gI9bh809" async></script>
 
In the same place, earlier, I added this line:
<meta http-equiv="Content-Security-Policy"
          content="default-src *.jivosite.com chat.ws.yandex.ru; connect-src ws://*.jivosite.com;">

But all to no avail: jivosite won't start normally.
If you remove the CSP from nginx and <head>, then everything works fine. Tell me, how can I start jivosite and at the same time leave the CSP rule in nginx enabled?


1 answer(s)
Alexander Karabanov, 2021-09-30
@karabanov

You can try like this.
Add to Nginx config:

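# The header name takes no colon; the whole policy is one quoted string, and report-uri takes no colon either.
add_header  Content-Security-Policy "default-src 'self'; report-uri https://example.com/csp/report";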

Replace "https://example.com/csp/report" with the address of a script that can accept and log a JSON report (it can be thrown together quickly with nc -l <port> or python -m SimpleHTTPServer [port]).
Apply the config (nginx -t && systemctl reload nginx).
Refresh the page and see in the log what resources were blocked.
Add Blocked Resources to CSP: Improve Network Security with Content S...
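
A minimal receiver for the reports the answer describes, as an added example that is not part of the original answer: it accepts the browser's legacy report-uri JSON POST and groups the blocked sources by directive, so each one can be reviewed before it is added to the policy. The port 8080, the function names and the sample reports are assumptions made for illustration.

```python
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def blocked_source(report):
    """Return (directive, source) for one legacy report-uri JSON body."""
    r = report.get("csp-report", {})
    directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
    blocked = r.get("blocked-uri", "")
    parts = urlsplit(blocked)
    # Full URLs collapse to scheme://host; keywords such as "inline" or "eval" stay as-is.
    source = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
    return directive, source

def summarize(bodies):
    """Group blocked sources by directive for review before allow-listing."""
    seen = defaultdict(set)
    for body in bodies:
        try:
            directive, source = blocked_source(json.loads(body))
        except (ValueError, AttributeError):
            continue  # not JSON, or not the expected object: ignore junk sent to the endpoint
        if directive and source:
            seen[directive].add(source)
    return {d: sorted(s) for d, s in seen.items()}

class ReportHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Cap the body size: the endpoint is reachable by anything that loads the page.
        length = max(0, min(int(self.headers.get("Content-Length", 0)), 65536))
        print(summarize([self.rfile.read(length)]))
        self.send_response(204)
        self.end_headers()

# Constructed sample reports (not captured from a real site).
SAMPLE = [
    '{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "https://code.example.net/widget/abc"}}',
    '{"csp-report": {"violated-directive": "connect-src", "blocked-uri": "wss://chat.example.net/socket"}}',
    '{"csp-report": {"effective-directive": "style-src-elem", "blocked-uri": "inline"}}',
    'not json',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

Each origin in the output maps to one source expression under the matching directive (or under default-src); an "inline" entry means the page relies on inline script or style, which needs a nonce, a hash or 'unsafe-inline' rather than a host name.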
