Using the following configuration on my website:
```js
shield({
  sri: {
    enableStatic: true,
    scriptsAllowListUrls: [
      'https://consent.cookiebot.com/uc.js',
      'https://consent.cookiebot.com/<ATTRIBUTE>/cd.js',
      'https://www.googletagmanager.com/gtag/js?id=<TAG>'
    ],
  },
  securityHeaders: {
    enableOnStaticPages: {
      provider: "netlify"
    },
    contentSecurityPolicy: {
      // Needed for astro-shield
    }
  }
})
```
The following errors are seen in the console:
Content-Security-Policy warnings 5
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: “strict-dynamic” specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'self'” within script-src: “strict-dynamic” specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “https:” within script-src: “strict-dynamic” specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “http:” within script-src: “strict-dynamic” specified [digitalmint.io](https://digitalmint.io/)
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified
and None of the “sha256” hashes in the integrity attribute match the content of the subresource. The computed hash is “a0YhhoysWJpgP+EmOq0kL2cmLvlxvayszBpRXNBIhGY=”.
This was noticed on Firefox.
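
The five CSP warnings above follow from how CSP Level 3 browsers evaluate `script-src`. The sketch below is an added example, not part of the original report and not astro-shield code; it reproduces that evaluation. The report does not show the emitted header, so `SAMPLE_POLICY`, its hash value and the function names are constructed for illustration.

```javascript
// Constructed policy (assumption): a backwards-compatible script-src that
// combines allowlist fallbacks with 'strict-dynamic' and a hash-source.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'unsafe-inline' 'self' https: http: " +
  "'strict-dynamic' 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='";

const NONCE_OR_HASH =
  /^'(nonce-[A-Za-z0-9+/_=-]+|sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2})'$/;

// Return the source list of one directive, or null if it is absent.
function parseDirective(policy, name) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Report which script-src sources a CSP3 browser ignores, and why.
function analyseScriptSrc(policy) {
  const sources = parseDirective(policy, 'script-src') || [];
  const strictDynamic = sources.some((s) => s.toLowerCase() === "'strict-dynamic'");
  const nonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const ignored = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    // Host and scheme sources are unquoted; 'self' and 'unsafe-inline' are keywords.
    const allowlistEntry = !s.startsWith("'") || s === "'self'" || s === "'unsafe-inline'";
    if (strictDynamic && allowlistEntry) {
      ignored.push({ source: src, reason: "'strict-dynamic' specified" });
    }
  }
  for (const src of sources) {
    if (nonceOrHash && src.toLowerCase() === "'unsafe-inline'") {
      ignored.push({ source: src, reason: 'nonce-source or hash-source specified' });
    }
  }
  const dropped = new Set(ignored.map((e) => e.source));
  return { ignored, effective: sources.filter((s) => !dropped.has(s)) };
}

const report = analyseScriptSrc(SAMPLE_POLICY);
for (const e of report.ignored) console.log(`Ignoring ${e.source}: ${e.reason}`);
console.log('Effective sources:', report.effective.join(' '));
```

With `'strict-dynamic'` present, only the nonce or hash sources still authorize a script directly; the URL and scheme entries remain solely as a fallback for browsers that do not support CSP Level 3.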