Content Security Policy Violations in Back Office
I have implemented Content Security Policy headers on a site that is using SSL in the back office (may be unrelated) and I have no issues elsewhere on the site but in the back office I get violations like this:
Refused to load the image
'http://umbraco.tv/media/110343/mediaapi.png' because it violates the
following Content Security Policy directive: "img-src 'self' data:
*.umbraco.tv i.ytimg.com *.umbraco.org www.gravatar.com".
The rule is as follows:
The rules are valid so I can't work out why they are being rejected - any ideas? I think perhaps I'm missing something really obvious somewhere?
Edit: FWIW, images show fine elsewhere in the back office if they come from https://dashboard.umbraco.org/media/ which made me think it was perhaps SSL related?
Thanks, Simon
Hi Simon,
This is a violation of the HTTP/HTTPS content security policies; you need to specify http explicitly if you're serving your site over SSL. You should be able to resolve this issue by updating your rule to:
There's a good Stack Overflow response for content-security-policy here http://stackoverflow.com/a/30280371/1663868
Perfect! Thanks Liam, worked a treat.
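An added example, not part of the original thread: a simplified version of the scheme and host matching that CSP Level 3 applies to host sources, run against the directive and URLs quoted in the question. The function names are hypothetical, ports and paths are ignored, and the `'self'` and `data:` entries are left out because they are not host sources.

```javascript
// Simplified CSP Level 3 host-source matching: scheme and host only.
// Assumption: ports and paths are ignored to keep the example short.

// Does the scheme a source allows (a) cover the scheme of the request (b)?
function schemePartMatches(a, b) {
  a = a.toLowerCase(); b = b.toLowerCase();
  if (a === b) return true;
  if (a === 'http') return b === 'https';            // upgrade to secure is allowed
  if (a === 'ws') return ['wss', 'http', 'https'].includes(b);
  if (a === 'wss') return b === 'https';
  return false;                                      // https never covers http
}

// "*.example.com" matches any subdomain but not "example.com" itself.
function hostPartMatches(pattern, host) {
  pattern = pattern.toLowerCase(); host = host.toLowerCase();
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// source: one host-source expression, e.g. "*.umbraco.tv" or "http://umbraco.tv"
// pageScheme: scheme of the protected page, used when the source names no scheme
function hostSourceMatches(source, requestUrl, pageScheme) {
  const url = new URL(requestUrl);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const allowedScheme = m[1] || pageScheme;
  const urlScheme = url.protocol.slice(0, -1);       // "http:" -> "http"
  return schemePartMatches(allowedScheme, urlScheme) &&
         hostPartMatches(m[2], url.hostname);
}

// True if any host source in the list allows the URL.
function imgSrcAllows(sources, requestUrl, pageScheme) {
  return sources.some((s) => hostSourceMatches(s, requestUrl, pageScheme));
}

// Host sources from the directive in the violation message above.
const reported = ['*.umbraco.tv', 'i.ytimg.com', '*.umbraco.org', 'www.gravatar.com'];
const blocked = 'http://umbraco.tv/media/110343/mediaapi.png';

console.log(imgSrcAllows(reported, blocked, 'https'));                                // false
console.log(imgSrcAllows(reported, 'https://dashboard.umbraco.org/media/', 'https')); // true
// Constructed variant: a source with an explicit http scheme and the bare host.
console.log(imgSrcAllows([...reported, 'http://umbraco.tv'], blocked, 'https'));      // true
```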