Content Security Policy (CSP) breaking manager

ysanmiguel · July 7, 2020, 3:51pm

Hello, I’m trying to implement a bit of security on modx sites, but I’m having a problem including this in the .htaccess it’s braking the manager.

<IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
    <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|tt[cf]|txt|vcf|vtt|webapp|web[mp]|woff|xml|xpi)$">
        Header unset Content-Security-Policy
    </FilesMatch>
</IfModule>

I can’t see any external file being called from the manager, so why is that?
Thanks!

johnxx · September 21, 2020, 2:25pm

Hello

I have the same problem.
However this minimal directive works:

Header set Content-Security-Policy "object-src 'self';"

The following set is validated by webpagetest.org:

<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains;    preload"
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection: "1; mode=block"
Header set X-Frame-Options: "SAMEORIGIN"
Header set Content-Security-Policy "object-src 'self';"
</IfModule>

ysanmiguel · September 22, 2020, 10:24am

I’ll try it, thanks mate!