Problem with iPad Safari and https ? about helmet HOT 4 CLOSED

Let me try this out in my playground env

cc-lam wrote:

In my app, I have the following policy:

helmet.csp.policy
defaultPolicy:
"img-src" : ['*']
"style-src" : ["'self'", "'unsafe-inline'", "fonts.googleapis.com"]
"script-src" : ["'self'", "cdnjs.cloudflare.com", "login.persona.org",
"ajax.googleapis.com", "www.google-analytics.com"
http://www.google-analytics.com%22]

This works well for all OS/browser combinations I'm testing, except
for mobile Safari on the iPad which refuses to load the script from
https://login.persona.org/include.js

The persona script is the only one delivered through https protocol.
Maybe this has something to do with this ?

—
Reply to this email directly or view it on GitHub
#8.

from helmet.

Adding the https in the policy seems to fix it:

"script-src" : ["'self'", "cdnjs.cloudflare.com", "https://login.persona.org", "ajax.googleapis.com", "www.google-analytics.com"]

Is this the correct way to do it ? More generally, should we always add the protocols in the policy ?

from helmet.

cool. that's what I was hoping to try out. I don't know if it's best
practice or required to always add protocols but I think it would be
once best interest with CSP to be as specific as possible. Leaves less
up to interpretation. ndm has this to say
https://twitter.com/ndm/status/348894065586225152

Still probably best to be specific imho.

cc-lam wrote:

Adding the https in the policy seems to fix it:

"script-src" : ["'self'", "cdnjs.cloudflare.com",
"https://login.persona.org", "ajax.googleapis.com",
"www.google-analytics.com" http://www.google-analytics.com%22]

Is this the correct way to do it ? More generally, should we always
add the protocols in the policy ?

—
Reply to this email directly or view it on GitHub
#8 (comment).

from helmet.

Thanks for the info.

from helmet.