Chronoforms validation no longer possible after header security adjustment

How to fix ChronoForms validation after header security adjustments.

Overview

The issue occurs because a strict Content Security Policy (connect-src 'self') blocks the requests made by the validation scripts.
Adjust the CSP by widening the connect-src directive so that it also allows secure (HTTPS) connections: connect-src 'self' https:.

Answered
ChronoForms v8
Schmoe 12 Jan, 2026

During a penetration test, the header security in our environment had to be drastically adjusted and strengthened.

Since then, it has unfortunately no longer been possible to validate Chronoforms.

Can you tell us how the CSP needs to be adjusted so that validation is possible again? What setting is necessary so that the CSP doesn't block the validation of Chronoforms 8?

Max_admin 12 Jan, 2026

Hi Schmoe

What is your current CSP setting value?

Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
Schmoe 12 Jan, 2026

Dear Support, it's:

...
Vary: Accept-Encoding
Set-Cookie: d0a8d64dc8f1e1148c1a99a173f69c82=r5lp93t24gqocfm4dehpjitgvv; path=/; secure; HttpOnly; SameSite=Lax
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';

Max_admin 13 Jan, 2026
Answer

The CSP in your configuration is very strict; please try this:

Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
font-src 'self' data:;
connect-src 'self' https:;
frame-ancestors 'self';
base-uri 'self';
form-action 'self';

The setting causing the issue is:

connect-src 'self'; // this means no requests to any other domain can be made

Max, ChronoForms developer
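To make the effect of the connect-src change concrete, here is an added example (not part of the thread or of ChronoForms): a simplified CSP connect-src evaluator run against the original and the suggested policy. The page origin, the validation endpoint hostnames and the PINNED policy are constructed for the example.

```javascript
// Added example (not from the ChronoForms post or the project): a simplified CSP
// connect-src evaluator showing why "connect-src 'self'" blocked cross-origin
// validation requests and what "connect-src 'self' https:" permits instead.
// Simplifications: no nonces/hashes, no port wildcards, no http->https upgrade
// for 'self'; enough for the source expressions that appear on this page.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression admit a request from pageOrigin to target (a URL)?
function sourceMatches(src, pageOrigin, target) {
  if (src === '*') return true;
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {          // scheme-source, e.g. "https:"
    return target.protocol === src.toLowerCase();
  }
  // host-source, e.g. "https://api.example.net" or "*.example.net"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  const th = target.hostname.toLowerCase(), h = host.toLowerCase();
  if (wild ? !th.endsWith('.' + h) : th !== h) return false;
  const tp = target.port || (target.protocol === 'https:' ? '443' : '80');
  return !port || tp === port;
}

// True if a fetch/XHR from a page at pageOrigin to targetUrl passes the policy.
// connect-src falls back to default-src when it is not set.
function connectAllowed(cspHeader, pageOrigin, targetUrl) {
  const d = parseCsp(cspHeader);
  const sources = d['connect-src'] ?? d['default-src'] ?? ['*'];
  const target = new URL(targetUrl);
  return sources.some((s) => sourceMatches(s, pageOrigin, target));
}

// Constructed values: a page origin, the two policies from the thread, and a
// hypothetical tighter policy that names the endpoint instead of a bare scheme.
const PAGE = 'https://www.example.com';
const ORIGINAL = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; form-action 'self'";
const RELAXED = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https:; form-action 'self'";
const PINNED = "default-src 'self'; connect-src 'self' https://api.example.net";
```

`https:` admits requests to any HTTPS origin; if the origin the validation calls go to is known, listing that host (as in PINNED) keeps connect-src tighter.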