• GoDaddy Community
  • SSL And Security

    • SSL And Security

    cancel
    Turn on suggestions
    Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
    Showing results for 
    Search instead for 
    Did you mean: 
    sharwood
    sharwood
    Novice
    ‎06-06-2018 05:09 AM

    Content Security Policy settings to allow Verify SSL seal to display

    Ok - currently have a newly installed SSL cert and have added the seal onto my page.  When I click on it a new window opens which provides information about the SSL cert - Verified.

     

    My content security policy contains an entry 'unsafe-inline' in the script-src field.  When I remove this entry the verify seal window will no longer pop up.  I need to specify a url to allow content from.

     

    I have tried https://seal.godaddy.com (which works to allow the seal image in img-src field) but the pop up will not display.

     

    Does anyone know where I can find the correct url to add to my Content Security Policy so I can display the field and remove the 'unsafe-inline' ?

     

    Thanks all

    0 Kudos
    Reply
    3 REPLIES 3
    GaryA
    Moderator
    Moderator
    ‎06-14-2018 06:58 AM

    Re: Content Security Policy settings to allow Verify SSL seal to display

    Hi @sharwood, thanks for posting.

    I haven't seen any similar issues to this. Do you have a live test page on your site that members of the Community could take a look at?

     

    Gary - GoDaddy | Community Moderator
    24/7 Support | Check System Status
    Reply
    sharwood
    sharwood
    Novice
    ‎06-15-2018 04:41 AM

    Re: Content Security Policy settings to allow Verify SSL seal to display

    www.westridgedesigns.com is the site

    There is an ssl seal at the bottom of the page that when you click on it a verification window pops up 

    In this case I have an 'unsafe-inline' statement in my htaccess file in the content security policy

     

    Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' 'unsafe-inline' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"

     

    which allows scripts to run from undesignated sources

     

    Now I have a copy of the site here

    www.westridgedesigns.com/test

    On this site clicking the ssl seal does not work to display the verification popup - I have removed the 'unsafe-inline' statement so scripts will only run from sources I designate

     

    Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"

     

    Now - even though I am specifying that https://seal.godaddy.com is a safe source, the popup window will not appear.

    Question then is this:  What urls to I have to specify in htaccess to allow the script to run that displays the ssl verification popup?

     

    I think that about sums things up - any guidance here would be appreciated

     

    Thanks

     

    SH

     

    Reply
    GaryA
    Moderator
    Moderator
    ‎06-15-2018 08:53 AM

    Re: Content Security Policy settings to allow Verify SSL seal to display

    Hi @sharwood, thanks for following up.

    I apologize, but I'm not familiar with the security policy setting you are trying to implement. You can try viewing the source of the javascript file that is linked to for the site seal to see if any other domains are referenced.

    Perhaps another Community member has setup a security policy similar to what you are working with and will be able to offer some further suggestions.

     

    Gary - GoDaddy | Community Moderator
    24/7 Support | Check System Status
    Reply

    You may also like...

    Still Need Help?
    Chat with our award-winning support team