OK - I currently have a newly installed SSL cert and have added the seal onto my page. When I click on it, a new window opens which provides information about the SSL cert - Verified.
My content security policy contains an entry 'unsafe-inline' in the script-src field. When I remove this entry, the verify seal window will no longer pop up. I need to specify a URL to allow content from.
I have tried https://seal.godaddy.com (which works to allow the seal image in the img-src field) but the popup will not display.
Does anyone know where I can find the correct URL to add to my Content Security Policy so I can display the field and remove the 'unsafe-inline'?
www.westridgedesigns.com is the site.
There is an SSL seal at the bottom of the page; when you click on it, a verification window pops up.
In this case I have an 'unsafe-inline' statement in my htaccess file in the content security policy:
Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' 'unsafe-inline' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"
which allows scripts to run from undesignated sources
Now I have a copy of the site here
On this site, clicking the SSL seal does not work to display the verification popup - I have removed the 'unsafe-inline' statement so scripts will only run from sources I designate:
Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"
Now - even though I am specifying that https://seal.godaddy.com is a safe source, the popup window will not appear.
The question then is this: what URLs do I have to specify in htaccess to allow the script to run that displays the SSL verification popup?
I think that about sums things up - any guidance here would be appreciated.
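The two policies from the post above, run through a small script-src check. This is an added example, not part of the original post or any GoDaddy code; it handles only 'self' and exact-origin host sources, and the https scheme for the site and the seal script URL are constructed for illustration.

```javascript
// Added example, not code from the thread. Simplified: exact-origin host sources only.
const PAGE_ORIGIN = "https://www.westridgedesigns.com"; // site named in the post; https assumed
const COMMON = "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; " +
  "img-src 'self' https://seal.godaddy.com; ";
const STYLE = "; style-src 'self' https://seal.godaddy.com 'unsafe-inline'";
// The two policies quoted in the post, differing only in script-src.
const WITH_INLINE = COMMON + "script-src 'self' 'unsafe-inline' https://seal.godaddy.com https://www.google.com" + STYLE;
const WITHOUT_INLINE = COMMON + "script-src 'self' https://seal.godaddy.com https://www.google.com" + STYLE;

// Parse a policy into Map(directive -> source list); the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src falls back to default-src; null means scripts are not restricted at all.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Inline <script> bodies and on* attributes have no URL, so host sources never match them.
// Only 'unsafe-inline' allows them wholesale, and browsers ignore it beside a nonce or hash.
function allowsAnyInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// External scripts are matched by URL against 'self' and the listed origins.
function allowsExternalScript(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((s) => {
    if (s === "'self'") return origin === PAGE_ORIGIN;
    if (s.startsWith("'")) return false; // other keywords never match a URL
    try { return new URL(s).origin === origin; } catch { return false; }
  });
}
```

Both policies allow an external script loaded from https://seal.godaddy.com; only the first allows inline code. If the seal's click behaviour comes from an inline script or an onclick attribute (an assumption, since the seal markup is not shown in the thread), adding further URLs to script-src cannot re-enable it.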
Hi @sharwood, thanks for following up.
Perhaps another Community member has set up a security policy similar to what you are working with and will be able to offer some further suggestions.