SSL And Security

sharwood · ‎06-06-2018

Ok - currently have a newly installed SSL cert and have added the seal onto my page. When I click on it a new window opens which provides information about the SSL cert - Verified.

My content security policy contains an entry 'unsafe-inline' in the script-src field. When I remove this entry the verify seal window will no longer pop up. I need to specify a url to allow content from.

I have tried https://seal.godaddy.com (which works to allow the seal image in img-src field) but the pop up will not display.

Does anyone know where I can find the correct url to add to my Content Security Policy so I can display the field and remove the 'unsafe-inline' ?

Thanks all

GaryA · ‎06-14-2018

Hi @sharwood, thanks for posting.

I haven't seen any similar issues to this. Do you have a live test page on your site that members of the Community could take a look at?

Gary - GoDaddy | Community Moderator
24/7 Support | Check System Status

sharwood · ‎06-15-2018

www.westridgedesigns.com is the site

There is an ssl seal at the bottom of the page that when you click on it a verification window pops up

In this case I have an 'unsafe-inline' statement in my htaccess file in the content security policy

Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' 'unsafe-inline' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"

which allows scripts to run from undesignated sources

Now I have a copy of the site here

www.westridgedesigns.com/test

On this site clicking the ssl seal does not work to display the verification popup - I have removed the 'unsafe-inline' statement so scripts will only run from sources I designate

Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"

Now - even though I am specifying that https://seal.godaddy.com is a safe source, the popup window will not appear.

Question then is this: What urls to I have to specify in htaccess to allow the script to run that displays the ssl verification popup?

I think that about sums things up - any guidance here would be appreciated

Thanks

SH

GaryA · ‎06-15-2018

Hi @sharwood, thanks for following up.

I apologize, but I'm not familiar with the security policy setting you are trying to implement. You can try viewing the source of the javascript file that is linked to for the site seal to see if any other domains are referenced.

Perhaps another Community member has setup a security policy similar to what you are working with and will be able to offer some further suggestions.

Gary - GoDaddy | Community Moderator
24/7 Support | Check System Status

columboo

SSL And Security

Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

SSL And Security

Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

Re: Content Security Policy settings to allow Verify SSL seal to display

You may also like...