Ok - currently have a newly installed SSL cert and have added the seal onto my page. When I click on it a new window opens which provides information about the SSL cert - Verified.
My content security policy contains an entry 'unsafe-inline' in the script-src field. When I remove this entry the verify seal window will no longer pop up. I need to specify a url to allow content from.
I have tried https://seal.godaddy.com (which works to allow the seal image in img-src field) but the pop up will not display.
Does anyone know where I can find the correct url to add to my Content Security Policy so I can display the field and remove the 'unsafe-inline'?
Thanks all
Hi @sharwood, thanks for posting.
I haven't seen any similar issues to this. Do you have a live test page on your site that members of the Community could take a look at?
www.westridgedesigns.com is the site
There is an ssl seal at the bottom of the page that when you click on it a verification window pops up
In this case I have an 'unsafe-inline' statement in my htaccess file in the content security policy
Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' 'unsafe-inline' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"
which allows scripts to run from undesignated sources
Now I have a copy of the site here
On this site clicking the ssl seal does not work to display the verification popup - I have removed the 'unsafe-inline' statement so scripts will only run from sources I designate
Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; img-src 'self' https://seal.godaddy.com; script-src 'self' https://seal.godaddy.com https://www.google.com; style-src 'self' https://seal.godaddy.com 'unsafe-inline'"
Now - even though I am specifying that https://seal.godaddy.com is a safe source, the popup window will not appear.
Question then is this: What urls do I have to specify in htaccess to allow the script to run that displays the ssl verification popup?
I think that about sums things up - any guidance here would be appreciated
Thanks
SH
Hi @sharwood, thanks for following up.
I apologize, but I'm not familiar with the security policy setting you are trying to implement. You can try viewing the source of the JavaScript file that is linked to for the site seal to see if any other domains are referenced.
Perhaps another Community member has set up a security policy similar to what you are working with and will be able to offer some further suggestions.
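Added example (not part of the original thread, and not GoDaddy's code): a Python check of which scripts in a piece of markup the thread's second policy would allow. Host sources in script-src only cover external script files, while inline script blocks and on* handler attributes need 'unsafe-inline', a nonce or a hash. SNIPPET is constructed markup, not the real seal snippet, and host matching is simplified to an exact origin comparison.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Second policy from the thread: script-src without 'unsafe-inline'.
POLICY = ("default-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; "
          "img-src 'self' https://seal.godaddy.com; script-src 'self' https://seal.godaddy.com https://www.google.com; "
          "style-src 'self' https://seal.godaddy.com 'unsafe-inline'")
# Constructed embed markup for illustration; NOT the real seal snippet.
SNIPPET = """<script src="https://seal.godaddy.com/constructed-example.js"></script>
<img src="https://seal.godaddy.com/constructed-example.gif" onclick="verifySeal();">
<script>function verifySeal() { window.open("/constructed-verify"); }</script>"""

def script_src(header):
    """Return the source list governing scripts: script-src, else default-src."""
    directives = {}
    for tokens in (part.split() for part in header.split(";")):
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return directives.get("script-src", directives.get("default-src", []))

def csp_hash(text):  # hash-source for an inline script body or handler value
    return "'sha256-%s'" % base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

class ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self.in_inline = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            u = urlsplit(attrs["src"])  # a relative URL loads from the page's own origin
            self.found.append(("external", f"{u.scheme}://{u.netloc}" if u.netloc else "'self'"))
        elif tag == "script":
            self.in_inline = True
        for name, value in attrs.items():
            if name.startswith("on") and value:  # inline event handler attribute
                self.found.append(("inline-handler", csp_hash(value)))
    def handle_data(self, data):
        if self.in_inline and data.strip():
            self.found.append(("inline-script", csp_hash(data)))
    def handle_endtag(self, tag):
        self.in_inline = self.in_inline and tag != "script"

def audit(html, header):
    """List (kind, origin-or-hash, allowed) for every script the markup would run."""
    sources, parser = script_src(header), ScriptFinder()
    parser.feed(html)
    inline_ok = "'unsafe-inline'" in sources  # simplified: nonces and hashes not evaluated
    return [(k, v, v in sources if k == "external" else inline_ok) for k, v in parser.found]
```

The hash reported for an inline script block can be listed in script-src in place of 'unsafe-inline'; a hash for an on* handler only takes effect together with 'unsafe-hashes' (CSP Level 3), so moving the handler into an external script file is the simpler fix.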