Please I need assistance here. I have a form to submit to another url but when I try to submit it, it refuses to submit and I was checking my console.
On Chrome, I see the following errors
resources2.aspx?HCCID=75694719&culture=en-US&mlcv=3006&template=5:7 Refused to load the image ‘https://s4.mylivechat.com/livechat2/images/sprite.png‘ because it violates the following Content Security Policy directive: “img-src ‘self’ data:”.
Refused to send form data to ‘https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx‘ because it violates the following Content Security Policy directive: “form-action ‘self'”.
and on Mozilla Firefox I see the following:
Content Security Policy: The page’s settings blocked the loading of a resource at https://s4.mylivechat.com/livechat2/images/sprite.png (“img-src http://smehelp.themarketplace.ng data:”)
Content Security Policy: The page’s settings blocked the loading of a resource at http://smehelp.themarketplace.ng/purchase/summary (“form-action ‘self’”).
Checking around the web for solution, I have added the following to my page header
<meta http-equiv="Content-Security-Policy" content="form-action 'self'">
but the problem still persists.
This results in the fact that I am not able to submit my forms. Earlier, the forms used to get submitted, but I just tried it today and observed this error.
I am running on Google Chrome Version 55.0.2883.95 (64-bit) on a MAC OS.
I will appreciate any suggestion to solve this issue as soon as possible.
Thank you
Advertisement
Answer
You are passing the Content-Security-Policy value in your response header:
base-uri ‘none’; default-src ‘self’ https://s4.mylivechat.com; child-src ‘none’; connect-src ‘self’; font-src ‘self’ https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action ‘self’; frame-ancestors ‘none’; img-src ‘self’ data:; media-src ‘self’; object-src ‘none’; script-src ‘self’ https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com ‘unsafe-inline’ ‘unsafe-eval’; style-src ‘self’ https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com ‘unsafe-inline’
The content security policy that you’ve added to the page meta will be ignored as this is present in the response header.
You will need to make the following additions (in bold) to your CSP that you are sending in your response header.
base-uri ‘none’; default-src ‘self’ https://s4.mylivechat.com; child-src ‘none’; connect-src ‘self’; font-src ‘self’ https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com; form-action ‘self’ https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx; frame-ancestors ‘none’; img-src ‘self’ data: https://s4.mylivechat.com; media-src ‘self’; object-src ‘none’; script-src ‘self’ https://www.youtube.com https://maps.google.com https://www.google-analytics.com https://mylivechat.com https://s4.mylivechat.com https://maps.googleapis.com ‘unsafe-inline’ ‘unsafe-eval’; style-src ‘self’ https://fonts.googleapis.com https://s4.mylivechat.com https://maxcdn.bootstrapcdn.com ‘unsafe-inline’;
- Add https://s4.mylivechat.com to img-src
- Add https://cipg.stanbicibtcbank.com/MerchantServices/MakePayment.aspx to form-action
- Remove
<meta http-equiv="Content-Security-Policy" content="form-action 'self'">from your HTML code