Seems like the Cloudflare _headers file totally ignores the CSP if it is lengthy. What can I do to fix this? I only have 4-5 hashes (sha512-). What is the suggested and safe method to add a CSP in the Cloudflare Pages _headers file which defines
Usually this is all in 1 line. Is there a different format I can use in the header? For example, instead of using
Content-Security-Policy: default-src 'none'; child-src 'none'; frame-src 'none'; worker-src 'none';
can I break this into multiple lines to bypass the current Cloudflare issue:
Thanks for taking the time to help.
How long is your CSP header? I have long ones and they load fine.
The character length of 1 line starting with
Content-Security-Policy: default-src 'none'; script-src 'report-sample' is: 1380
Can someone please tell me what the exact limit is that Cloudflare applies in the _headers file? Weeks were spent on creating the content security policy, and Cloudflare simply ignores it and does not ship it from the _headers file. I read somewhere that Cloudflare applies a limit, but what is that limit?
Just tried 2000 characters and got this error in the build log:
|16:34:45.133| Ignoring line 8 as it exceeds the maximum allowed length of 1000.
So I suppose I need to get rid of 380 characters to make it under 1000.
If there is anyone here from official Cloudflare, I want to tell you that 1000 characters for a CSP is too small; with just a few hashes it will reach over 1000. Please make the limit 1380.
Dear Cloudflare team,
can I use a CSP like this to bypass your 1000 character limit? Will this work or result in failure?
That will not work, headers are parsed per line.
What you can do is have multiple CSP policy headers. So if you manually split your CSP policy into two separate headers, they will be parsed by browsers as one header:
Content-Security-Policy: <part 1 of header>
Content-Security-Policy: <part 2 of header>
We’re looking to increase this.
That’s how I would have done it as well. If you do this, just pay attention that you define each directive exclusively in one CSP header line. So don’t redefine it in another line.
With this trick, the limitation of 1000 characters would now apply to every CSP directive, which I’m pretty sure is more than enough.
So maybe the Cloudflare Pages team could:
- implement a solution that would (if possible) split the header down on their own into its separate directives
- instead of triggering a warning/info and ignoring it, also append a link to the docs which describes how to solve it (Multiple content security policies), so users can do it manually.
- increase the limit, but I don’t know if it exists for good reasons. I at least am not aware of any IETF RFC limit on a response header’s max characters, nor size.
This approach (Multiple content security policies) can be used with nearly all other headers as well. Just have a look here: Scan results for https://www.heldmayer.com,
where I used it for multiple link headers.
Question to @WalshyMVP:
if you guys alter the limit of header value length, will it be altered in general, or just for the CSP?
This does solve the issue, you are a legend.
Hi @WalshyMVP, I’m not sure if you’re a Cloudflare representative. But I’d want to complain to you because this limit is quite difficult to locate, at least for me, and I’ve had no idea why the CSP isn’t being applied for about a month, so I’ve been altering the policy. Please indicate this limit in your docs where you describe how to use the header file so that users are aware of it and may avoid the annoyance of not knowing what’s going on.
Thank you all again for your efforts in resolving this problem.
This method doesn’t work for me, as for some reason the produced CSP header has the wrong format:
default-src 'none';, script-src 'report-sample'
You can see an additional comma after the ; and this makes the browser miss parts of the CSP. When you separate a policy line, how do you end the line, with:
- default-src 'none';
- default-src 'none'
- default-src 'none',
The browser is expecting to get ; at the end of each policy type? For example
Content-Security-Policy: default-src 'none'; script-src 'self'
instead of how the Cloudflare header is exporting it currently:
default-src 'none';, script-src 'report-sample'
@WalshyMVP is not, but his alter ego @Walshy is!
I am unable to recreate the behavior you are seeing. When I was testing, I just cut and pasted policy sections from the first header to the second.
Here is an example:
Content-Security-Policy: default-src 'self' https://cloudflareinsights.com; script-src 'self' c.disquscdn.com https://ajax.cloudflare.com https://*.cloudflareinsights.com;
Content-Security-Policy: object-src 'none'; report-uri https://cyberjake.report-uri.com/r/d/csp/enforce
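As an added example (not from any poster in this thread), a small Python model of the two things discussed above: how a browser combines several Content-Security-Policy headers, including the comma-joined `;,` value, and a splitter that keeps each _headers line under a length limit. Browsers enforce each comma-separated policy independently, and a fetch directive missing from one policy falls back to that policy's own default-src, so default-src and the fetch directives need to stay on one line while document directives such as frame-ancestors and report-uri can move to further lines. Source matching is simplified to token membership, an assumption made for brevity.

```python
# Fetch directives fall back to default-src when a policy omits them (CSP3).
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src", "manifest-src",
    "media-src", "object-src", "script-src", "style-src", "worker-src",
}

def parse_policy(policy):
    """Parse one serialized policy into {directive: [source tokens]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def parse_header_value(value):
    """Repeated CSP headers arrive as one comma-joined value; each item is a policy."""
    return [parse_policy(p) for p in value.split(",") if p.strip()]

def allows(policies, directive, source):
    """A load passes only if every policy allows it (simplified token matching)."""
    for policy in policies:
        effective = policy.get(directive)
        if effective is None and directive in FETCH_DIRECTIVES:
            effective = policy.get("default-src")  # the fallback rule
        if effective is not None and source not in effective and "*" not in effective:
            return False
    return True

def split_policy(policy, limit=1000, name="Content-Security-Policy"):
    """Emit _headers lines within `limit` chars: default-src plus every fetch
    directive stay on the first line; other directives are packed, each used once."""
    prefix = f"{name}: "
    items = [" ".join([d] + s) for d, s in parse_policy(policy).items()]
    fetch = [x for x in items if x.split()[0] in FETCH_DIRECTIVES | {"default-src"}]
    lines = [prefix + "; ".join(fetch)] if fetch else []
    if lines and len(lines[0]) > limit:
        raise ValueError("default-src plus fetch directives exceed the line limit")
    current = []
    for x in items:
        if x in fetch:
            continue
        if current and len(prefix + "; ".join(current + [x])) > limit:
            lines.append(prefix + "; ".join(current))
            current = []
        current.append(x)
    if current:
        lines.append(prefix + "; ".join(current))
    return lines
```

Run `allows(parse_header_value(...), "script-src", "'self'")` against the joined value to see whether a given split still permits a load before committing it to the _headers file.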
A modification has been requested here: [Pages] Clarify individual header length limit by KianNH · Pull Request #4614 · cloudflare/cloudflare-docs · GitHub
I increased this today, not sure if a release will go out this week or next week but the work is done.
Representative sounds so formal… I work on the Pages team.
This is the whole line length being increased, so you can have a header if you’d like (you should).
May we know to what length? This maybe is even worth adding to the docs.
Finally … I can use the header I ever wanted!
2k and yep, we’ll doc it. Since @KianNH already has an open PR I pinged him to update that.