CSP: Meta Policy Invalid Directive

Risk:
Medium

Type:
Passive

CWE:
CWE-693

Summary: The policy specified via meta element contains either or both the sandbox or frame-ancestors directive, which are not permitted inside meta CSP definitions.

Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

References

https://www.w3.org/TR/CSP/

https://caniuse.com/#search=content+security+policy

https://content-security-policy.com/

https://github.com/HtmlUnit/htmlunit-csp

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

Top Security News

Latest CVE List

Top Alert List

Content Security Policy (CSP) Header Not Set
CSP
MediumMissing Anti-clickjacking Header
InformationalInformation Disclosure - Suspicious Comments
MediumAbsence of Anti-CSRF Tokens
MediumContent Security Policy (CSP) Header Not Set
LowCross-Domain JavaScript Source File Inclusion
InformationalRe-examine Cache-control Directives
LowCSP: X-Content-Security-Policy
LowTimestamp Disclosure - Unix

Common CWEs

Free online web security scanner

Don't show website scan report rating on the leaderboard