Paul Pace writes:
> When I load a page from OpenBSD served with relayd and httpd with
> Content-Security-Policy set to default-src self, I can see that a basic
> HTML page that normally renders with all of the text in the center is
> now rendered on the left.
>
> I have this currently configured with http://mostlybsd.com not loading
> the header and https://mostlybsd.com loading the header.
>
> [...]
>
> Is there something I am missing?

You are missing that "style-src 'self'" does not allow <style> elements
within the page. 'self' only allows <link> elements with an href pointing
to an external stylesheet on the same domain.

To allow <style>, you will need to set a nonce, a hash, or 'unsafe-inline'.

If you had opened Chrome's developer tools, you would have seen an error
message describing this.

> I have also served the same HTML file in an Ubuntu server with nginx and
> with the header enabled the page still renders in the center.

You should verify that nginx on Ubuntu is actually setting the header.

-- 
Anthony J. Bentley
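
The hash option mentioned in the reply, as an added example that is not part of the original thread: this computes the CSP `'sha256-...'` source for each inline `<style>` block and checks whether a given policy would let that block apply. The sample page, policy strings, and function names are constructed for illustration; nonce matching against element attributes is not modelled.

```python
import base64
import hashlib
from html.parser import HTMLParser

class StyleCollector(HTMLParser):
    """Collect the exact text content of every inline <style> element."""
    def __init__(self):
        super().__init__()
        self.styles, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self.styles.append("".join(self._buf))
            self._buf = None

def inline_styles(html):
    parser = StyleCollector()
    parser.feed(html)
    parser.close()
    return parser.styles

def csp_hash(css):
    # The hash covers the element's text content exactly, whitespace included.
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def style_sources(policy):
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("style-src-elem", "style-src", "default-src"):
        if name in directives:
            return directives[name]
    return None  # nothing governs styles, so inline styles are unrestricted

def inline_style_allowed(policy, css):
    sources = style_sources(policy)
    if sources is None or csp_hash(css) in sources:
        return True
    lowered = [s.lower() for s in sources]
    # 'unsafe-inline' is ignored once any nonce or hash source is present.
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in lowered)
    return "'unsafe-inline'" in lowered and not strict

# Constructed sample page with centered text set by an inline <style>.
PAGE = ("<html><head><style>body { text-align: center; }</style></head>"
        "<body><p>hello</p></body></html>")
```

Changing a single character of the inline stylesheet changes its hash, so the header value must be regenerated whenever the page's `<style>` content is edited.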

