{"id":1533,"date":"2017-05-16T13:19:36","date_gmt":"2017-05-16T11:19:36","guid":{"rendered":"https:\/\/www.h-hennes.fr\/blog\/?p=1533"},"modified":"2017-05-16T13:19:36","modified_gmt":"2017-05-16T11:19:36","slug":"detecter-vos-contenus-mixtes-avec-les-csp","status":"publish","type":"post","link":"https:\/\/www.h-hennes.fr\/blog\/2017\/05\/16\/detecter-vos-contenus-mixtes-avec-les-csp\/","title":{"rendered":"D\u00e9tecter vos contenus mixtes avec les CSP"},"content":{"rendered":"

Je continue ma s\u00e9rie d’articles sur le https avec une probl\u00e9matique assez chronophage qui est la d\u00e9tection des contenus mixtes sur une page https.
\nAvec les nouvelles s\u00e9curit\u00e9 des navigateurs si une image , une feuille de style ou un fichier javascript n’est pas appell\u00e9 en https il ne sera pas interpr\u00e9t\u00e9.<\/p>\n

Et donc votre site ne sera pas affich\u00e9 correctement.
\nLa t\u00e2che d’identification de ces contenus est relativement longue et implique de passer sur toutes les pages de votre site si vous souhaitez le faire manuellement.
\nLa bonne nouvelle est que ce n’est pas n\u00e9cessaire \ud83d\ude42<\/p>\n

Avec les headers Content Security Policy ( CSP ) il est possible de d\u00e9tecter automatiquement les \u00e9l\u00e9ments bloquants.
\nMon exemple est relativement basique, pour des informations compl\u00e8tes sur les CSP vous pouvez consulter le site suivant : https:\/\/content-security-policy.com\/<\/a><\/p>\n

Comme le nom ( header ) le d\u00e9fini, nous allons ajouter l’ent\u00eate sp\u00e9cifique \u00e0 notre document.<\/p>\n

Content-Security-Policy-Report-Only \"default-src https:\/\/your-site.com https: 'unsafe-inline';report-uri https:\/\/your-site.com\/csp-https-report.php\"\r\n<\/pre>\n
Celle-ci signifie que nous souhaitons avoir un rapport d’erreur sur l’url https:\/\/your-site.com\/csp-https-report.php, d\u00e8s qu’un m\u00e9dia ( js\/image\/font\/css ) n’est pas appel\u00e9 en https<\/p>\n
Cette ent\u00eate peut \u00eatre rajout\u00e9e de diff\u00e9rente mani\u00e8re<\/p>\n
Apache :<\/strong> dans le fichier htaccess<\/p>\n
 Header set Content-Security-Policy-Report-Only \"default-src https:\/\/your-site.com https: 'unsafe-inline';report-uri https:\/\/your-site.com\/csp-https-report.php\"\r\n<\/pre>\n
Nginx :<\/strong> dans votre fichier de conf<\/p>\n
 add_header Content-Security-Policy-Report-Only \"default-src https:\/\/your-site.com https: 'unsafe-inline';report-uri https:\/\/your-site.com\/csp-https-report.php\";\r\n<\/pre>\n
Directement dans votre document php<\/strong><\/p>\n
 header('Content-Security-Policy-Report-Only \"default-src https:\/\/your-site.com https: 'unsafe-inline';report-uri https:\/\/your-site.com\/csp-https-report.php\";');\r\n<\/pre>\n
Voici \u00e0 pr\u00e9sent le contenu du fichier php qui va traiter ces retours.
\nIl ajoute tout simplement les erreurs dans un fichier de log, qui vous permettra de corriger les erreurs.<\/p>\n
 <?php\r\n$data = file_get_contents('php:\/\/input');\r\nif ($data = json_decode($data, true)) {\r\n\u00a0\u00a0 \/\/On mets les r\u00e9sultats dans un fichiers de log\r\n\u00a0\u00a0 $fp = fopen('https-errors.log','a+');\r\n\u00a0\u00a0 fputs($fp,date(\"Y-m-d H:i:s\").' Erreur https '.$data['csp-report']['blocked-uri'].' - source '.$data['csp-report']['document-uri'].\"\\n\");\r\n\u00a0  fclose($fp);\r\n}\r\n?> \r\n<\/pre>\n
En consultant ce fichier de log, vous pourrez donc identifier facilement les \u00e9l\u00e9ments qui posent probl\u00e8me ! \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Je continue ma s\u00e9rie d’articles sur le https avec une probl\u00e9matique assez chronophage qui est la d\u00e9tection des contenus mixtes sur une page https. Avec les nouvelles s\u00e9curit\u00e9 des navigateurs si une image , une feuille de style ou un fichier javascript n’est pas appell\u00e9 en https il ne sera pas interpr\u00e9t\u00e9. Et donc votre […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[489,488,487,418],"class_list":["post-1533","post","type-post","status-publish","format-standard","hentry","category-trucs-et-astuces","tag-content-security-policy","tag-csp","tag-header","tag-https"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\t