Content Security Policy removes header background image


I am using Shapely with great pleasure, on my website
I am using a parallax on the front page, with a nice picture of the earth seen from outer space.
But if I enable a Content Security Policy (CSP) in my .htaccess, the background image is not being displayed.
Even if the CSP is allowing everything - like this:
Header set Content-Security-Policy “default-src *; script-src *; style-src *; img-src *; connect-src *; font-src *; object-src *; media-src *; frame-src *; sandbox *; report-uri *; child-src *; form-action *; frame-ancestors *; plugin-types *; base-uri *; report-to *; worker-src *; manifest-src *; prefetch-src *; navigate-to *;”

What can I do to enable a CSP and also my background picture?


Albert van Harten

Hey there

Well, what can I say about it, it’s not theme related error, most probably you are not properly using CSP, to be honest, I don’t know it very well ti review your rules in the policy, but the fact is that is not working, try to research your question in the net for more details

You were totally right. “Enable everything” with a wildcard in the CSP does not … enable everything. I had to specify data: in the CSP line.

If others have the same problem: this did the trick for me:

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:"

Wow, nice to hear :slight_smile:
and thank you for sharing the solution with others

Have a great day