sorry for bad description. I have an app that works fine on localhost and test server. On the machine that has connection to test server when I try to access the app via server's IP and port I can access the app too. But with a rerouting that points to my apps test server IP and port I get below 2 errors in a script that I use from a different host. Test server doesn't has outside connection allowed but related script host has been allowed. I have tried adding CSP headers to ISS but it didn't work. How can I resolve this issue or how can I get more details about it. Any help would appreciated. Thank you.
1st error:
Refused to create a worker from
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
because it violates the following Content Security Policy directive:
"default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that
'worker-src' was not explicitly set, so 'default-src' is used as a
fallback.
2nd error:
Uncaught DOMException: Failed to construct 'Worker': Access to the
script at
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
is denied by the document's Content Security Policy.
Script that got the error:
<script src="https://scriptsource.com/script.php?lang=en"></script>
Due to privacy issues domain names are replaced.
Update: So I have tried to download and use the script locally and there were couple of API calls in the javascript file and it gave the same error again.
Update-2: I have checked through the script file and found the lines that are causing the issue, I have added "default-src 'self' 'unsafe-inline'; worker-src blob:;" meta header but still get the same error
const e=window.URL||window.webkitURL,n=new
Blob(['importScripts("'+Dt.faceworker+"?v="+t.replace(/\./g,"")+'");'],
{type:"application/javascript"}),o=e.createObjectURL(n);
Wt=new Worker(o)
The CSP on your page doesn't allow "blob:". Adding another CSP in a meta tag can only impose restrictions, it can't change the other CSP that is likely there and served in a response header. You will likely need to modify the original CSP adding blob: to default-src or worker-src.
Related
I want to access a website using javascript. but I am getting the following error in the console.
Refused to connect to 'https://example.com' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I have added the following meta tag in the index.html,
meta http-equiv="Content-Security-Policy" content="connect-src 'self' http://example.com;" />
Isn't this the right way to add CSP? please help.
You already have one CSP published with the default-src 'self' policy. Quite possible it was done via HTTP header.
Check the Helmet middleware settings in case of NodeJS server, or Header set in the .htaccess file in case on Apache server. In case of Nginx it can be add_header in the config.
By adding <meta> tag you just publish a second CSP, which does not overrides the first one. 2 CSPs works subsequently - all sources should pass both CSP.
Figure out where CSP is publushed and add connect-src 'self' http://example.com; there.
I've just updated the Content-Security-Policy settings in the Web.Config file and added the Application Insights JavaScript snippet in my _Layout.cshtml.
Here is what the Content-Security-Policy in the Web.config looks like.
script-src-elem
'self'
'unsafe-inline'
'unsafe-eval'
https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js
*.mymapjs.com
script-src
'self'
'unsafe-inline'
'unsafe-eval'
https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js
*.mymapjs.com
mymapjs.com is not longer working properly, my maps aren't showing up, and my browser is upset with me yelling at me in red letters with the error:
Access to XMLHttpRequest at 'mymapjs.com' from origin 'mywebsite.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
When I remove the https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js url from the Web.config Content-Security-Policy I get the warning:
Refused to load the script 'https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js' because it violates the following Content Security Policy directive: "script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' https://*.mymapjs.com use.other.net use.other.net/ https://myfont.net/it.js
It turns out I enabled the enableCorsCorrelation = true in the Application Insights configuration.
So then I tried updating the correlationHeaderExcludedDomains values with a wild card value for the mymapjs.com.
correlationHeaderExcludedDomains:
[
'myapp.azurewebsites.net',
'*.queue.core.windows.net',
'*.mymapjs.com'
]
The wild card alone didn't work. I had to strictly type the JS libraries urls AND have the wildcard for it to work properly. It wants the scripts that are directly being requested from the _Layout.cshtml as well as the ones generated from the JS libraries.
correlationHeaderExcludedDomains:
[
'myapp.azurewebsites.net',
'*.queue.core.windows.net',
'*.mymapjs.com'
'https://mymapjs.com-core-events.js'
'https://mymapjs.com-services.js'
'https://mymapjs.com-ui-services.js'
]
If anyone else gets caught up figuring this out, I hope this helps.
I'm write an external script for a single web page and i need to make one POST JSON request to another resource through this script.
However, when i do, it throws CSP error: "Refused to connect to <URL> because it violates the following Content Security Policy directive: "connect-src 'self'".
I looked into the web page and see meta tag which contain a Content-Security-Policy with CSP content. However, i tried manually add my <URL> to CSP connect-src content, but it is still not working.
Questions:
can i change CSP through the external script? How?
maybe any workaround for this?
The error message is saying the setting that needs to be changed:
it violates the following Content Security Policy directive: "connect-src 'self'"
So you need to set the 'connect-src' directive to something other than 'self', which might have been set by default.
You said you tried to add the URL that you're trying to connect to. That is not quite right - you need to add just the host part, rather than any of the path.
So the connect-src part of the CSP header should look like:
connect-src 'self' https://*.example.com
If you update your question with what you tried, if it still isn't working, the exact error could be diagnosed.
I'm building a SPA using oidc-client to sign in to an IDP built using Identity Server 4.
The login redirections seems to work fine but on Firefox I'm getting the following CSP issues
Content Security Policy: Ignoring "'unsafe-inline'" within script-src or style-src: nonce-source or hash-source specified (unknown)
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='"). Source: !function(t){function __webpack_require_.... checksession:1
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='"). Source: window.devToolsOptions = Object.assign(w.... checksession:1
Load denied by X-Frame-Options: http://localhost:5007/home/error?errorId=a74accc61bb821ee1f42f7013a306e90 does not permit cross-origin framing. (unknown)
I'm not setting any CSP meta tags on my SPA and I'm wondering if I have to.
Digging a little bit it seems that oidc-client is adding an iframe into my application which points to the checksession page in Identity Server (which does include the CSP header "default-src 'none'; script-src 'unsafe-inline' 'sha256-VDXN0nOpFPQ102CIVz+eimHA5e+wTeoUUQj5ZYbtn8w='")
Can someone help me solving this or lead me into the right direction? My knowledge about CSP is very basic.
It was the Redux devtools addon trying to inject their code on the page.
In my project I have made my connections runs over https. but I don't know why the following issue arises?
[Report Only] Refused to load the image 'https://domain:3000/assets/loading.gif' because it violates the following Content Security Policy directive: "img-src data:".
home:1
Check out point Nr.3 at http://people.mozilla.org/~bsterne/content-security-policy/details.html.
It seems like you will have to send your pages with a header containing X-Content-Security-Policy: allow 'self'; img-src data:. That should do the job.
You have (your web browser has) a "Content Security Policy" which restricts the source of images to "data". That is, like this:
src = 'data:image/gif;base64,R0lGODlhCwALAIAAAAAA3pn/ZiH5BAEAAAEALAAAAAALAAsAAAIUhA+hkcuO4lmNVindo7qyrIXiGBYAOw=='
If you want to load images from 'domain' you will need to adjust your CSP to allow this. More info on CSP here: https://developer.mozilla.org/en-US/docs/Web/Security/CSP