Strapi Unsupported protocol issue - javascript

Strapi Application.
I am getting this issue when opening the admin panel content manager for every content type:
Unsupported protocol /content-manager/content-types/api:"
Please tell me where that is coming from; I need to make it correct.
I am also getting this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-rwMOiOeVICH7/Cjy5SkreID3OOi5HTrit357k22hUDQ='), or a nonce ('nonce-...') is required to enable inline execution.

Related

Content Security Policy violation on external Js Script

Sorry for the bad description. I have an app that works fine on localhost and on the test server. On a machine that has a connection to the test server, when I try to access the app via the server's IP and port, I can access the app too. But with a rerouting that points to my app's test server IP and port, I get the two errors below in a script that I use from a different host. The test server doesn't have outside connections allowed, but the related script host has been allowed. I have tried adding CSP headers to IIS but it didn't work. How can I resolve this issue, or how can I get more details about it? Any help would be appreciated. Thank you.
1st error:
Refused to create a worker from
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
because it violates the following Content Security Policy directive:
"default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that
'worker-src' was not explicitly set, so 'default-src' is used as a
fallback.
2nd error:
Uncaught DOMException: Failed to construct 'Worker': Access to the
script at
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
is denied by the document's Content Security Policy.
Script that got the error:
<script src="https://scriptsource.com/script.php?lang=en"></script>
Due to privacy issues domain names are replaced.
Update: So I have tried to download and use the script locally; there were a couple of API calls in the JavaScript file and it gave the same error again.
Update-2: I have checked through the script file and found the lines that are causing the issue. I have added the "default-src 'self' 'unsafe-inline'; worker-src blob:;" meta header but still get the same error:
const e = window.URL || window.webkitURL,
      n = new Blob(['importScripts("' + Dt.faceworker + "?v=" + t.replace(/\./g, "") + '");'],
                   { type: "application/javascript" }),
      o = e.createObjectURL(n);
Wt = new Worker(o)
The CSP on your page doesn't allow "blob:". Adding another CSP in a meta tag can only impose restrictions, it can't change the other CSP that is likely there and served in a response header. You will likely need to modify the original CSP adding blob: to default-src or worker-src.

Electron Confusion about Security

Ok, I'm just lost. I opened an Electron start app and added one simple piece of code, to console.log on a button press. The function is in a file renderer.js and is being called in my index.html. Why, when I press the button,
do I get this message?
Refused to execute inline event handler because it violates the following Content
Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a
hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
Why would I not be allowed to execute something inline? An external source seems more vulnerable. Can anyone clear this up for me please?
Content Security Policy is used to avoid XSS-based attacks in the browser. In Electron the background is running in a Chrome engine, so the code is actually running in a Chromium browser. This browser is prone to all the security issues that a browser has.
What is Content-Security-Policy?
Content-Security-Policy is the name of an HTTP response header that modern browsers use to enhance the security of the document (or web page). The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything else that the browser loads are fetched.
You can add the following code at the top of the HTML to avoid the content security issue. This new header will allow the inline code to execute:
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
What will this meta tag do?
Allows
With the above CSP policy, the following are allowed to load and execute in the browser:
<!-- allowed by 'self' -->
<script src="/js/some-file.js"></script>
<!-- allowed by https://js.example.com -->
<script src="https://js.example.com/file.js"></script>
Blocks
The Example Policy above will block the following from loading or executing in the browser:
<script src="https://attacker.example.com/file.js"></script>

Refused to load the image 'http://localhost:8080/favicon.ico' because it violates

I'm working on a JavaScript app, food2fork. But I get an error after the AJAX call's API promise is fulfilled and the results (recipes) are rendered. When I click one of them it moves to the next page and says
Cannot GET /47746
and gives an error on the console:
Refused to load the image 'http://localhost:8080/favicon.ico' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.
How to get rid of this kind of error?
This is because a Content Security Policy (CSP) header is set somewhere in your application.
Content Security Policy (CSP) is an added layer of security that helps
to detect and mitigate certain types of attacks, including Cross Site
Scripting (XSS) and data injection attacks./.../
A CSP compatible browser will then only execute scripts loaded in
source files received from those allowlisted domains, ignoring all
other script (including inline scripts and event-handling HTML
attributes).
As an ultimate form of protection, sites that want to never allow
scripts to be executed can opt to globally disallow script execution. [edit: hence the "default-src 'none'" policy]
More on CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
You can create a CSP with online tools, like
https://report-uri.com/home/generate
https://www.cspisawesome.com
A CSP with "default-src 'none'" means that nothing can be displayed/run on your domain; you have to "whitelist" the services/content that you allow (default-src is a fallback for other resource types that do not have policies of their own, so if you have it set to none, then you have to add the sources that are explicitly allowed).
A policy is described using a series of policy directives, each of
which describes the policy for a certain resource type or policy area.
WHAT YOU CAN DO
In your case, you may need a policy something like:
"default-src 'none'; img-src 'self'".
I'm pretty sure though, that as you go forward you'll need more rules, so check out the sources and the online CSP generators, so you won't have a hard time.
OR you may
Remove the CSP (not advised - it's a security measure)
For development purposes, you may set Content-Security-Policy-Report-Only (this way the CSP does not stop your content from being displayed/run, but shows "what would have been done" if it were not set only to report the problems. Don't forget to handle this in the production environment!)
REFERENCE
CSP reference: https://content-security-policy.com
More on CSP: https://scotthelme.co.uk/content-security-policy-an-introduction/
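A worked example added here for both the blob: worker answer above and this favicon answer; it is not code from any of the posts and is not how any browser implements CSP. It is a small JavaScript model of how fetch directives are evaluated: every policy in effect (header plus any meta tag) must allow the request, and worker-src and img-src fall back to default-src when not set. The function names are mine, the sample policies and URLs are the ones quoted in the posts, and host sources are assumed to match by exact origin only (no wildcards, paths, nonces or hashes).

```javascript
// Added example, not code from any post above: a small model of how a browser evaluates
// CSP fetch directives. Assumption: host sources match by exact origin only.
// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}
// Does one source expression match the request URL?
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.protocol !== "blob:" && url.origin === pageOrigin;
  if (s.startsWith("'")) return false;            // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme source: blob:, https:, gap-iab:
  if (!/^https?:\/\//.test(s)) return false;      // bare hosts and wildcards not modelled (assumption)
  return url.protocol !== "blob:" && url.origin === new URL(s).origin;  // host source
}

// Directive governing a request type, with the fallback chain the errors above mention
// ("'worker-src' was not explicitly set, so 'default-src' is used as a fallback").
const FALLBACK = { "worker-src": ["child-src", "script-src", "default-src"] };
function governingSources(directives, type) {
  for (const name of [type, ...(FALLBACK[type] || ["default-src"])]) {
    if (directives[name]) return directives[name];
  }
  return null;  // no applicable directive at all: allowed
}

// A request must pass EVERY policy in effect (header and <meta>): an extra policy can
// only add restrictions, which is why the <meta> tag in Update-2 could not unblock the worker.
function isAllowed(policies, type, urlString, pageOrigin) {
  const url = new URL(urlString);
  return policies.every((policy) => {
    const sources = governingSources(parsePolicy(policy), type);
    return sources === null || sources.some((s) => sourceMatches(s, url, pageOrigin));
  });
}
// Constructed inputs taken from the messages quoted above (domains are the posters' placeholders).
const HEADER_CSP = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
const META_CSP = "default-src 'self' 'unsafe-inline'; worker-src blob:";
const WORKER_URL = "blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf";
const PAGE = "https://redirecteddomain.com";
console.log(isAllowed([HEADER_CSP, META_CSP], "worker-src", WORKER_URL, PAGE));            // false: still blocked
console.log(isAllowed([HEADER_CSP + "; worker-src blob:"], "worker-src", WORKER_URL, PAGE)); // true: header fixed
console.log(isAllowed(["default-src 'none'; img-src 'self'"], "img-src", "http://localhost:8080/favicon.ico", "http://localhost:8080")); // true
```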

Cordova InAppBrowser executeScript callback

I am trying to parse a site and execute a script with Cordova InAppBrowser's executeScript method on iOS and return a result in the callback function, but I get this error:
Refused to load gap-iab://InAppBrowser1249228873/%5Bnull%5D because it does not appear in the frame-src directive of the Content Security Policy.
I understand that the gap-iab:// scheme should be included in the Content Security Policy in the <meta> tag, but the code is executing on a site that is not mine and I don't have access to it.
Can anyone suggest a way to resolve this problem?
P.S. On Android executeScript works perfectly.
You could use nginx to proxy the HTML page you are trying to load. You'd set up nginx to proxy the site you are loading in the InAppBrowser, and use the add_header directive to add a Content-Security-Policy in the response with "'default-src' gap: gap-iab:"
The one issue you may have is if the original server already includes a strict Content-Security-Policy, because the strictest content-security-policy will get applied.

reCaptcha v3 worker-src none

I keep getting this error in my Console when I run reCaptcha V3:
recaptcha__en.js:310 [Report Only] Refused to create a worker from 'https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=v1548052318968' because it violates the following Content Security Policy directive: "worker-src 'none'".
The script runs ok, but it keeps looking for the worker and I have no clue where to fix this. Is this a common issue or is it something I missed in the documentation?
It seems you have a property in your HTTP header that modifies the Content-Security-Policy.
Can you inspect the HTTP headers on the page and see if you have worker-src 'none' somewhere?
This property disallows all web workers in your page; you can modify it to allow sources. See more in the MDN documentation:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
