reCaptcha v3 worker-src none - javascript

I keep getting this error in my Console when I run reCaptcha V3:
recaptcha__en.js:310 [Report Only] Refused to create a worker from 'https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=v1548052318968' because it violates the following Content Security Policy directive: "worker-src 'none'".
The script runs ok, but it keeps looking for the worker and I have no clue where to fix this. Is this a common issue or is it something I missed in the documentation?

It seems you have a property in your HTTP header that modify Content-Security-Policy.
Can you inspect your HTTP header on the page and see if you have : 'worker-src 'none'' somewhere ?
This property disallow all the web workers in your page, you can modify it to allow sources, see more in the MDN documentation :
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

Related

Content Security Policy violation on external Js Script

sorry for bad description. I have an app that works fine on localhost and test server. On the machine that has connection to test server when I try to access the app via server's IP and port I can access the app too. But with a rerouting that points to my apps test server IP and port I get below 2 errors in a script that I use from a different host. Test server doesn't has outside connection allowed but related script host has been allowed. I have tried adding CSP headers to ISS but it didn't work. How can I resolve this issue or how can I get more details about it. Any help would appreciated. Thank you.
1st error:
Refused to create a worker from
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
because it violates the following Content Security Policy directive:
"default-src https: data: 'unsafe-inline' 'unsafe-eval'". Note that
'worker-src' was not explicitly set, so 'default-src' is used as a
fallback.
2nd error:
Uncaught DOMException: Failed to construct 'Worker': Access to the
script at
'blob:https://redirecteddomain.com/04891805-36bb-45f7-a4e9-7cb58f25a3bf'
is denied by the document's Content Security Policy.
Script that got the error:
<script src="https://scriptsource.com/script.php?lang=en"></script>
Due to privacy issues domain names are replaced.
Update: So I have tried to download and use the script locally and there were couple of API calls in the javascript file and it gave the same error again.
Update-2: I have checked through the script file and found the lines that are causing the issue, I have added "default-src 'self' 'unsafe-inline'; worker-src blob:;" meta header but still get the same error
const e=window.URL||window.webkitURL,n=new
Blob(['importScripts("'+Dt.faceworker+"?v="+t.replace(/\./g,"")+'");'],
{type:"application/javascript"}),o=e.createObjectURL(n);
Wt=new Worker(o)
The CSP on your page doesn't allow "blob:". Adding another CSP in a meta tag can only impose restrictions, it can't change the other CSP that is likely there and served in a response header. You will likely need to modify the original CSP adding blob: to default-src or worker-src.

Strapi Unsupported protocol issue

Strapi Application.
I am getting this issue on opening admin panel content manager for every content type
Unsupported protocol /content-manager/content-types/api:"
Please tell me where is that coming from I need to make it correct
Also getting this error
Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘self’”. Either the ‘unsafe-inline’ keyword, a hash (‘sha256-rwMOiOeVICH7/Cjy5SkreID3OOi5HTrit357k22hUDQ=’), or a nonce (‘nonce-…’) is required to enable inline execution.

Cordova InAppBrowser executeScript callback

I try to parse some site and execute script in Cordova InAppBrowser's method executeScript on iOS and return some result in callback function, but get this error:
Refused to load gap-iab://InAppBrowser1249228873/%5Bnull%5D because it does not appear in the frame-src directive of the Content Security Policy.
I understand, that gap-iab:// scheme should be included to Content Security Policy in <meta> tag, but code is executing not on my site and I don't have access to it.
Can anyone suggest a decision to resolve this problem?
P.S. On Android executeScript works perfectly.
You could use nginx to proxy the HTML page you are trying to load. You'd set up nginx to proxy the site you are loading in the InAppBrowser, and use the add-header to add a Content-Security-Policy in the response with "'default-src' gap: gap-iab:"
The one issue you may have is if the original server already includes a strict Content-Security-Policy, because the strictest content-security-policy will get applied.

How to overcome Ajax Content Security Policy directive?

I am injecting some JS code on various websites (using Selenium and Python) to send POST requests to my local web server. On some websites it works fine. But mostly, I don't get the requests. Figured it's because of the Content Security Policy.
For example, when I try to run the code using Console in Chrome on github.com, I get a following error:
Refused to connect to 'http://10.50.50.127:7777/' because it violates
the following Content Security Policy directive: "connect-src 'self'
uploads.github.com status.github.com collector.githubapp.com
api.github.com www.google-analytics.com ...".
My code looks like this:
function sendData() {
var request = new XMLHttpRequest();
request.open('POST', 'http://10.50.50.127:7777', false);
request.send("test");
}
I did some research on my own, and found a possible solution - to use a local proxy server and send data to a relative path like "/test". But it's pretty complicated to write a proxy server from scratch.
So, what can I do to overcome this Content Security Policy?
If your using Chrome and you want to disable Content Security Policy you can also use a plugin called Disable Content-Security-Policy from Chrome Web Store. This is the plugin for Chrome to disable headers.
I inject JS via Tampermonkey (Chrome) and this works fine.
If you controlled over both of sides then you can use.
https://easyxdm.net/wp/
Regards
I figured it! Turns out you can just disable all of the security checks:
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--disable-web-security')
chrome_options.add_argument('--allow-running-insecure-content')
browser = webdriver.Chrome(chrome_options=chrome_options)

REST API Error: Refused to connect to ... because it violates the following Content Security Policy directive:

I am trying to update my status on twitter using the REST API to "Update Status".
I am posting it on Twitter's own site, this is what I'm posting:
$.post("https://api.twitter.com/1.1/statuses/update.json?status=Hello")
However I get the error
Refused to connect to
'https://api.twitter.com/1.1/statuses/update.json?status=Hello'
because it violates the following Content Security Policy directive:
"connect-src graph.facebook.com pay.twitter.com
analytics.twitter.com upload.twitter.com 'self'".
Can anyone help? I'm just finding the twitter tutorial a bit confusing; all I want to accomplish is using an api that can easily send tweets. Do I need to do this in a chrome extension?
You need to add api.twitter.com to your CSP:
<meta http-equiv="Content-Security-Policy"
content="connect-src graph.facebook.com
pay.twitter.com analytics.twitter.com
upload.twitter.com api.twitter.com 'self'">
Not sure exactly what your current content security policy looks like, but the correct domain (api.twitter.com) needs to be added to it. This would be in your index.html, by the way.
If you want to see the docs, I'd check out the ones from MDN "Using Content Security Policy".
Edit
You can change the CSP in the manifest.json (read the docs):
{
...,
"content_security_policy": "[POLICY STRING GOES HERE]"
...
}

Categories