I am new to metabase. I have downloaded the metabase source code and hosted it in the Ubuntu 16.04 LTS server.When I am starting the Metabase server with the "lein ring server" command, I get "java.awt.HeadlessException". I have read some where in the github issues only that it can be ignored. Front end is built with "yarn run build-hot" command. When accessing the front end from the browser, I get the following errors
Refused to load the script
'http://locahost:8080/app/dist/vendor.hot.bundle.js?222bfa78ab06d868cbf4'
because it violates the following Content Security Policy directive:
"script-src 'unsafe-inline' 'unsafe-eval' 'self'
https://maps.google.com https://apis.google.com
https://www.google-analytics.com https://*.googleapis.com
*.gstatic.com localhost:8080".
Refused to load the script
'http://locahost:8080/app/dist/app-main.hot.bundle.js?222bfa78ab06d868cbf4'
because it violates the following Content Security Policy directive:
"script-src 'unsafe-inline' 'unsafe-eval' 'self'
https://maps.google.com https://apis.google.com
https://www.google-analytics.com https://*.googleapis.com
*.gstatic.com localhost:8080".
Its seems like CSP issue. U can fix this problem using
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://www.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com; style-src 'unsafe-inline' 'self' https://www.google.com; connect-src 'self' https://api.gole.in;img-src 'self' https://www.google.co.in/ads/ga-audiences; font-src 'self' data: https://fonts.gstatic.com;">
How to allow eval()?
I'm sure many people would say that you don't, since 'eval is evil' and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:
content="script-src 'unsafe-eval'"
Reference Link : https://content-security-policy.com/
Related
Recently we integrated a third party script Pendo.js for application inspection of end user usability.
To allow this script we have added relevant Content-Security-Policy changes to the Nginx server config file.
The Pendo.js script was injected properly and is performing as expected.
But during the excel file download through an API call we are facing the following error.
CSP Header:
add_header Content-Security-Policy " default-src 'self' https:; script-src-elem 'self' 'unsafe-inline' https://.pendo.io; script-src 'self' https://.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5725335814144000.storage.googleapis.com https://.pendo.io 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://netdna.bootstrapcdn.com .marketmedium.net 'unsafe-inline' https://.pendo.io pendo-static-5725335814144000.storage.googleapis.com; font-src 'self' 'unsafe-eval' https://fonts.gstatic.com https://netdna.bootstrapcdn.com; img-src 'self' data: .marketmedium.net https://.pendo.io pendo-static-5725335814144000.storage.googleapis.com https://.pendo.io 'unsafe-inline' 'unsafe-eval'; object-src 'none'; connect-src .marketmedium.net https://.pendo.io pendo-static-5725335814144000.storage.googleapis.com;frame-ancestors https://.pendo.io; frame-src https://.pendo.io 'unsafe-inline' 'unsafe-eval'; child-src https://*.pendo.io;";
Error:
Refused to frame 'dashboardReportDownload?columnNames%5B0%5D=&columnNames%5B1%5D=copy_deal&columnNames%5B2%5D=deal_name&columnNames%5B3%5D=deal_number&columnNames%5B4%5D=deal_status&columnNames%5B5%5D=organization_name&columnNames%5B6%5D=deal_type_name&columnNames%5B7%5D=edh%23id&columnTexts%5B0%5D=&columnTexts%5B1%5D=Copy&columnTexts%5B2%5D=Deal%20Name&columnTexts%5B3%5D=Deal%20Number&columnTexts%5B4%5D=Status&columnTexts%5B5%5D=Organization&columnTexts%5B6%5D=Deal%20Type&columnTexts%5B7%5D=edh%23id&inClauseFields%5B0%5D=edh%23id&edh%23id%5B0%5D=1091&reportId=61f7d68ea90238841a92a0d0&reportViewName=Deal%20Sheet%20Report&downloadFileType=xlsx' because it violates the following Content Security Policy directive: "frame-src https://.pendo.io".
VM3432:6750 crbug/1173575, non-JS module files deprecated.
Your say your frame-src directive is set to "https://*.pendo.io 'unsafe-inline' 'unsafe-eval'" (saying 'seems' as the * character is removed and causing parts of your question to be in italics). Although the error message says that frame-src is just "https://*.pendo.io". When downloading a frame from an undisclosed source is created.
If you addded frame-src to your policy to support pendo, you are no longer using the fallback to default-src which allows "'self' https:". You have thus moved from accepting all sources for frames to only allowing *.pendo.io. You will need to add the blocked host (potentially 'self') to frame-src.
Error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
The error only shows in other browser and not chrome. I found some answers and they say to add
<meta http-equiv="Content-Security-Policy" content="font-src 'self' 'unsafe-inline' data:; img-src 'self' data:; style-src 'self' 'unsafe-inline' data:; script-src 'unsafe-eval' 'unsafe-inline' data:; default-src 'self' localhost:*">
Reference: Content Security Policy
And after adding the meta tag an error pops up on refresh of the browser including chrome.
Error: Refused to load the script '' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' data:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Please help.
I found the answer.
The problem was with helmet node module.
When I remove the app.use(helmet()) from my backend, The problem goes away.
If you're also having this error, I replaced the app.use(helmet()) with app.use(
helmet({
contentSecurityPolicy: false,
})
);
Even By using meta tags, It is still showing error and Iframe is not working
<meta http-equiv="Content-Security-Policy" content="
default-src *;
style-src 'self' 'unsafe-inline';
script-src * 'self' https://checkout.stripe.com 'unsafe-inline'
connect-src : * 'self' https://checkout.stripe.com 'unsafe-inline'
frame-src : * 'self' https://checkout.stripe.com 'unsafe-inline'
'unsafe-eval'
;" >
Link reference : https://stripe.com/docs/security/guide#content-security-policy
Error : Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)
Also I used header() to set this up, but that also didn't worked. Any Help will be appreciated
Your CSP has a lot of errors:
You have missed semicolons ; to separate script-src / connect-src / frame-src directives lists.
: is nor required in the connect-src : * ... and in the frame-src : * ...
Remove 'unsafe-inline' and 'unsafe-eval' from the connect-src and frame-src directives, those are not supported there
The * (asterisk) covers any host-sources like https://checkout.stripe.com and wss://checkout.stripe.com
BUT these are not significant, these just leads the CSP you have really is:
default-src *;
style-src 'self' 'unsafe-inline';
script-src * 'self' 'unsafe-inline' 'unsafe-eval'
This CSP restrict nothing except data:-Urls usage. Therefore the error:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)
cannot belong your CSP.
Looks like you already have CSP header published somewhere. Hence second CSP via <meta> or HTTP header does not have effect as expected.
Check what CSP header you really have got in browser, the tutorial is here.
Check web-server config in Nginx for add_header Content-Security-Policy ... or .htaccess file (if Apache) for Header set Content-Security-Policy ... presence.
Or maybe you have installed some plugins for managing CSP headers.
You're missing img-src https://*.stripe.com described in the Stripe documentation.
Also the asterisk character alone doesn't work as "any resource" (example of incorrect use in your code: default-src *). You need to use it as part of the <host-source> (e.g. *.example.com). See MDN docs for more details.
I am making a site that uses webpack.
I am about to launch it and I want to put on addThis share widget. I am adding the addThis code in the index.html right before closing body tag as advised by addThis. Like this:
<!-- Go to www.addthis.com/dashboard to customize your tools -->
<script type="text/javascript"
src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-
###MY_NUMBERS###"></script>
</body>
this generates the following error in chrome-inspect console:
Refused to load the script
'http://s7.addthis.com/js/300/addthis_widget.js' because it violates
the following Content Security Policy directive: "script-src 'self'".
I have read up a little on it and it does not seem to work to seperate addThis to another js-file and save that locally to load it to DOM.
I tried add this to my manifest.json:
"content_security_policy": "script-src 'self' http://s7.addthis.com/js/300/addthis_widget.js; object-src 'self'"
No success. Is there a way to override CSP settings to allow for addThis-widget?
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'
'unsafe-eval' https://*.addthis.com https://addthis.com;child-src 'self' 'unsafe-
inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; object-src 'self'
'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; script-src
'self' 'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com; img-src
'self' 'unsafe-inline' 'unsafe-eval' https://*.addthis.com https://addthis.com;">
Adding this to your header will allow the addthis widget to load. Might not be secure, which will defeat the purpose of Content-Security-Policies...
I always set my CSP through the .htaccess if it's available.
Here are some good tips: https://content-security-policy.com/
You're basically there, but unsure how it works with manifest.json.
Try similar in .htaccess:
Header set Content-Security-Policy "default-src 'none'; script-src 'self' http://*.addthis.com
Some things to be aware of with .htaccess files: https://www.digitalocean.com/community/tutorials/how-to-use-the-htaccess-file
Also, using a CSP, you will need to specifiy all the external sources you use basically.
It's worth looking into CSPs in more detail and being aware of all the various sources of images, fonts, etc etc. you use.
Any problems, let me know and I'll expanded further.
I am using CAPTCHA on page load, but it is blocking because of some security reason.
I am facing this problem:
Content Security Policy: The page's settings blocked the loading
of a resource at
http://www.google.com/recaptcha/api.js?onload=myCallBack&render=explicit
("script-src http://test.com:8080 'unsafe-inline' 'unsafe-eval'").
I have used the following JavaScript and meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
<script src="http://www.google.com/recaptcha/api.js?onload=myCallBack&render=explicit" async defer></script>
You have said you can only load scripts from your own site (self). You have then tried to load a script from another site (www.google.com) and, because you've restricted this, you can't. That's the whole point of Content Security Policy (CSP).
You can change your first line to:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.google.com">
Or, alternatively, it may be worth removing that line completely until you find out more about CSP. Your current CSP is pretty lax anyway (allowing unsafe-inline, unsafe-eval and a default-src of *), so it is probably not adding too much value, to be honest.
With my ASP.NET Core Angular project running in Visual Studio 2019, sometimes I get this error message in the Firefox console:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).
In Chrome, the error message is instead:
Failed to load resource: the server responded with a status of 404 ()
In my case it had nothing to do with my Content Security Policy, but instead was simply the result of a TypeScript error on my part.
Check your IDE output window for a TypeScript error, like:
> ERROR in src/app/shared/models/person.model.ts(8,20): error TS2304: Cannot find name 'bool'.
>
> i 「wdm」: Failed to compile.
Note: Since this question is the first result on Google for this error message.
I had a similar error type. First, I tried to add the meta tags in the code, but it didn't work.
I found out that on the nginx web server you may have a security setting that may block external code to run:
# Security directives
server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src https://player.vimeo.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
Check the Content-Security-Policy. You may need to add the source reference.
I managed to allow all my requisite sites with this header:
header("Content-Security-Policy: default-src *; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' stackexchange.com");
add this to nginx directives
http {
# ...
add_header Content-Security-Policy "
default-src 'self' myDomain.com *.myDomain.com;
script-src 'self' myDomain.com *.myDomain.com 'unsafe-inline' tagmanager.google.com www.googletagmanager.com *.googletagmanager.com www.google-analytics.com ssl.google-analytics.com;
style-src 'self' myDomain.com *.myDomain.com 'unsafe-inline' tagmanager.google.com fonts.googleapis.com www.googletagmanager.com *.google-analytics.com *.googletagmanager.com;
img-src 'self' myDomain.com *.myDomain.com 'unsafe-inline' ssl.gstatic.com www.gstatic.com www.google-analytics.com;
font-src 'self' myDomain.com *.myDomain.com 'unsafe-inline' fonts.gstatic.com data;
connect-src 'self' myDomain.com *.myDomain.com 'unsafe-inline' *.google-analytics.com *.analytics.google.com *.googletagmanager.com ww.google-analytics.com;
";
# ...
}
but its for development purposes for production make sure remove all 'unsafe-inline's
You can fix via adding code in htaccess
<IfModule mod_headers.c>
# Feature-Policy
Header set Feature-Policy "microphone 'none'"
# Referrer-Policy
Header set Referrer-Policy "same-origin"
# Content-Security-Policy
Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' e.g. https://ajax.googleapis.com https://ssif1.globalsign.com https://malsup.github.io https://seal.globalsign.com https://www.googletagmanager.com https://www.google.com https://www.gstatic.com https://assets.zendesk.com https://chimpstatic.com https://cdn.ywxi.net https://static.hotjar.com https://maxcdn.bootstrapcdn.com https://www.google-analytics.com https://static.zdassets.com https://connect.facebook.net https://script.hotjar.com https://*.livechatinc.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://ajax.googleapis.com;"
# X-XSS-Protection
Header set X-XSS-Protection "1; mode=block"
</IfModule>
!!ONLY FOR DEBUGGING!!
Do this only temporarily if really necessary at all, as this makes your browser vulnerable on all sites!
You can disable them in your browser.
Firefox
Type about:config in the Firefox address bar and find security.csp.enable and set it to false.
Chrome
You can install the extension called Disable Content-Security-Policy to disable CSP.