Geoserver is getting blocked by Content Security Policy - linux

I have installed GeoServer on my linux machine and is running behind Nginx proxy. GeoServer web interface is working fine. But when I try to create a new store, it is not working. When I click on the "browse" button a modal is opened. That is when the error message is printed on to the console, which says
CSP error
Wicket.Ajax: Wicket.Ajax.Call.processEvaluation: Exception evaluating javascript: EvalError: call to eval() blocked by CSP, text: (function(){var e =
What to add to my content security policy to get this to work? I have added my domain here as well. But that did not work either.
Here is my CSP:
add_header Content-Security-Policy "base-uri 'self'; default-src 'self'; img-src https 'self' https://amazon-bucket.s3.eu-west-2.amazonaws.com/ data:; object-src 'none'; require-trusted-types-for 'script'; script-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com https://unpkg.com; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com https://fonts.gstatic.com https://cdnjs.cloudflare.com https://unpkg.com; font-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com https://fonts.gstatic.com https://unpkg.com";
UPDATE:
I noticed this TrustedHTML assignment error on chrome
This document requires 'TrustedHTML' assignment.
TrustedHTML assignment error

For the first error you'll need to add 'unsafe-eval' to script-src. But note that for each 'unsafe-*' you add the value of your CSP decreases.
TrustedHTML doesn't allow setting innerHTML, use textContent instead if you are setting unformatted text. Otherwise you should be using DOMPurify or some other methods ensure that html is trusted.

Related

Content security policy including a gumroad script

I am developing a website with Wordpress that includes a Gumroad script, in the console it throws the following error:
extended_bundle-2dd0f46384e8ed974d932b1190b99d42941abe18a7b69f4e8bd492fa0a309a13.js:1 Refused to connect to 'https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&_r=3&v=1&_v=j87&tid=UA-29108090-1&cid=256380548.1611057176&jid=2069832337&gjid=1027868402&_gid=88988440.1611562559&_u=SCCAiEADRAAAAE~&z=875389156' because it violates the following Content Security Policy directive: "connect-src 'self' bam.nr-data.net www.dropbox.com s3.amazonaws.com/gumroad s3.amazonaws.com/gumroad/ www.google.com www.gstatic.com *.facebook.com *.facebook.net files.gumroad.com/ d1bdh6c3ceakz5.cloudfront.net/ *.braintreegateway.com www.paypalobjects.com *.paypal.com *.braintree-api.com iframe.ly gumroad.com".
I tried to fix it by putting the info in the meta, but I'm sure I'm wrong. what is the best solution to fix this? (I have never faced this problem before).
<meta http-equiv="Content-Security-Policy" content="default-src https 'self'; child-src * data: blob:; connect-src 'self' bam.nr-data.net www.dropbox.com s3.amazonaws.com/gumroad s3.amazonaws.com/gumroad/ www.google.com www.gstatic.com *.facebook.com *.facebook.net files.gumroad.com/ d1bdh6c3ceakz5.cloudfront.net/ *.braintreegateway.com www.paypalobjects.com *.paypal.com *.braintree-api.com iframe.ly gumroad.com; font-src * data: blob:; frame-src * data: blob:; img-src * data: blob:; media-src * data: blob:; object-src * data: blob:; script-src 'self' 'unsafe-eval' ajax.cloudflare.com static.cloudflareinsights.com js.stripe.com api.stripe.com *.braintreegateway.com *.braintree-api.com www.paypalobjects.com *.paypal.com www.google-analytics.com *.g.doubleclick.net optimize.google.com www.googleadservices.com www.google.com www.gstatic.com *.facebook.net *.facebook.com *.newrelic.com *.nr-data.net www.dropbox.com s.ytimg.com *.jwpcdn.com content.jwplatform.com/libraries/3vz4Z4wu.js *.jwpsrv.com blob: 'self' data: gumroad.us3.list-manage.com analytics.twitter.com 'sha256-VM/GRb7zfHAoT0vOuAlUed7we+jp8z0wsVKkGxFFsqI=' gumroad.com assets.gumroad.com; style-src 'self' 'unsafe-inline' s.ytimg.com ssl.p.jwpcdn.com optimize.google.com assets.gumroad.com; worker-src * data: blob:">
I tried to fix it by putting the info in the meta, but I'm sure I'm wrong.
To fix the issue you have to add https://stats.g.doubleclick.net host-source to connect-src directive.
It's 2 ways to publish CSP:
via meta tag <meta http-equiv="Content-Security-Policy" content="...">
via HTTP header "Content-Security-Policy: ..."
Avoid to use both ways at the same time - in case of 2 CSPs the rules will join with logical "AND" and you'll failed to get expected result.
Therefore you need to know in which way your Wordpress publish the CSP, and then to add the https://stats.g.doubleclick.net into meta OR into HTTP-header respectively.
Typically WP uses plugins to publish CSP. It can also be published in the .htaccess file.
Note 1: the console error you described could be not yours if you use iframe with third-party content (some external widgets, Google auth etc.). Because browser use one console to display CSP violations in any iframes.
Moreover, you could have installed some browsers plugins which tries to modify the viewed page. This can cause CSP violations too.
But lookes like it's caused by Google Adsense you place in web page. `https://stats.g.doubleclick.net. is used to collect stat of Google Ads.

How do I allow a iframe with a content security policy (CSP)

I am setting up a content security policy (CSP)for my website. I have been using it for a few websites for the last weeks without any issue. External scripts and various other things I have successfully integrated.
Today though I wanted to integrate a third part calendar booking system (Calendly). They use an iframe for the popup and for the life of me I can not get it accepted on the security policy.
I keep getting this error
"refused to frame 'url-to-calendly' because it violates the following content security policy directive: "frame-src" ...
I have tired adding this to the frame-src component
frame-src https://assets.calendly.com;
frame-src 'self' https://assets.calendly.com;
frame-src 'self' https://assets.calendly.com 'unsafe-inline';
frame-src https://assets.calendly.com 'nonce-lots-of-digits';
frame-src 'self' https://assets.calendly.com 'nonce-lots-of-digits';
I did the same under the child-src directive as well. Since frame-src is no longer used in version two. Again this did not work either. Here is my full CSP. Any help here would be greatly appreciated - thank you. Ps. I was using chrome dev tools. It appeared to neither work in Safari either.
Content-Security-Policy:
script-src 'nonce-4dfb7738f82d40efc1b73a80491d6dd0bb839173' 'unsafe-inline'; object-src 'none';
default-src 'nonce-77184b203c574dfd8ecc7fac417bf078242d4657';
img-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
style-src 'self' https://assets.calendly.com;
font-src 'self';
connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;
base-uri 'none';
child-src https://assets.calendly.com;
frame-src https://assets.calendly.com;
To make Calendly work on your website you need to add following CSP rules:
frame-src https://calendly.com;
script-src https://assets.calendly.com;
style-src 'unsafe-inline';
So actually the answer turned out to be very simple. I contacted calendly directly and the simple solution was to change the url I added. https://calendly.com was enough to do the trick.
So the url you gave #andrii was correct - thank you. However using ‘unsafe-inline’ is not advisable. Using that on any of the sources makes your CSP almost pointless having.
You can use like this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' ;
img-src 'self' 'unsafe-inline'
https://www.google.com/;
style-src 'self' 'unsafe-inline'
https://fonts.googleapis.com ;
script-src 'self' 'unsafe-inline'
https://www.google-analytics.com
https://www.torrentpower.com;
connect-src 'self'
https://google.com/
https://www.google-analytics.com;
child-src 'self' https://www.google.com/;
object-src 'self';">

Content Security Policy ignored by Latest Chrome Update

My CSP policy is being ignored by the latest version of Chrome. I decided today to recreate the policy to try debug why, but as you can see from the error below, Chrome is advising me to add a hash that is already in the CSP (see sha256-idz8mDU5fJ8lJuEwY6hbkXVde/nqBBjQE/u5rxw1HUk=):
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://pro.fontawesome.com/ 'sha256-LpfmXS+4ZtL2uPRZgkoR29Ghbxcfime/CsD/4w5VujE=' 'sha256-F+21FF3QOEHS5CNuMQEs3Q+LB0uULZF9DODEYnH/mMQ=' 'sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs=' 'sha256-nK6A3vwzvwoN92MnHZrWtylYkYmW1jCQgTqWKQJNBMI=' 'sha256-idz8mDU5fJ8lJuEwY6hbkXVde/nqBBjQE/u5rxw1HUk='". Either the 'unsafe-inline' keyword, a hash ('sha256-idz8mDU5fJ8lJuEwY6hbkXVde/nqBBjQE/u5rxw1HUk='), or a nonce ('nonce-...') is required to enable inline execution.
This is working correctly in Firefox and Safari, so I'm thinking that there is something in my policy that is causing Chrome to stop reading values?
The content of my .htaccess file is:
Header set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self' https://pro.fontawesome.com/; frame-src 'self'; img-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' https://pro.fontawesome.com/ 'sha256-LpfmXS+4ZtL2uPRZgkoR29Ghbxcfime/CsD/4w5VujE=' 'sha256-F+21FF3QOEHS5CNuMQEs3Q+LB0uULZF9DODEYnH/mMQ=' 'sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs=' 'sha256-nK6A3vwzvwoN92MnHZrWtylYkYmW1jCQgTqWKQJNBMI=' 'sha256-idz8mDU5fJ8lJuEwY6hbkXVde/nqBBjQE/u5rxw1HUk=';"
Any advise is greatly appreciated.
I think this resource answers your question:
https://bugs.chromium.org/p/chromium/issues/detail?id=546106
The styles being blocked in the examples are styles in a style
attribute, Chrome only applies styles in style attributes when
'unsafe-inline' is set in 'style-src'. Safari behaves similarly but
Firefox does apply the styles if they match a hash in 'style-src'.
The CSP specification defines the hash and nonce exceptions only for
the and elements, not for the style and script
attributes so Chrome's behaviour seems to follow the spec. But the
error message generated in the console is incorrect (and confusing).
By the looks of it Chrome is following the CSP specification. I was facing the same issue with inline styles and seeing the same response as you, matching sha256 hashes! My solution has been to remove my inline styles and add them into my CSS to avoid inline styles completely.
While the console logged:
Refused to apply inline style because it violates the following
Content Security Policy directive: "style-src 'self'
'sha256-tLBf5MoZ1LfLjLmXgREJmfznfoX6mUwoWQJnC30N6JI='. Either the
'unsafe-inline' keyword, a hash
('sha256-tLBf5MoZ1LfLjLmXgREJmfznfoX6mUwoWQJnC30N6JI='), or a nonce
('nonce-...') is required to enable inline execution.
The solution would be to add 'unsafe-hashes', like so: style-src 'self' 'unsafe-hashes' 'sha256-tLBf5MoZ1LfLjLmXgREJmfznfoX6mUwoWQJnC30N6JI='.
See the 'unsafe-hashes' directive: https://w3c.github.io/webappsec-csp/#unsafe-hashes-usage

Content security policy causes error in Liferay 7 project

As part of new security requirement from the client I have added "Content Security Policy" in my Liferay application:
response.setHeader(
"Content-Security-Policy",
"default-src 'none'; script-src 'unsafe-inline' *.googleapis.com; style-src 'self' *.googleapis.com;font-src 'self' *.gstatic.com;connect-src ; img-src 'self' data:;base-uri 'none';frame-ancestors 'none';");
But I am getting below error
Refused to load the script 'http://localhost:8080/o/js_loader_modules?t=1536146336645' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' *.googleapis.com".
Local server up and running localhost:8080. How to solve this?
It looks like CSP blocks your own script from loading and only allows inline <script> tags from googleapis.com. You should try adding 'self' to your CSP rules, because it means you can use scripts from your own domain.
script-src 'self' 'unsafe-inline' *.googleapis.com;

Google fonts blocked by Content Security Policy

Hi i have some content security policy like this:
<meta http-equiv="content-security-policy" content="default-src 'self';
script-src 'self' 'nonce-MhqUJrKKq9' https://ajax.googleapis.com/ajax/libs/webfont/1.6.16/webfont.js;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/;
object-src 'none'; base-uri 'none';">
I was try to allow a google fonts, but it give me this error:
webfont.js:17 Refused to load the stylesheet 'http://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700%7CRoboto:300,400,500,600,700' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/".
so what can caused this error? i though i already exclude it from my policy.
Try google fonts without https , http://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700%7CRoboto:300,400,500,600,700%27

Resources