Google console in tests via Firebase Robo test shows an exception.
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src https://abs.twimg.com https://abs-0.twimg.com https://twitter.com https://mobile.twitter.com"
but in setting of WebView settings JS is enabled.
WebSettings settings = webview.getSettings();
settings.setJavaScriptEnabled(true);
webview.setWebChromeClient(new WebChromeClient());
settings.setSupportMultipleWindows(true);
settings.setDomStorageEnabled(true);
the same exception if put in the header
headers.put("Content-Security-Policy", "script-src 'self' 'unsafe-inline' 'unsafe-eval'");
Related
When making a http request to "https://example.com/api" - the console throws an error
Refused to connect to...because it violates the following Content Security Policy directive: "connect-src http://localhost:*...
How can I resolve this error?
To make 3rd party API requests in your UI extension you mus specify the endpoints to be allowlisted in your "content_security_policy": { "connect-src": [] }
You can use the Stripe CLI to grant the URL permission:
stripe apps grant url "https://*.api.example.com/path/" "Send data to example service..."
For full reference, see the Stripe Apps docs.
When I add new server to a nestjs DocumentBuilder .addServer('http://localhost:7071') it thows a permission error when I try to execute routes at generated swagger page.
At the browser console it thows this error:
Refused to connect to 'http://localhost:7071/api/session/signin' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to connect to 'http://localhost:7071/api/session/signin' because it violates the document's Content Security Policy.
I already enable cors at the nestjs app with no luck!
app.enableCors();
Maybe I'm missing some security policy at the DocumentBuilder? Something like .addSecurity()? If it is the case How can I add this security policy?
This error is caused by wrong CORS config. To fix it:
Update swagger by adding :
.addServer('http://localhost:3000')
Add origin in CORS config (the address you're using) :
app.enableCors({origin: 'http://localhost:3000'});
i'm trying use google drive API quickstart project inside electron. here's my sample project:
electron quickstart with google api
how it should works:
when click authorize button, it'll redirected to authUrl then we can copy the authorization key, insert the authorization key page to input with id 'key'
when i run from electron,its return following error:
D:\koding\electron-example\gdrive\node_modules\gaxios\build\src\gaxios.js:68 Refused to connect to 'https://oauth2.googleapis.com/token' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
how to resolve this?
answered from this post refused-to-load-the-script-because-it-violates-the-following-content-security
we need to specify which kind of address that will allowed by content security
I use Fetch API (Javascript) in a Chrome Extension to retrieve a .json from my server.
The request can't be submitted due to Chrome CORS - Preflight Error <- Error Screenshot
How can I enable CORS when my client is a Chrome Extension?
You need to request the cross-origin permission for your server's host.
Add your server's host to your manifest.json permissions field:
{
"name": "...",
...
"permissions": [
...,
"https://yourserver.com/"
],
...
}
You can add multiple hosts in permissions field, so you can enable cross-origin permission for all the hosts you need.
I have an Owin WebAPI2 .NET app that I host on an AppService in Azure.
I want to add CORS support using Azure as in this article. It seems simple, you just add an Origin site to the list like this: http://screencast.com/t/r2ATq4u5
I would now expect the Response headers to contain this allowed Origin.
However, the CORS headers are not included in the Response Headers when I check it with Fiddler:
http://corstestqm.azurewebsites.net/breeze/restaurantsbreeze/basictest
Steps I have tried:
Stripped out all CORS Nuget libraries from my solution and all traces of CORS code in my API project.
Deployed to a brand new AppService
Enabled Owin Cors AllowAll
None of these had any effect. (ie. the Response does not contain the CORS header specified in Azure).
Am I missing something really basic here?
UPDATE
I simplified the problem even more:
In VS2015, I created a new API project and pushed it to http://corstestbasicap2.azurewebsites.net/api/values/
with no changes (ie. it should NOT have CORS enabled).
I then use Test-Cors tool to hit that API. It does not get a CORS error as expected. I then go into Azure and add a dummy URL (e.g http://www.example.com) and try the CORS test again. It should fail as Azure should only let example.com through. However, it works fine.
I then edit CORS again in Azure and add http://www.test-cors.org below http://www.example.com (so it should let either through) and now the headers return Access-Control-Allow-Origin:http://www.test-cors.org as expected.
But this makes no sense? Surely the previous call should fail when "http://www.test-cors.org" was NOT in the allowed Origins? It does not seem to be doing anything useful?!
You can achieve these by adding in your web.config bellow configuration:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*"/>
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization"/>
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS"/>
</customHeaders>
</httpProtocol>
</system.webServer>
In global.asax:
protected void Application_BeginRequest()
{
if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
{
Response.Flush();
}
}
If you want control from portal, please view bellow image:
Note, according with App Service CORS documentation you can not use both Web API CORS and App Service CORS in one API app. You have to clean your project about Web API CORS
Don't try to use both Web API CORS and App Service CORS in one API
app. App Service CORS will take precedence and Web API CORS will have
no effect. For example, if you enable one origin domain in App
Service, and enable all origin domains in your Web API code, your
Azure API app will only accept calls from the domain you specified in
Azure.
My problem was that I accidentally put http instead of https into Azure AD B2C custom page config blade ... After change to https it works like a charm.
CORS headers missing when deployed on Azure Web App / Azure API