When I add new server to a nestjs DocumentBuilder .addServer('http://localhost:7071') it thows a permission error when I try to execute routes at generated swagger page.
At the browser console it thows this error:
Refused to connect to 'http://localhost:7071/api/session/signin' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to connect to 'http://localhost:7071/api/session/signin' because it violates the document's Content Security Policy.
I already enable cors at the nestjs app with no luck!
app.enableCors();
Maybe I'm missing some security policy at the DocumentBuilder? Something like .addSecurity()? If it is the case How can I add this security policy?
This error is caused by wrong CORS config. To fix it:
Update swagger by adding :
.addServer('http://localhost:3000')
Add origin in CORS config (the address you're using) :
app.enableCors({origin: 'http://localhost:3000'});
Related
When making a http request to "https://example.com/api" - the console throws an error
Refused to connect to...because it violates the following Content Security Policy directive: "connect-src http://localhost:*...
How can I resolve this error?
To make 3rd party API requests in your UI extension you mus specify the endpoints to be allowlisted in your "content_security_policy": { "connect-src": [] }
You can use the Stripe CLI to grant the URL permission:
stripe apps grant url "https://*.api.example.com/path/" "Send data to example service..."
For full reference, see the Stripe Apps docs.
I have my front-end hosted on Vercel and my back-end hosted on Heroku. Both have a custom domain, where the domain of the server is a subdomain (front-end: "example.me", back-end: "api.example.me"), and both have a valid SSL certificate (chained with intermediate certificates up to a root CA). The back-end, written with node.js/express, is set up with CORS parameters origin which points to the URL of the front-end and the credentials set to true. For example the CORS setup looks like this:
app.use(
cors({
origin: 'example.me',
credentials: true,
})
)
I have also tried setting the CORS origin to 'https://example.me', 'www.example.me',... and variations like that, but that produced the same response.
I am trying to fetch a resource from my back-end by calling api.example.me/me from my front-end. The request returns an error code 503, with the following errors in the browser's console:
[Error] Origin https://www.example.me is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://api.example.me/me due to access control checks.
[Error] Failed to load resource: Origin https://www.example.me is not allowed by Access-Control-Allow-Origin. (me, line 0)
[Error] Unhandled Promise Rejection: Error: Network Error
After trying to manually set the Access-Control-Allow-Origin header via response.header() to both the front-end URL and then even to * the back-end became completely unresponsive.
I also tried verifying that the full chain of certificates is being loaded when accessing the back-end using
openssl s_client -connect api.example.me:443 -servername api.example.me -showcerts and it shows all the certificates.
I am looking for Integration of DocuSignApi with Angular. I am following these steps.
Angular Application
Backend Server using .net core Web API to handle and DocuSign api using nuget.
Can I achieve this?
Option 1 - Angular application - will hit - login method of middleware api application - middleware will communicate - docusign - after successful it will share details of logged in users.
Option 2 - Angular application - directly hit to docusign methods for this When I am doing like this
var url = "https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=XXXXXXXXXXXXXXX-01caXXXXXXXX&state=a39fh23hnf23&redirect_uri=http://localhost:81/";
return this._dataService.getThirdParty1(url, header)
.pipe(map((response: Response) => {
return response;
}));
- public getThirdParty(url) {
return this._httpClient.get( url).pipe().pipe(map(this.handleResponse)).pipe(catchError(this.handleError.bind(this)));
}
I am getting error
Access to XMLHttpRequest at 'https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=XXXXXXXXXXXXXXX-01ca8f1b220&state=a39fh23hnf23&redirect_uri=http://localhost:81/' from origin 'http://localhost:81' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=XXXXXXXXXX-411a-9bb9-01ca8f1b220&state=a39fh23hnf23&redirect_uri=http://localhost:81/:1 Failed to load resource: net::ERR_FAILED
Please provide a way to check these options.
First, your issue is that you are making client-side calls to DocuSign from a different domain which validated CORS policy which is a security concern.
(Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading of resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.)
Larry wrote extensively on this topic and here are some of the resources that can help.
Here is a three part series on the topic - https://www.docusign.com/blog/dsdev-building-single-page-applications-with-docusign-and-cors-part-1
Here is his code in GitHub showing you how to create a CORS gateway - https://github.com/docusign/blog-create-a-CORS-gateway
One other useful resource - https://www.cdata.com/kb/tech/docusign-odata-angularjs.rst
i'm trying use google drive API quickstart project inside electron. here's my sample project:
electron quickstart with google api
how it should works:
when click authorize button, it'll redirected to authUrl then we can copy the authorization key, insert the authorization key page to input with id 'key'
when i run from electron,its return following error:
D:\koding\electron-example\gdrive\node_modules\gaxios\build\src\gaxios.js:68 Refused to connect to 'https://oauth2.googleapis.com/token' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
how to resolve this?
answered from this post refused-to-load-the-script-because-it-violates-the-following-content-security
we need to specify which kind of address that will allowed by content security
I am trying to use passport to authenticate with Facebook but it is returning an error:
XMLHttpRequest cannot load https://www.facebook.com/v2.2/dialog/oauth?response_type=code&redirect_uri=…%2Fapi%2Fauth%2Ffacebook%2Fcallback&scope=email&client_id=1504988306431596. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
How can I fix this?
In my opinion the problem is that you have not set the app domain on the facebook API. Go to https://developers.facebook.com/apps/{your app ID}/settings/ and set "localhost" on the field "App domains" for it to work. Have you already done that?