Content-Security-Policy for local resources - content-security-policy

I am trying to deploy a web application in my local using apache tomcat as a container.
I got a simple page with following in head section:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<link rel="stylesheet" href="pure-min.css">
<link rel="stylesheet" href="styles.css">
<script src="app.js"></script>
and when I try to open the page on safari 14 I got error
Refused to load http://localhost:8080/webapp/app.js because it does not appear in the script-src directive of the Content Security Policy.
I have read the documentation here and it looks like 'self' would be enough to load my own resources (for both CSS and JavaScript). What am I doing wrong?
thanks

It can be one of 2 issues:
1. The 'self' token does not cover localhost:8080 (with port number) in Safari. But in this case you should additionally have the 2 CSS files blocked, not the JS only. To fix it, just add localhost:8080 to the default-src directive.
2. Your Apache Tomcat server publishes a default CSP via an HTTP header. In this case you can't mitigate the CSP using the meta tag and have to modify the CSP response HTTP header.
Check whether you have a CSP HTTP header published; a tutorial is here.
Is this error observed in Safari browser only? What about Chrome/Firefox?

Related

problem in Content Security Policy for external scripts

I want access to these scripts:
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/axios/0.21.1/axios.min.js"></script>
<script src="https://api.mapbox.com/mapbox-gl-js/v2.1.1/mapbox-gl.js"> </script>
and this stylesheet:
<link rel="stylesheet" href="https://api.mapbox.com/mapbox-gl-js/v2.1.1/mapbox-gl.css">
but I have some kind of errors like this:
Refused to load the script 'https://js.stripe.com/v3/' because it violates the following Content Security Policy directive: "script-src https://cdnjs.cloudflare.com https://api.mapbox.com 'self' blob:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I use a meta tag to access all websites with all assets, but it doesn't work:
<meta http-equiv="Content-Security-Policy" content="default-src https:">
When I changed the version of my axios it worked for me; on that version it is not working. So go to the src of your axios file and change it to another version.

Content Security Policy meta tag within sandboxed iframe not working in Safari (14.0.2)

I'm trying to embed a page whose Content Security Policy does not seem to be respected in Safari, but does work in Chrome, Firefox, Edge, Brave. The embed looks like this:
<iframe src="https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/" sandbox="allow-scripts"></iframe>
The embedded page looks like this, and contains a CSP meta tag:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
<title>test</title>
<meta charset="utf-8">
</head>
<body>
<script src="test.js"></script>
</body>
</html>
The CSP should dictate that the page can load resources from its own origin, as well as inline scripts. However, when I try to load the iframe in Safari, I get an error claiming the path to the script does not match the default-src directive:
Refused to load https://cloudflare-ipfs.com/ipfs/QmUiDhFZeFnJvHgxGbwPucT8kyZvAzBsFFA12vPNxfsP6u/test.js because it appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
The response headers for the embedded page look like this:
[image: response headers]
Here is a simple jsfiddle demonstrating the issue: https://jsfiddle.net/4hLdygm9/1/
Thanks in advance!
UPDATE:
I have opened an issue on the WebKit Bugzilla and it has been confirmed to be a bug:
https://bugs.webkit.org/show_bug.cgi?id=223848

CSP for embedding youtube video

I've just started seeing this with my embedded youtube videos on Chrome (86.0.4240.193 - recently updated which is probably why I'm just seeing this) - these are 'reports' only, so the videos still show but 100s of errors can't be right! This is what I'm seeing:
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'strict-dynamic' 'unsafe-inline' https: 'report-sample' 'nonce-t9IE7nI2leo7qKxsm7d80g=='".
Here's my iFrame --
<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen ></iframe>
I cannot figure out what the CSP should be -- here's one that I found that apparently solved their problem --
<iframe id="video-iframe" width="500" height="281" src="https://www.youtube.com/embed/HIDDENVIDEO" frameborder="0" allowfullscreen csp="script-src 'self' https://www.google-analytics.com/ https://www.youtube.com/ https://s.ytimg.com/; object-src 'self'; child-src https://www.youtube.com/* https://s.ytimg.com/"></iframe>
Not so much -- I just see: Refused to display....
Any help much appreciated.
I just checked the developers.google.com/youtube/iframe_api_reference#Examples page and I'm seeing the same thing -- surely this shouldn't be happening, right?
As you can see, this error is not triggered by your CSP - yours does not have the 'nonce-t9IE7nI2leo7qKxsm7d80g==' token. This error appears within Google's <iframe> and it's totally Google's internal deal.
The fact is that several previous versions of Chrome had a bug and did not block eval expressions.
In version 86 Chrome, they fixed this bug, and to verify this, they set the Report-Only header and made a fake call to eval to see reports.
CSP for YouTube is very simple and does not require 'unsafe-eval', because everything works within an isolated iframe:
frame-src youtube.com www.youtube.com; is enough to allow YouTube in an iframe.
By the way, your CSP has an error - the * is not allowed in the path part. And be careful with <iframe csp= - if the server does not agree with your CSP, the content will be blocked.
But this <iframe csp= played a role because of one more Chrome bug - it ignores Content-Security-Policy-Report-Only if a Content-Security-Policy header is present.
I was able to get my embedded videos working using a meta tag in the <head>
<meta http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src https://*; child-src 'none'; frame-src youtube.com https://www.youtube.com;">
Add the https:// to www.youtube.com.
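The three matching rules these threads turn on are that 'self' compares scheme, host and port, that a directive such as script-src-elem or frame-src falls back along a fixed chain (script-src-elem to script-src to default-src, frame-src to child-src to default-src), and that a malformed source such as a * in the path is dropped, as the answer above states. The following is an added Python example, not code from any of the posts, implementing a simplified version of the CSP3 source-matching algorithm; it omits nonces, hashes, 'strict-dynamic' and the http-to-https relaxation of 'self', and every page origin and URL used with it is made up.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Fallback chains: the first directive actually present in the policy governs the load.
FALLBACK = {"script-src-elem": ["script-src", "default-src"], "script-src": ["default-src"],
            "style-src": ["default-src"], "frame-src": ["child-src", "default-src"], "child-src": ["default-src"]}
# host-source = [scheme://] host [:port] [path]  (simplified CSP3 grammar; a '*' inside the path is rejected)
HOST_SRC = re.compile(r"^(?:([a-z][a-z0-9+.-]*)://)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
                      r"(?::(\d+|\*))?(/[^?#*]*)?$", re.I)

def parse_csp(policy):
    # "default-src 'self'; img-src https:" -> {"default-src": ["'self'"], "img-src": ["https:"]}
    parsed = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])   # a repeated directive is ignored
    return parsed

def governing(parsed, directive):
    # Name of the directive that applies after fallback, or None if no applicable directive is set.
    return next((n for n in [directive] + FALLBACK.get(directive, []) if n in parsed), None)

def _parts(url):
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower()), u.path or "/"

def source_matches(expr, url, self_origin):
    # Does one source expression allow a page at self_origin to fetch url?
    scheme, host, port, path = _parts(url)
    if expr.startswith("'"):                      # 'self' = same scheme, host AND port; other keywords never match a URL
        return expr == "'self'" and (scheme, host, port) == _parts(self_origin)[:3]
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", expr, re.I):
        return scheme == expr[:-1].lower()        # scheme-source such as https:
    if not (m := HOST_SRC.match(expr)):
        return False                              # malformed source: browsers drop it from the list
    s_scheme, s_host, s_port, s_path = m.groups()
    if (s_scheme.lower() != scheme) if s_scheme else (scheme not in (_parts(self_origin)[0], "https")):
        return False                              # schemeless host: page's own scheme, or https for an http page
    if not (s_host == "*" or (s_host.startswith("*.") and host.endswith(s_host[1:].lower())) or s_host.lower() == host):
        return False
    if s_port != "*" and port != (int(s_port) if s_port else DEFAULT_PORTS.get((s_scheme or scheme).lower())):
        return False
    return not s_path or (path.startswith(s_path) if s_path.endswith("/") else path == s_path)

def allows(policy, directive, url, self_origin):
    # True if the policy lets a page at self_origin load url under the given fetch directive.
    name = governing(parsed := parse_csp(policy), directive)
    return name is None or any(source_matches(e, url, self_origin) for e in parsed[name])
```

Under these rules a page served from http://localhost:8080 may load its own app.js with default-src 'self' alone, so the Safari refusal in the first question is browser-specific behaviour rather than what the policy says.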

how to set X-Frame-Options for local file

I created a web browser in python3 with pygobject (gtk3 and webkit2) and I want to create a home page that includes Google. I created an HTML file with an iframe but I see the error:
Refused to display 'https://www.google.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
How can I set X-Frame-Options? All the solutions on the web are a configuration on a local server, but I don't have a local server.
Here is my home page
<!DOCTYPE html>
<html>
<head>
<title>(Nouvelle page)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<iframe src="https://www.google.com/"></iframe>
</body>
</html>
This is not something you can fix locally, unfortunately.
There is a similar question here: https://stackoverflow.com/a/8700754/2773979
The problem isn't that your page is missing that header, it is that Google sets this header precisely to prevent people from embedding the site into an iframe. Browsers comply with this by refusing to load/display the content of the iframe.
Note that there are solutions, like proxying the google page, but those are probably against the terms of service.

Content security policy header - both upgrade insecure requests and report the events

What I'm trying to achieve: Both upgrade all HTTP requests within the page to HTTPS and report/log the events.
The server supports both HTTP and HTTPS.
Test HTML page. Note the hardcoded HTTP protocol in <img>
<html>
<head>
</head>
<body>
<img src="http://example.com/testimage.png" />
</body>
</html>
According to the W3C documentation, I set up my .htaccess like this:
Header set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
Header set Content-Security-Policy-Report-Only "default-src https:; report-uri https://report-uri.io/report/..."
When I call https://example.com/testpage.html, it loads the image over HTTPS but doesn't report the event.
What am I missing?
I'm not sure if upgrade-insecure-requests or block-all-mixed-content will generate events, because they prevent the bad events from happening in the first place.
I could be wrong about the reasoning, but I do know block-all-mixed-content does not generate violations.
For block-all-mixed-content, it explicitly will not send a report. From https://www.w3.org/TR/mixed-content/#strict-opt-in:
This directive has no effect when monitored. This directive's only effect is to set a policy flag on the protected resource; it will therefore never be violated, and has no reporting requirements.
