I'm trying to use an inline script in my project, and I keep getting this error:
'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hyQXPyDjuL7UGCz8hPIbJ2ZzKwE8uqNzvUJB9/9T6jc='), or a nonce ('nonce-...') is required to enable inline execution.'
I've viewed a bunch of other similar questions on here and they all say it has to do with a meta tag and to include something like this:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
but that doesn't make a difference, I've removed all the meta tags from my <head> and I still get the same error. where could this issue possibly be coming from other than the
<head> ? ive created my project with the express-generator but i cant find anything CSP in any of my files.
I'm completely lost on what's blocking the inline scripts, if I can provide any code please let me know but seeing as I have no idea what's causing it, i dont know what code to provide
The CSP directive is not set in meta tag but in HTTP header.
Sice you marked the question with node.js and express tags, here's an example setting the CSP header in express:
const express = require("express");
const app = express();
const port = 8080;
app.get("/", (req, res) => {
res
.set("Content-Security-Policy", "default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'")
.send("<html><head></head><body></body></html>");
})
app.listen(port, () => {
console.log("Listening on port %s", port);
});
Then you can see the CSP in the response headers:
curl -v http://localhost:8080
* Rebuilt URL to: http://localhost:8080/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Security-Policy: default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'
< Content-Type: text/html; charset=utf-8
< Content-Length: 39
< ETag: W/"27-ghawzGh2y9RPAcFY59/zgzzszUE"
< Date: Tue, 17 Nov 2020 00:01:04 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
<html><head></head><body></body></html>
The problem for me was the cheerio version. From 1.0.0-rc.12 to 1.0.0-rc.5 and worked fine after.
Related
So, I am trying to obtain images from an API, doing like this:
fetch(callUrl, {method:'GET',
headers: {'Authorization': 'Basic ' + btoa('___')}})
.then(r => r.blob())
.then(bl => {
const imageObjectURL = URL.createObjectURL(bl);
$('<img/>',{src:imageObjectURL})
On IIS, I have :
<system.webServer>
<cors enabled="true">
<add origin="_mysite_"
allowCredentials="true"
maxAge="120">
<allowHeaders allowAllRequestedHeaders="true" />
</add>
</cors>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self' http://mysite:* blob: data:; img-src 'self' http://mysite:* data: http: https: blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mysite:*;style-src 'self' 'unsafe-inline';frame-src *" />
</customHeaders>
</httpProtocol>
</system.webServer>
Which results in a header being received:
Content-Security-Policy: default-src 'self' http://mysite:* blob: data:; img-src 'self' http://mysite:* data: http: https: blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mysite:*;style-src 'self' 'unsafe-inline';frame-src *
Nevertheless, Chrome tells me:
Refused to load the image 'blob:http://gdcvmas163/bfece579-fe7c-49f7-99ef-9773b592acd3' because it violates the following Content Security Policy directive: "img-src 'self' data: https:".
Which to me seems like it doesnt read the header at all.
What is going on/ what am I missing?
Try to use below sample setting in your web.config. I know you want use http://mysite:*.
<add name="Content-Security-Policy" value="worker-src blob:; child-src blob: gap:; img-src 'self' blob: data:; default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:" />
If it works, it means that the format or writing of our CSP value value is incorrect.
Please comment all the settings about CSP, and we can create a new html for test and add <meta> tag for test, until it works well.
<meta http-equiv="Content-Security-Policy"
content="
worker-src blob:;
child-src blob: gap:;
img-src 'self' blob: data:;
default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:">
I am trying to use Electron Updater with a GitLab Private Repository.
Main Electron File (partial):
autoUpdater.requestHeaders = { 'PRIVATE-TOKEN': process.env.VUE_APP_GITLABSECRET }
autoUpdater.autoDownload = true
autoUpdater.setFeedURL({
provider: 'generic',
url: 'https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron?job=build'
})
autoUpdater.on('checking-for-update', function () {
console.log('Checking for update...')
})
When I start the app I get this error message:
Error: Error: Cannot parse update info from latest.yml in the latest release artifacts (https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron/latest.yml?job=build): YAMLException: end of the stream or a document separator is expected at line 3, column 17:
<head prefix="og: http://ogp.me/ns#">
What is happening is that the server is responding with a string of HTML, which is the Gitlab login page.
If I curl
--header 'PRIVATE-TOKEN': 'mygitlabprivatetoken' https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron/latest.yml?job=build
The server returns:
Header
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 19 Mar 2019 17:57:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 98
Cache-Control: no-cache
Location: https://gitlab.com/users/sign_in
Set-Cookie: _gitlab_session=da00cbc69f2d50ea4192f4e3002f84a9; path=/; secure; HttpOnly
X-Request-Id: dGkxtbboHy7
X-Runtime: 0.049129
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net
Body
<html><body>You are being redirected.</body></html>
It seems like i'm not authenticating properly. I'm really not sure what i'm doing incorrectly.
To use Google fonts in IdentityServer3, the following Content-Security-Policy never worked:
<meta http-equiv="Content-Security-Policy"
content=" style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' 'unsafe-inline' https://fonts.gstatic.com data:">
Instead we configured the CspOptions in the idsrvApp.UseIdentityServer constructor which did work:
CspOptions = new CspOptions {
FontSrc = "https://fonts.gstatic.com",
StyleSrc = "https://fonts.googleapis.com",
Enabled = true
}
How can we configure CspOptions in IdentityServer4? I'm having trouble finding it.
For anyone else who gets stuck, the SecurityHeadersAttribute.cs file that comes with the IdentityServer4 quickstart files needs to be modified. Appending the following lines fixed it:
var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
// These two lines enable google fonts
csp += "font-src 'self' https://fonts.gstatic.com;";
csp += "style-src 'self' https://fonts.googleapis.com;";
The file is located in quickstart/SecurityHeadersAttribute.cs
The goal is to setup special rules for svg files,
server {
add_header Content-Security-Policy "default-src 'none'; child-src https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; frame-src https://www.youtube.com; img-src 'self'; media-src 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com";
location ~ \.svg$ {
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'";
}
}
for the 1st rule, we can do
ctx.response.set('Content-Security-Policy', 'default-src ...');
How about the 2nd line for the svg files.
Just use regular expression
const svgPattern = /.+\.svg$/;
if (filename.test(svgPattern)) {
// add required header
}
I upgraded my Identityserver 4 to version 1.5.1 and now have content security policy errors.None of the solutions presribed so far has worked for me
I tried this
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.6/css/bootstrap.min.css; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com/ajax/jquery/jquery-2.2.0.min.js https://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.min.js">
but nothing worthwhile is happening
In the IdentityServer4 Samples, the class SecurityHeadersAttribute.cs is responsible for sending the right CSP headers. You should only add the domain name:
var csp = "default-src 'self';" +
"img-src * 'self' data: https:;" +
"style-src 'self' ajax.aspnetcdn.com;" +
"font-src 'self' ajax.aspnetcdn.com;" +
"script-src 'self' ajax.aspnetcdn.com;"
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}