I have an express app which is loading some external assets, but they're getting blocked by CSP. I've never had this issue before, but this is the first time im using passport.js and helmet.js within an app so maybe this has something to do with their configuration?
Refused to load the image 'https://fake-url.com' because it violates the following Content Security Policy directive: "img-src 'self' data:".
I've tried adding a meta tag to allow images from external sources but this seems to have no effect. Any help would be appreciated.
You have
content="default-src 'none'
This prevents loading resources from any source. Remove it.
Then change it to:
default-src 'self' fake-url.com';
More info bout the HTTP Content-Security-Policy response header below:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
https://content-security-policy.com/
Related
I'm working on an app which is using dhtmlxSuite 4.2 and I was working on refactoring our code base in order to support Content Security Policy. For now, we are removing the 'unsafe-inline' and we are using a nonce to secure inline scripts.
Could you please provide some information regarding dhtmlx suite 4.2, does it support CSP and if yes, how can I configure it to support CSP using nonce? I was looking over internet but I'm not able to find any relevant documentation for this version.
Our script-src directive in CSP header is:
script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-r4nd0m'
I'm using the following line to add the dhtmlx .js files to the code:
<script nonce="r4nd0m" src="/dhtmlx/dhtmlxWindows/codebase/dhtmlxwindows.js">
The nonce and src values are not relevant, I've added them just for this example.
Currently the following error shows in browser:
`[Report Only] Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'unsafe-eval' 'nonce-xk0G314zlbshNaCyRmCZfqZNr3N8EEG3ZYSUkRvnfSs=
dhtmlXCellObject._detachObject|#|dhtmlxcontainer.js:1010
dhtmlXCellObject.unloadView|#|dhtmlxcontainer.js:356
dhtmlXCellObject._unload|#|dhtmlxcontainer.js:547
dhtmlXWindows._winClose|#|dhtmlxwindows.js:874
dhtmlXWindows._winButtonClick|#|dhtmlxwindows.js:1719
dhtmlXWindows._winMouseDownHandler|#|dhtmlxwindows.js:998
obj.callEvent|#|VM2422 dhtmlxcommon.js:929
_winOnMouseDown|#|dhtmlxwindows.js:259`
My understanding is that dhtmlx in creating some inline events causing to be non compliant with CSP.
I'm expecting to find a way to have dhtmlx suite 4.2 compliant with CSP filter.
Below is some some extract from the dhtmlx code base where from he stack trace:
enter image description here
enter image description here
Thank you!
I am not able to load a video on my site which I am trying to load from Google Cloud:
In my Node.js server, I have the following to redirect the URL, after checking for its match:
if (url == "targetUrl") { //the URL I am trying to match
res.writeHead(301, {
Location: 'https://storage.googleapis.com/myCloudFolder/someVideo.mp4'
}).end();
}
My Content Security Policy for media-src is set in the header as:
"media-src 'self' https://storage.googleapis.com/myCloudFolder blob:;
I get the following errors in the browser's console when the video is loaded:
Refused to load media from '<URL>' because it violates the following Content Security Policy directive: "media-src 'self' <URL> blob:".
abc.def.com/:1 Refused to load media from 'https://storage.googleapis.com/myCloudFolder/someVideo.mp4'
because it violates the following Content Security Policy directive:
"media-src 'self' http://storage.googleapis.com/myCloudFolder blob:".
On the video element itself, the error displayed is:
The media could not be loaded, either because the server or network failed or because the format is not supported.
In the media-src, I tried by dropping the scheme (https://) as well as by using http, but the error persists.
My question is: What should I set the media-src to, to load the video from https://storage.googleapis.com/myCloudFolder
Your content-security policy should be
media-src 'self' https://storage.googleapis.com/myCloudFolder/ blob:
The trailing slash after myCloudFolder is needed to match all files in that folder. Without the trailing slash only the exact path is matched. See here.
I cannot succeed in including Vue 3 in a simple Chrome extension. I created a local folder within the extension with the
following structure and content
but I always get the following error message when I try to lead the library from any extension's pages:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Either the 'unsafe-inline' keyword, a hash ('sha256-NEG1aW1******'), or a nonce ('nonce-...') is required to enable inline execution.
I don't understand the issue. Any other library that I bundle directly inside the extension has always worked just fine, but this is not happening with Vue.
Does anyone have any idea?
Thanks!
I have ASP.NET Core application and i am using Telerik's UI for ASP.NET Core framework for certain widgets like Date, DropDownList, Charts etc.
Application is loading all javascripts, images, css from its own server. So i have enabled CSP policy as below
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
media-src 'none';
object-src 'none';
child-src https://xxxx.yyyy.com;
report-uri http://myapplication/csp/report;
However when the page load i see error in chrome's console
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
Either the 'unsafe-inline' keyword, a hash
('sha256-oii70XYoqukWS9204nbwatxgYOYcr06+rftc4egdfUk='), or a nonce
('nonce-...') is required to enable inline execution
this error is repeated for several Kendo widgets that i'm using on that page. For example date widget. In cshtml i have configured date as below
#(Html.Kendo().DatePicker()
.Name("sbDate")
.HtmlAttributes(new { #class = "mydate" }))
which gets render in html as
<input class="mydate" id="sbDate" name="sbDate" type="date" value="" /><script>jQuery(function(){jQuery("#sbDate").kendoDatePicker({"format":"M/d/yyyy","footer":false});});</script>
I have already gone through Telerik's suggestion here and here for CSP. And as per the suggestion i only i have to add unsafe-eval to get widgets working. However looks like that is not true. I also have to add unsafe-inline to get widgets working.
But the whole point of enabling CSP is to not allow inline scripts.
Questions
Is there any way to solve this issue?
Update 1
Widgets only works in IE 11 without adding unsafe-inline. In chrome and IE edge widget requires unsafe-inline to work.
The solution below might work (i have not tried yet)
1> Add Deferred method for each kendo widget. Like
#(Html.Kendo().DatePicker().Name("BeginDate").Deferred())
2> In each view that is using Kendo control, at the bottom add the script tag
<script asp-add-nonce="true">
#Html.Kendo().DeferredScripts(false)
</script>
Note that asp-add-nonce is not out of the box from asp.core. You have to install Joonasw.AspNetCore.SecurityHeaders nuget library. I found this article from the author that shows how to configure CSP for .net core application and also how to generate new nonce for each request.
3>Dont configure CSP policy in web.config because we need different nonce value for each request, instead configure the CSP policy using Joonasw.AspNetCore.SecurityHeaders middleware as mentioned in the article.
4>I thinks we don't need to add unsafe-inline if we use random nonce (unless you are targeting to older browsers)
I can't really tell if this would solve your issue, but in our Application, we are using the Deferring feature, but for other reasons. Our reason is that we load all scripts (esp. jquery.js) at the end of the page. But the side effect is that no jQuery script calls are rendered into the page anymore. You can control the place to generate all scripts by executing #Html.Kendo().DeferredScripts() (but you will find more help in the docs above). Anyway, probably in the context of CSP, even that <script> block at the very end of the page is still considered "inline". But give it a try.
The Zemanta Chrome Extension fails to load with the following error message
loader.js:13 Refused to load the script 'https://static.zemanta.com/widgets/blogger.com/merged-blogger.js?v=1451290656'
because it violates the following Content Security Policy directive:
"script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline'
'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com
*.googleapis.com uds.googleusercontent.com https://s.ytimg.com
www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com
www-blogger-opensocial.googleusercontent.com *.blogspot.com https://www.blogblog.com".
I have changed the content_securiy_policy line to the following, and reload the extension
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com https://*.zemanta.com; object-src 'self'"
Why is it that "https://*.zemanta.com" is not listed in the CSP directive in the error message above, and how can I make sure it is in the CSP?
It looks like an error thrown by a webpage with its own CSP, not inside your extension. So the CSP you set there has no effect.
It probably happens as a result of a content script trying to insert <script src="..."> into the page. That's subject to the page's CSP and can fail.
You can try to bypass the page's CSP by loading the script with XHR and inserting a <script> tag with the code included instead of src link. Note that this may fail at a later stage, since while the script will be executed this way, it will be subject to CSP in its own actions (so if it, say, tries to add a <script> tag as well, it will fail).
Alternatively, you could use webRequest API to intercept and modify the CSP header. That's risky since you're loosening the page's security in general.