electron-updater unable to parse latest.yml in artifacts of gitlab private repo - gitlab

I am trying to use Electron Updater with a GitLab Private Repository.
Main Electron File (partial):
const { autoUpdater } = require('electron-updater')

// Sent with every request to the feed URL; the token is read from the build environment
autoUpdater.requestHeaders = { 'PRIVATE-TOKEN': process.env.VUE_APP_GITLABSECRET }
autoUpdater.autoDownload = true
autoUpdater.setFeedURL({
  provider: 'generic',
  url: 'https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron?job=build'
})
autoUpdater.on('checking-for-update', function () {
  console.log('Checking for update...')
})
When I start the app I get this error message:
Error: Error: Cannot parse update info from latest.yml in the latest release artifacts (https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron/latest.yml?job=build): YAMLException: end of the stream or a document separator is expected at line 3, column 17:
<head prefix="og: http://ogp.me/ns#">
What is happening is that the server is responding with a string of HTML, which is the Gitlab login page.
If I curl (the header name and value must be one argument to --header):
curl --header 'PRIVATE-TOKEN: mygitlabprivatetoken' 'https://gitlab.com/SmellydogCoding/mchd-electronic-field-guide/-/jobs/artifacts/master/raw/dist_electron/latest.yml?job=build'
The server returns:
Header
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 19 Mar 2019 17:57:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 98
Cache-Control: no-cache
Location: https://gitlab.com/users/sign_in
Set-Cookie: _gitlab_session=da00cbc69f2d50ea4192f4e3002f84a9; path=/; secure; HttpOnly
X-Request-Id: dGkxtbboHy7
X-Runtime: 0.049129
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net
Body
<html><body>You are being redirected.</body></html>
It seems like I'm not authenticating properly. I'm really not sure what I'm doing incorrectly.

Related

curl response headers show on the browser not the cli

I wonder: when I request a URL, for example:
and inspect it with the dev tools, I can see a custom response header value set by the application,
x-powered-by: streamA
cache-control: public, max-age=1800
content-encoding: gzip
content-type: text/html; charset=utf-8
date: Thu, 28 Jul 2022 17:43:47 GMT
expect-ct: enforce; max-age=86400; report-uri=https://3697d3b054cce6a97c9c759c82571b41.report-uri.com/r/d/ct/enforce
feature-policy: autoplay 'none'; encrypted-media 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'; ambient-light-sensor 'none'; magnetometer 'none'; picture-in-picture 'none'; sync-xhr 'none'; usb 'none';
referrer-policy: no-referrer-when-downgrade
server: istio-envoy
vary: Accept-Encoding
via: 1.1 df153902fc47e450893ee30df220e710.cloudfront.net (CloudFront)
x-amz-cf-id: BMXC92lZlNdehRGC3hc_b9_ANQc8-M8aKFaaz8pwLx3HGpc2Ls5tHw==
x-amz-cf-pop: DUB56-P1
x-cache: RefreshHit from cloudfront
x-content-type-options: nosniff
x-envoy-upstream-service-time: 337
x-pf-trace-id: 8589755742930307890
**x-powered-by: StreamA**
x-xss-protection: 1; mode=block
When I curl the same URL, I don't see the custom response header value in the output.
I used curl --head http://urlhere
What did I miss in curl that makes it miss the custom header?

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".?

I'm trying to use an inline script in my project, and I keep getting this error:
'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hyQXPyDjuL7UGCz8hPIbJ2ZzKwE8uqNzvUJB9/9T6jc='), or a nonce ('nonce-...') is required to enable inline execution.'
I've viewed a bunch of other similar questions on here and they all say it has to do with a meta tag and to include something like this:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
but that doesn't make a difference. I've removed all the meta tags from my <head> and I still get the same error. Where could this issue possibly be coming from, other than the
<head>? I created my project with express-generator but can't find anything CSP-related in any of my files.
I'm completely lost on what's blocking the inline scripts. If I can provide any code please let me know, but seeing as I have no idea what's causing it, I don't know what code to provide.
The CSP directive is not set in a meta tag but in an HTTP response header.
Since you tagged the question with node.js and express, here's an example setting the CSP header in Express:
const express = require("express");
const app = express();
const port = 8080;

app.get("/", (req, res) => {
  res
    .set("Content-Security-Policy", "default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'")
    .send("<html><head></head><body></body></html>");
});

app.listen(port, () => {
  console.log("Listening on port %s", port);
});
Then you can see the CSP in the response headers:
curl -v http://localhost:8080
* Rebuilt URL to: http://localhost:8080/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Security-Policy: default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'
< Content-Type: text/html; charset=utf-8
< Content-Length: 39
< ETag: W/"27-ghawzGh2y9RPAcFY59/zgzzszUE"
< Date: Tue, 17 Nov 2020 00:01:04 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
<html><head></head><body></body></html>
The problem for me was the cheerio version. From 1.0.0-rc.12 to 1.0.0-rc.5, and it worked fine after that.

HTTP headers format using python's requests

I use Python requests to capture a website's HTTP headers. For example, this is a response header:
{'Connection': 'keep-alive',
 'Access-Control-Allow-Origin': '*',
 'cache-control': 'max-age=600',
 'Content-Type': 'text/html; charset=utf-8',
 'Expires': 'Fri, 19 Apr 2019 03:16:28 GMT',
 'Via': '1.1 varnish, 1.1 varnish',
 'X-ESI': 'on',
 'Verso': 'false',
 'Accept-Ranges': 'none',
 'Date': 'Fri, 19 Apr 2019 03:11:12 GMT',
 'Age': '283',
 'Set-Cookie': 'CN_xid=08f66bff-4001-4173-b4e2-71ac31bb58d7; Expires=Wed, 16 Oct 2019 03:11:12 GMT; path=/;, xid1=1; Expires=Fri, 19 Apr 2019 03:11:27 GMT; path=/;, verso_bucket=281; Expires=Sat, 18 Apr 2020 03:11:12 GMT; path=/;',
 'X-Served-By': 'cache-iad2133-IAD, cache-gru17122-GRU',
 'X-Cache': 'HIT, MISS',
 'X-Cache-Hits': '1, 0',
 'X-Timer': 'S1555643472.999490,VS0,VE302',
 'Content-Security-Policy': "default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; connect-src https: data: blob:; font-src https: data:; img-src https: data: blob:; media-src https: data: blob:; object-src https:; script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://l.com/csp/gq",
 'X-Fastly-Device-Detect': 'desktop',
 'Strict-Transport-Security': 'max-age=7776000; preload',
 'Vary': 'Accept-Encoding, Verso, Accept-Encoding',
 'content-encoding': 'gzip',
 'transfer-encoding': 'chunked'}
I noted that from several examples I tested, the headers I receive from requests are formatted as 'key':'value' (please note the single colons surrounding the key and the value). However, when I check the headers from Firefox -> Web Developer -> Inspector, and choose to view the header in raw format, I do not see commas:
HTTP/2.0 200 OK
date: Thu, 09 May 2019 18:49:07 GMT
expires: -1
cache-control: private, max-age=0
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000
content-encoding: br
server: gws
content-length: 55844
x-xss-protection: 0
x-frame-options: SAMEORIGIN
set-cookie: 1P_JAR=2019-05-09-18; expires=Sat, 08-Jun-2019 18:49:07 GMT; path=/; domain=.google.com
alt-svc: quic=":443"; ma=2592000; v="46,44,43,39"
X-Firefox-Spdy: h2
I need to know: does Python's requests module always add single colons? This is important for me, as I need to include/exclude them in the regex I use to analyze the headers.
The issue I think you are running into is that the response comes back as a dict instead of a value, as the Firefox inspector is giving you. When you do this you could get mixed results if one of the value pairs has a numeric or boolean value, so when doing your regex you may want to use a try/except if you can remove the exterior apostrophes, or just use the value given.
It's not the requests module that's adding the colons. Requests represents headers as a dict, but you seem to be treating them as a string. When Python converts dicts to strings, they get the colons, the commas, and the quotation marks.
The right fix for your program is probably to treat the dictionary as a dictionary, not convert it into a string. But if you really want the headers in string form, you should consider using a different tool, such as curl.

Content Security Issues with IdentityServer 4 upgrade to version 1.5

I upgraded my IdentityServer4 to version 1.5.1 and now have Content Security Policy errors. None of the solutions prescribed so far has worked for me.
I tried this
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.6/css/bootstrap.min.css; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com/ajax/jquery/jquery-2.2.0.min.js https://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.min.js">
but nothing worthwhile is happening
In the IdentityServer4 Samples, the class SecurityHeadersAttribute.cs is responsible for sending the right CSP headers. You should only add the domain name:
var csp = "default-src 'self';" +
          "img-src * 'self' data: https:;" +
          "style-src 'self' ajax.aspnetcdn.com;" +
          "font-src 'self' ajax.aspnetcdn.com;" +
          "script-src 'self' ajax.aspnetcdn.com;";
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}
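The difference between the question's meta tag and the answer's policy is how a source expression matches a URL: a host-source like ajax.aspnetcdn.com allows every script on that host over the page's scheme, while a source with a path (https://ajax.aspnetcdn.com/ajax/jquery/jquery-2.2.0.min.js) only matches that exact path, so a second library from the same CDN is blocked unless it is listed too. The matcher below is an added example, not IdentityServer4 sample code, and implements the CSP source-expression rules for the keyword, scheme and host forms (with 'self' simplified to an exact origin comparison). The page origin https://idp.example.test/ and the script URLs in the test are assumed.

```javascript
// Added example (not the IdentityServer4 sample): does a script-src policy allow a URL?
// Implements CSP source-expression matching for 'self', 'none', '*', scheme-sources
// and host-sources (optional scheme, wildcard host, port, exact or prefix path).
// Nonce and hash sources never match a URL load. The origin below is assumed.

// "script-src 'self' ajax.aspnetcdn.com; img-src *"  ->  { 'script-src': [...], 'img-src': ['*'] }
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// A source scheme of http: also permits https:, and ws: also permits wss:.
function schemeMatches(want, have) {
  if (want === have) return true;
  return (want === 'http:' && have === 'https:') || (want === 'ws:' && have === 'wss:');
}

// Does one source expression allow `url` on a page served from `origin`?
function sourceMatches(src, url, origin) {
  const u = new URL(url);
  const page = new URL(origin);
  const lower = src.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === page.origin;
  if (lower.startsWith("'")) return false;                       // 'unsafe-inline', 'nonce-…', 'sha256-…'
  if (lower === '*') return NETWORK_SCHEMES.has(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, u.protocol);  // scheme-source

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(\/.*)?$/i.exec(src);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol;  // no scheme: the page's scheme
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];

  if (!schemeMatches(scheme, u.protocol)) return false;

  const uhost = u.hostname.toLowerCase();
  if (host.startsWith('*.')) { if (!uhost.endsWith(host.slice(1))) return false; }
  else if (host !== uhost) return false;

  const uport = u.port || DEFAULT_PORT[u.protocol] || '';
  if (port === undefined) { if (uport !== DEFAULT_PORT[u.protocol]) return false; }
  else if (port !== '*' && port !== uport) return false;

  if (path) {
    if (path.endsWith('/')) { if (!u.pathname.startsWith(path)) return false; }  // directory prefix
    else if (u.pathname !== path) return false;                                  // exact file
  }
  return true;
}

// Is loading `url` as a script allowed by `policy` on a page at `origin`?
function scriptAllowed(policy, url, origin) {
  const p = parseCsp(policy);
  const sources = p['script-src'] || p['default-src'] || [];
  return sources.some((src) => sourceMatches(src, url, origin));
}
```

Run the answer's policy and the question's meta-tag policy through scriptAllowed for both CDN files and the difference is immediate: the host-only form admits jquery.validate.min.js, the full-URL form does not. Keep the host-only form to the specific CDN host rather than a wildcard; anything that can serve a script under an allowed host can run in the page.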

github api v3 update reference returns a 422 "Object does not exist"

For context, I'm trying to update a file through the GitHub API.
Everything was fine until I tried to update the reference.
According to the docs, below are the requests I forged and their returns.
If anyone has an idea: I could find nothing to make it work.
$ curl -i -XPATCH -d '{"sha": "69d0a253406585d8faf616ce3ae0ff2453b346d7"}' -H "Authorization: token AUTH-TOKEN" https://api.github.com/repos/Trax-air/TraxIT/git/refs/heads/ci-migrate-quay
HTTP/1.1 422 Unprocessable Entity
Server: GitHub.com
Date: Wed, 18 Nov 2015 14:08:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 128
Status: 422 Unprocessable Entity
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4948
X-RateLimit-Reset: 1447856141
X-OAuth-Scopes: gist, read:repo_hook, repo, user
X-Accepted-OAuth-Scopes:
X-GitHub-Media-Type: github.v3
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-GitHub-Request-Id: 4EC2914C:94AC:15486DB6:564C8671
{
"message": "Object does not exist",
"documentation_url": "https://developer.github.com/v3/git/refs/#update-a-reference"
}
I tried updating the reference by itself, and it worked:
$ curl -i -XPATCH -d '{"sha": "694973310d80edfe9ca08bd2fd5a06a6407b08ad"}' -H "Authorization: token AUTH-TOKEN" https://api.github.com/repos/Trax-air/TraxIT/git/refs/heads/ci-migrate-quay
HTTP/1.1 200 OK
Server: GitHub.com
Date: Wed, 18 Nov 2015 14:10:20 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 337
Status: 200 OK
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4947
X-RateLimit-Reset: 1447856141
Cache-Control: private, max-age=60, s-maxage=60
ETag: "25641a46e3d517196995aec80669dcd2"
X-OAuth-Scopes: gist, read:repo_hook, repo, user
X-Accepted-OAuth-Scopes:
Vary: Accept, Authorization, Cookie, X-GitHub-OTP
X-GitHub-Media-Type: github.v3
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-Served-By: c6c65e5196703428e7641f7d1e9bc353
X-GitHub-Request-Id: 4EC2914C:94AB:F33F280:564C86CC
{
"ref": "refs/heads/ci-migrate-quay",
"url": "https://api.github.com/repos/Trax-air/TraxIT/git/refs/heads/ci-migrate-quay",
"object": {
"sha": "694973310d80edfe9ca08bd2fd5a06a6407b08ad",
"type": "commit",
"url": "https://api.github.com/repos/Trax-air/TraxIT/git/commits/694973310d80edfe9ca08bd2fd5a06a6407b08ad"
}
}
I then tried to confirm my commit exists:
$ curl -i -XGET -H "Authorization: token AUTH-TOKEN" https://api.github.com/repos/Trax-air/TraxIT/git/commits/69d0a253406585d8faf616ce3ae0ff2453b346d7
HTTP/1.1 200 OK
Server: GitHub.com
Date: Wed, 18 Nov 2015 14:03:29 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1028
Status: 200 OK
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4950
X-RateLimit-Reset: 1447856141
Cache-Control: private, max-age=60, s-maxage=60
Last-Modified: Wed, 18 Nov 2015 11:58:58 GMT
ETag: "4823502d472e3b3fe873841fcd60d3c6"
X-OAuth-Scopes: gist, read:repo_hook, repo, user
X-Accepted-OAuth-Scopes:
Vary: Accept, Authorization, Cookie, X-GitHub-OTP
X-GitHub-Media-Type: github.v3
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-Served-By: 8a5c38021a5cd7cef7b8f49a296fee40
X-GitHub-Request-Id: 4EC2914C:94AA:AE467E1:564C8530
{
"sha": "69d0a253406585d8faf616ce3ae0ff2453b346d7",
"url": "https://api.github.com/repos/Trax-air/TraxIT/git/commits/69d0a253406585d8faf616ce3ae0ff2453b346d7",
"html_url": "https://github.com/Trax-air/TraxIT/commit/69d0a253406585d8faf616ce3ae0ff2453b346d7",
"author": {
"name": "traxbot",
"email": "traxbot#trax-air.com",
"date": "2015-11-18T11:58:58Z"
},
"committer": {
"name": "traxbot",
"email": "traxbot#trax-air.com",
"date": "2015-11-18T11:58:58Z"
},
"tree": {
"sha": "ca47cb13f520913e643b15e6d0776f38ba577091",
"url": "https://api.github.com/repos/Trax-air/TraxIT/git/trees/ca47cb13f520913e643b15e6d0776f38ba577091"
},
"message": "Updated api_gateway to 0.15",
"parents": [
{
"sha": "694973310d80edfe9ca08bd2fd5a06a6407b08ad",
"url": "https://api.github.com/repos/Trax-air/TraxIT/git/commits/694973310d80edfe9ca08bd2fd5a06a6407b08ad",
"html_url": "https://github.com/Trax-air/TraxIT/commit/694973310d80edfe9ca08bd2fd5a06a6407b08ad"
}
]
}
This may be due to caching.
I asked GitHub support and here is their answer:
Thanks for reaching out. The commit in question
(69d0a253406585d8faf616ce3ae0ff2453b346d7) doesn't exist in that repository,
so you're not allowed to update the branch to point to it.
As far as I can tell, it did exist in the repository at some point, but was pruned
because it was no longer reachable. I think the API was telling you that it still exists
in the repository due to caching.
I just cleared our caches and I think you should see that it's no longer available
if you try to fetch that commit. I'm sorry for the confusion about that --
I'll ask the team to investigate why this caching problem happened.
This solved it for me:
'{"sha": "new_sha", "force": true }'
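The two answers describe two different refusals that the same endpoint can give. A non-force update of a reference needs two things: the object must exist in the repository (the support reply explains the 422 in the question as a pruned commit), and the new commit must have the reference's current commit as an ancestor, that is, the move must be a fast-forward. "force": true waives only the second condition and cannot bring back a pruned object; it also makes any commits on the old line unreachable, which is why it should not be the default. The block below is an added example, not code from the question or the answers: it models both checks over a small commit graph built from the two shas shown in the question plus one invented divergent commit, and produces the request body the API expects.

```javascript
// Added example (not from the question or answers): decide what a
// PATCH /repos/:owner/:repo/git/refs/:ref will do before sending it.
// The commit graph is constructed from the shas in the question; the commit
// 1111... is invented to give the graph a second branch.

// Minimal object store: sha -> { parents: [sha] }. A sha missing from the map is
// the situation GitHub reported as "Object does not exist".
const REPO = new Map([
  ['694973310d80edfe9ca08bd2fd5a06a6407b08ad', { parents: [] }],
  ['69d0a253406585d8faf616ce3ae0ff2453b346d7', { parents: ['694973310d80edfe9ca08bd2fd5a06a6407b08ad'] }],
  // assumed: a second child of 6949..., diverging from 69d0...
  ['1111111111111111111111111111111111111111', { parents: ['694973310d80edfe9ca08bd2fd5a06a6407b08ad'] }],
]);

function objectExists(repo, sha) {
  return repo.has(sha);
}

// Is `ancestor` reachable from `sha` by walking parents? (sha itself counts.)
function isAncestor(repo, ancestor, sha) {
  const seen = new Set();
  const stack = [sha];
  while (stack.length) {
    const cur = stack.pop();
    if (cur === ancestor) return true;
    if (seen.has(cur) || !repo.has(cur)) continue;
    seen.add(cur);
    stack.push(...repo.get(cur).parents);
  }
  return false;
}

// Plan a reference update from currentSha to newSha. Returns either a refusal
// with the reason, or the JSON body to send.
function planRefUpdate(repo, currentSha, newSha, { force = false } = {}) {
  if (!objectExists(repo, newSha)) {
    // No flag fixes this: the object has to be pushed (or re-created) first.
    return { ok: false, reason: 'object-does-not-exist' };
  }
  const fastForward = isAncestor(repo, currentSha, newSha);
  if (!fastForward && !force) {
    return {
      ok: false,
      reason: 'not-a-fast-forward',
      hint: 'pass force: true only if abandoning the commits on the old line is intended',
    };
  }
  const body = force ? { sha: newSha, force: true } : { sha: newSha };
  return { ok: true, fastForward, body: JSON.stringify(body) };
}
```

The body string is what goes into curl -d; the check is cheap enough to run on every automated ref update so a bot never forces a branch by accident.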
