I have just applied a Content Security Policy to my Azure Web App in my development environment and it is working fine.
I can also upload it to my staging site on Azure and it runs fine there and the policy is correctly applied and then enforced by my browser. However, when I do a swap, I get the following error:
Cannot swap slots for site 'MySite' because the worker process in 'staging' slot aborted the warmup request. This may happen if site has IP Restriction or URL rewrite rules that block HTTP requests.
Here is the policy that I am applying (as defined in my web.config):
<add name="Content-Security-Policy"
value="default-src 'none';
script-src 'self' https: 'unsafe-inline' 'unsafe-eval';
style-src 'self' https: 'unsafe-inline';
img-src 'self' https: 'unsafe-inline' data: blob:;
connect-src 'self' https:;
font-src 'self' https:;
object-src 'none';
media-src 'self';
child-src 'self';
form-action 'self';
frame-ancestors 'none'"/>
What is the problem?
Azure doesn't like the carriage returns in the Content-Security-Policy value in the web.config.
If you examine the web.config using the App Service Editor (that is available through the Azure Portal) then you will see the carriage returns have been encoded and turned into
This creates the following invalid CSP, which is why the swap is breaking:
default-src 'none';
script-src 'self' https:
'unsafe-inline' 'unsafe-eval';
style-src 'self' https:
'unsafe-inline';
img-src 'self' https: 'unsafe-inline'
data: blob:;
connect-src 'self' https:;
font-src 'self' https:;
object-src 'none';
media-src 'self';
child-src 'self';
form-action 'self';
frame-ancestors 'none'
In short, we need to enter our CSPs all on one line, which reduces the readability but is required for Azure to swap.
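As an added example (not part of the question or the answer above), the following script shows what "all on one line" means mechanically: it collapses a multi-line header value like the web.config one into the single-line form an HTTP header field requires (a header value may not contain bare CR or LF), and lists the problems a reviewer would check for before deploying the policy. The policy text is the one from the question; the check for ignored keyword sources is an extra the answer does not mention.

```javascript
// Added example, not from the original question or answer: normalize a
// multi-line Content-Security-Policy value into the single-line form an HTTP
// header needs and report problems a reviewer would look for.

const CR_LF = /[\r\n]/;

// Directives in which 'unsafe-inline' / 'unsafe-eval' have an effect; in any
// other directive (e.g. img-src) browsers simply ignore them.
const UNSAFE_INLINE_OK = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr',
]);
const UNSAFE_EVAL_OK = new Set(['default-src', 'script-src']);

// Collapse every run of whitespace (line breaks included) into one space and
// tidy the spacing around the ';' directive separators.
function normalizeCsp(value) {
  return value
    .replace(/\s+/g, ' ')
    .replace(/\s*;\s*/g, '; ')
    .replace(/;\s*$/, '')
    .trim();
}

// Parse a policy into an ordered list of [directive, sources[]] pairs.
function parseCsp(policy) {
  return policy
    .split(';')
    .map((d) => d.trim())
    .filter(Boolean)
    .map((d) => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    });
}

// Return a list of problems with a header value; an empty list means the value
// can go into web.config (or any other header source) as-is.
function checkCspHeaderValue(value) {
  const problems = [];
  if (CR_LF.test(value)) {
    problems.push('header value contains CR/LF; put the policy on one line');
  }
  const seen = new Set();
  for (const [name, sources] of parseCsp(value)) {
    if (seen.has(name)) problems.push(`duplicate directive ${name} (only the first is used)`);
    seen.add(name);
    for (const src of sources) {
      if (src === "'unsafe-inline'" && !UNSAFE_INLINE_OK.has(name)) {
        problems.push(`${src} has no effect in ${name}`);
      }
      if (src === "'unsafe-eval'" && !UNSAFE_EVAL_OK.has(name)) {
        problems.push(`${src} has no effect in ${name}`);
      }
    }
  }
  return problems;
}

// Constructed input: the multi-line web.config value from the question.
const multiLine = `default-src 'none';
script-src 'self' https: 'unsafe-inline' 'unsafe-eval';
style-src 'self' https: 'unsafe-inline';
img-src 'self' https: 'unsafe-inline' data: blob:;
connect-src 'self' https:;
font-src 'self' https:;
object-src 'none';
media-src 'self';
child-src 'self';
form-action 'self';
frame-ancestors 'none'`;

const singleLine = normalizeCsp(multiLine);
console.log(singleLine);
console.log(checkCspHeaderValue(multiLine));   // CR/LF problem plus the img-src keyword
console.log(checkCspHeaderValue(singleLine));  // only the img-src keyword remains
```

Running it prints the one-line policy to paste into web.config, flags the line breaks in the original, and also points out that 'unsafe-inline' in img-src does nothing (it only applies to script and style directives), so the policy can be tightened at the same time.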
This line in manifest 3
"content_security_policy": {
"extension_pages": "script-src 'self'; script-src-elem 'self' https://apis.google.com; object-src 'self';"
},
Gives me the error:
Refused to load the script 'https://apis.google.com/js/api.js?onload=__iframefcb41660' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I'm using the Google API for authentication with Firebase. In manifest v2 all was fine.
You cannot use external scripts in manifest V3; everything should be inside the extension.
Try using a fetch() if it's an API endpoint.
I'm creating a web extension and I need to use Google reCAPTCHA in it. But when I try to import the library I get an error:
Refused to load the script 'https://www.google.com/recaptcha/api.js?onload=onloadcallback&render=explicit' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I tried to set my script-src to authorize requests to https://www.google.com:
"content_security_policy": {
"extension_pages": "script-src 'self' 'https://www.google.com'; object-src 'self'"
},
but I got an error:
'content_security_policy.extension_pages': Insecure CSP value "'https://www.google.com'" in directive 'script-src'.
Is it still possible to use an external script with manifest v3, and if yes, what should I do?
I am trying to route the data of a web service that has a REST API: http://demo.akeneo.com/api/rest/v1/categories
I am using Azure API Management Service for this. I have created an Azure API Management service and a blank API for it, and a GET method for this. While testing this API I am facing an error as follows:
HTTP/1.1 401 Unauthorized
cache-control: max-age=0, must-revalidate, no-store, private
content-security-policy: default-src 'self' *.akeneo.com 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'nonce-07f41c14e74157aff6fa6296dac0027c13e46705'; img-src 'self' data: ; frame-src * ; font-src 'self' data:
content-type: application/json
date: Tue, 12 May 2020 07:05:18 GMT
expires: Tue, 12 May 2020 07:05:18 GMT
ocp-apim-trace-location: https://apimst3v04xlapwxf3c99avt.blob.core.windows.net/apiinspectorcontainer/9kvUzyqpMfhQQii4nn7e49QLxiE1-16?sv=2018-03-28&sr=b&sig=e9ETEXuY0pbzxyM%2FLBsJiidcrVL%2BROf1FnZ9652IDfw%3D&se=2020-05-13T07%3A05%3A18Z&sp=r&traceId=ba521452333d475b95521351d7ac19f3
pragma: no-cache
transfer-encoding: chunked
vary: Origin
www-authenticate: Bearer realm="Service", error="access_denied", error_description="OAuth2 authentication required"
x-content-security-policy: default-src 'self' *.akeneo.com 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'nonce-07f41c14e74157aff6fa6296dac0027c13e46705'; img-src 'self' data: ; frame-src * ; font-src 'self' data:
x-frame-options: sameorigin
x-webkit-csp: default-src 'self' *.akeneo.com 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'nonce-07f41c14e74157aff6fa6296dac0027c13e46705'; img-src 'self' data: ; frame-src * ; font-src 'self' data:
{
"error": "access_denied",
"error_description": "OAuth2 authentication required"
}
When I change my security to OAuth 2.0, it says "No OAuth 2.0 servers were configured."
Can anyone please help with how to configure the OAuth 2.0 servers? Also, is the method I am using in Azure API Management Service to GET the data of the REST API correct? If there is some other workaround, please specify.
Regarding how to configure the OAuth 2.0 Server, please refer to this guide.
Configure an OAuth 2.0 authorization server in API Management.
Blob images aren't showing via JavaScript because of the Content Security Policy in Waterfox 56:
Content Security Policy: The page’s settings blocked the loading of a resource at blob:http://localhost/1e511fde-fb52-41fc-b7db-6b8b6cf64171 (“img-src http://localhost data:”).
My image CSP:
img-src \'self\' data:;
Self-answered, see below.
Adding blob: resolves the issue; only use a space for the array delimiter (and semicolons for the key/value pair delimiters):
Before:
img-src \'self\' data:;
After:
img-src \'self\' blob: data:;
Chrome is giving me the following error:
Refused to load the script 'http://domain.com/myexternalscript.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'"
Currently, in my manifest my Content Security Policy is as follows:
"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
How do I alter my security policy so that it can allow the script to run?
On a normal page, you could use
script-src 'self' 'unsafe-eval' domain.com; ...
but extensions only allow external scripts over HTTPS. You'll need to use
script-src 'self' 'unsafe-eval' https://domain.com;
and serve your script over HTTPS.
You must whitelist each external domain you want to use. You can use wildcards to match any subdomain: https://*.domain.com.
See Google's extension documentation on relaxing the default CSP for more information. See also MDN's page Using Content Security Policy.
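As an added example, not code from any of the posts above, the following CSP source-list matcher answers the question the browser errors in this thread keep raising: would this URL be allowed by this directive? It shows why blob: URLs on an http page are not covered by 'self' (the Waterfox answer), why an http:// script is rejected by a policy listing https://domain.com and why https://*.domain.com matches subdomains only (the Chrome extension answer), and how script-src-elem falls back to script-src when it is not set (the notes in the errors quoted earlier). Assumptions: the extension ID in the sample page URL is made up, host sources are matched without their path component, and a source without an explicit port only matches the scheme's default port.

```javascript
// Added example, not from any of the posts above: a small CSP source-list
// matcher. Path matching and default-port handling are simplified on purpose.

// Fallback chains for directives that inherit from a broader one.
const FALLBACK_CHAIN = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src-attr': ['style-src-attr', 'style-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

// host-source: [scheme://]host[:port][/path]; host may be * or *.example.com
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9._-]+)(?::(\d+|\*))?(\/.*)?$/;

// First occurrence of a directive wins, as in browsers.
function parseDirectives(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Which directive actually governs a load of the given type (null = none).
function effectiveDirective(directives, name) {
  const chain = FALLBACK_CHAIN[name] || [name, 'default-src'];
  return chain.find((d) => directives.has(d)) || null;
}

// Scheme sources: http: also matches https, ws: also matches wss.
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme ||
    (srcScheme === 'http' && urlScheme === 'https') ||
    (srcScheme === 'ws' && urlScheme === 'wss');
}

// *.example.com matches subdomains only, never example.com itself.
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

function portMatches(srcPort, urlPort) {
  if (srcPort === undefined) return urlPort === '';  // assumption: default port only
  if (srcPort === '*') return true;
  return srcPort === urlPort;
}

function sourceMatches(source, url, pageUrl) {
  const u = new URL(url);
  const page = new URL(pageUrl);
  const s = source.toLowerCase();
  const urlScheme = u.protocol.slice(0, -1);
  if (s.startsWith("'")) {
    // Keyword sources: only 'self' can match a URL, and it requires the same
    // scheme, so a blob: URL is never covered by 'self' on an http page.
    return s === "'self'" && u.protocol === page.protocol && u.host === page.host;
  }
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), urlScheme);
  const m = HOST_SOURCE.exec(s);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  // A host source without a scheme takes the page's scheme.
  const schemeOk = schemeMatches(scheme || page.protocol.slice(0, -1), urlScheme);
  return schemeOk && hostMatches(hostPattern, u.hostname) && portMatches(port, u.port);
}

// Returns whether the URL is allowed and which directive made the decision.
function checkUrl(policy, directiveName, url, pageUrl) {
  const directives = parseDirectives(policy);
  const governing = effectiveDirective(directives, directiveName);
  if (!governing) return { allowed: true, directive: null };  // policy is silent
  const allowed = directives.get(governing).some((src) => sourceMatches(src, url, pageUrl));
  return { allowed, directive: governing };
}

// Constructed inputs, modelled on the situations in the posts above.
const blobImage = 'blob:http://localhost/1e511fde-fb52-41fc-b7db-6b8b6cf64171';
console.log(checkUrl("img-src 'self' data:", 'img-src', blobImage, 'http://localhost'));
console.log(checkUrl("img-src 'self' blob: data:", 'img-src', blobImage, 'http://localhost'));

// Hypothetical extension page; the extension ID is made up.
const extPage = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html';
console.log(checkUrl("script-src 'self' 'unsafe-eval'; object-src 'self'", 'script-src-elem',
  'http://domain.com/myexternalscript.js', extPage));
console.log(checkUrl("script-src 'self' 'unsafe-eval' https://domain.com; object-src 'self'",
  'script-src-elem', 'https://domain.com/myexternalscript.js', extPage));
```

The `directive` field in the result reproduces the "was not explicitly set, so 'script-src' is used as a fallback" part of the browser message: ask for `script-src-elem` against a policy that only sets `script-src` and the decision is reported as coming from `script-src`. This is the generic CSP matching algorithm; it does not model the extra restrictions extensions place on which sources are accepted in a manifest.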