I'm using Nokia Maps in my HTML page by including this script (with HTTPS):
<script type="text/javascript" charset="UTF-8" src="https://api.maps.nokia.com/2.2.4/jsl.js?with=all"></script>
If I access my site using HTTPS then it gives me this security warning message:
SEC7111: HTTPS security is compromised by http://1.maps.nlp.nokia.com/maptile....
How can I force the scripts to get the maps with HTTPS?
This is a configuration issue. In order to fix it you have to add this line in your Nokia HERE declaration:
nokia.Settings.set("secureConnection", "force");
I set up a Content Security Policy and Chrome is perfectly happy with it. Firefox though displays these errors in the console.
These line numbers do not point to script (e.g. 1:1 is just <!DOCTYPE html>).
How can I determine what script Firefox is complaining about?
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). xxx.com:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). xxx.com:3:4629
This is a NoScript issue. Tell NoScript to allow scripts.
It is related to where the document lives and apparently has nothing to do with the document's content.
I can reproduce the issue on my local filesystem (file:///tmp/test.html) with this tiny HTML snippet:
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head><body>test</body>
</html>
(Note the lack of scripts. The <meta> tag only exists to suppress the character encoding complaint.)
When I tell NoScript to allow scripts from file: and refresh the page, the policy notice goes away.
I have a strange behavior in my code, but it only appears in WebKit browsers (Chrome + Opera) and only with SSL enabled. Generally I use the nonce attribute in script tags, but only a special user group sends the matching HTTP header for the nonce. So for most visitors it is only an attribute and not for security.
<script src="https://www.example.com/script.js" nonce="random-value"></script>
On localhost without SSL (only HTTP) it works fine, but with SSL (HTTPS) I see the random value in the source code, while in the inspector/elements panel the nonce attribute is empty.
<script src="https://www.example.com/script.js" nonce=""></script>
In Firefox and Edge it shows this value. Is this a bug or for security in WebKit, or my mistake? But why only in WebKit? Chrome 68.0.3440.84 on Windows 10.
I am trying to load some CSS and scripts via some CDNs to improve loading times, but I am getting a Content Security Policy issue, and after a fair amount of time reading up on it and trying out different policies it is still giving me the same error.
Currently my policy looks like this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https://code.jquery.com/ https://cdnjs.cloudflare.com/ https://maxcdn.bootstrapcdn.com/">
which from my understanding should mean I can load anything from the site itself and the 3 URLs, e.g. for maxcdn I should be able to load https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
I did try the very simple and not-to-be-used policy of
<meta http-equiv="Content-Security-Policy" content="default-src *">
but that didn't change anything.
The error I'm getting is:
Refused to load the script 'https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
The script it's trying to load (I will do fallbacks after I get this working):
<script type="text/javascript" src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"
integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa"
crossorigin="anonymous"></script>
I have tested in Chrome (55.0.2883.87) and Edge.
From the error message it's as if it's not taking my policy but using the default policy set by the browser?
Any help would be much appreciated :)
The script loads without a problem when I test it with a CSP provided by the meta tag you included in your question.
I was able to reproduce the problem by including a conflicting CSP using an HTTP header.
A real HTTP header will trump a meta tag.
You need to make the changes to your server side code or HTTP server configuration instead of to the document.
I had a similar problem due to... an ad blocker (uBlock Origin)
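The fallback named in the error message and the conflict described in the accepted answer, modelled in JavaScript as an added example (not code from the thread). `parseCsp`, `checkScriptLoad`, `checkAllPolicies` and the page origin https://example.com are assumptions of the example; only the source-expression forms that appear in this thread are handled.

```javascript
// Added example (not from the thread): a minimal model of how a browser picks the
// CSP directive that governs a <script src> load and matches the URL against it.
// Only the source-expression forms seen in this thread are modelled:
// 'self', 'none', '*' and host-sources such as https://cdn.example.com/path/.

function parseCsp(policy) {
  // "default-src 'self' https://a.com/; script-src 'none'"  ->  Map(directive -> [sources])
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1)); // first occurrence wins, as in browsers
    }
  }
  return directives;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;          // 'unsafe-inline', nonces, hashes never match a src URL
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme ? scheme + ':' !== url.protocol
             : url.protocol !== 'https:' && !pageOrigin.startsWith(url.protocol)) return false;
  if (host.startsWith('*.') ? !url.hostname.endsWith(host.slice(1)) : url.hostname !== host) return false;
  if (port && port !== '*' && (url.port || (url.protocol === 'https:' ? '443' : '80')) !== port) return false;
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function checkScriptLoad(policy, scriptUrl, pageOrigin) {
  // script loads consult script-src; when it is absent, default-src is the fallback the error mentions
  const d = parseCsp(policy);
  const name = d.has('script-src') ? 'script-src' : d.has('default-src') ? 'default-src' : null;
  if (!name) return { allowed: true, directive: null };   // no governing directive: not restricted
  const url = new URL(scriptUrl);
  return { allowed: d.get(name).some(s => sourceMatches(s, url, pageOrigin)), directive: name };
}

function checkAllPolicies(policies, scriptUrl, pageOrigin) {
  // every delivered policy (HTTP header or <meta>) is enforced; one refusal blocks the load
  return policies.map(p => checkScriptLoad(p, scriptUrl, pageOrigin)).find(r => !r.allowed)
      || { allowed: true, directive: null };
}
```

Running the question's meta policy alone allows the Bootstrap URL; adding a header policy of `default-src 'self'` reproduces the refusal, attributed to `default-src`, exactly as the browser reported it.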
I'm new to SSL setup and I was following a tutorial on how to set up a Node.js application with nginx and an SSL certificate.
"The tutorial":
https://code.lengstorf.com/deploy-nodejs-ssl-digitalocean/?utm_source=nodeweekly&utm_medium=email
Everything went well and I'm able to access the site via HTTPS, but in Chrome in the right sidebar I can see this warning (This page is trying to load scripts from unauthenticated sources).
Any idea what it may be?
This means that you have some HTTP links in <script> tags in your HTML.
You need all your links in HTML to be HTTPS (scripts, images, styles, etc.)
Those could be links to libraries like jQuery, some analytics scripts or even your own scripts on your own page that get loaded with <script src="http://...">
For example, if you have something like this in HTML:
<script src="http://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js">
</script>
Change it to:
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js">
</script>
It is also possible, but less likely, that you have some scripts that are requested over HTTPS but the requests get redirected to HTTP. Open the browser's developer console and see which requests for which files are causing those warnings, then find out where they are referenced in the HTML that the browser is getting.
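The check this answer describes, done statically over the page's own markup, as an added example (not code from the thread or the tutorial): it lists every sub-resource referenced over plain http:// with its line number and rewrites those references to https://. `SAMPLE_HTML` is constructed input, and the function names are assumptions. It only sees references in the HTML itself; a script that is itself loaded over HTTPS but then fetches http:// resources, like the map tiles in the first question, shows up only in the browser's network panel.

```javascript
// Added example (not from the thread): static scan of an HTML document for sub-resources
// referenced over plain http://, the kind that trigger the "unauthenticated sources" warning.
// SAMPLE_HTML is constructed test input, not anything from the thread.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js"></script>
<script src='http://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js'></script>
</head><body>
<img src="//static.example.com/logo.png">
<img src=http://static.example.com/banner.png alt="x">
<a href="http://example.com/about">about</a>
</body></html>`;

// Tags whose src/href fetch a sub-resource into the page. <a href> is a navigation,
// not a sub-resource, so it is deliberately left out.
const RESOURCE_TAGS = new Set(['script', 'img', 'link', 'iframe', 'source', 'video', 'audio', 'object', 'embed']);
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// double-quoted, single-quoted or unquoted attribute values
const ATTR_RE = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findInsecureReferences(html) {
  const hits = [];
  let t;
  TAG_RE.lastIndex = 0;
  while ((t = TAG_RE.exec(html)) !== null) {
    const tag = t[1].toLowerCase();
    if (!RESOURCE_TAGS.has(tag)) continue;
    const line = html.slice(0, t.index).split('\n').length;
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(t[2])) !== null) {
      const value = (a[2] ?? a[3] ?? a[4]).trim();
      if (/^http:\/\//i.test(value)) hits.push({ tag, attr: a[1].toLowerCase(), url: value, line });
    }
  }
  return hits;
}

function rewriteInsecureReferences(html) {
  // the fix the answer describes: http:// -> https:// in src/href of resource tags only
  return html.replace(TAG_RE, (whole, name) =>
    RESOURCE_TAGS.has(name.toLowerCase())
      ? whole.replace(ATTR_RE, m => m.replace(/=(\s*["']?)http:\/\//i, '=$1https://'))
      : whole);
}
```

Run `findInsecureReferences(SAMPLE_HTML)` to see the three offending references; the protocol-relative `//static.example.com` image and the `<a href>` are correctly not reported.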
I know that if you access an HTTP resource within an HTTPS page, most browsers will warn you. Are there any issues regarding loading a resource over HTTPS from foo.com when the page is served on bar.com?
For example, assume the following page comes from https://www.bar.com/index.html:
<html>
<script src="https://somescript.foo.com/foo.js"></script>
</html>
No, there are no issues.
This is common practice in PayPal shopping carts, where PayPal includes the user's logo from a 3rd party site via https://