Facebook js sdk not executed in my Chrome extension - google-chrome-extension

As in this question, Can't load facebook js sdk from Chrome extension, I am trying basically the same thing.
background.js
(function(d, s, id, debug){
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) {return;}
  js = d.createElement(s); js.id = id;
  js.src = "facebook-all.js";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk', /*debug*/ false));

window.fbAsyncInit = function() {
  // init the FB JS SDK
  alert('INIT SDK');
  FB.init({
    appId      : 'xxxxxxxxxxx', // App ID from the App Dashboard
    //channelUrl : '', // Channel File for x-domain communication
    status     : true, // check the login status upon init?
    cookie     : true, // set sessions cookies to allow your server to access the session?
    xfbml      : true, // parse XFBML tags on this page?
  });
  FB.login(function(response) {
    if (response.authResponse) {
      alert('Welcome! Fetching your information.... ');
      FB.api('/me', function(response) {
        alert('connected ' + JSON.stringify(response, null, 4));
      });
    } else {
      alert('User cancelled login or did not fully authorize.');
    }
  });
};
manifest.json
{
  "name": "A browser action with no icon",
  "version": "1.0",
  "background": { "scripts": ["background.js"] },
  "permissions": [
    "tabs",
    "https://*/*"
  ],
  "content_security_policy": "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ chrome-extension-resource: 'self' 'unsafe-eval' ",
  "manifest_version": 2
}
but I'm getting the following errors on the console:
The "fb-root" div has not been created, auto-creating all.js:52
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ 'self' 'unsafe-eval'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ 'self' 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ 'self' 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the frame 'http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f30…F_generated_background_page.html%3Ffb_xd_fragment%23xd_sig%3Df2c0b5eef8%26' because it violates the following Content Security Policy directive: "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ 'self' 'unsafe-eval'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the frame 'https://www.facebook.com/dialog/oauth?client_id=xxxxxxxxxxx&response_type=…4%26domain%3D<extension-id>%26relation%3Dparent&sdk=joey' because it violates the following Content Security Policy directive: "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ 'self' 'unsafe-eval'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
I know 'unsafe-inline' is not allowed anymore, so is there a way to make the FB JS SDK work in a Chrome extension?
Any help will be greatly appreciated!
Note: I was able to fetch the results from FB directly in the browser, but not in the extension.

You can enable styles and frames with the following:
"content_security_policy": "default-src 'self' 'unsafe-eval' chrome-extension-resource: https://*.facebook.net https://*.facebook.com; style-src 'self' 'unsafe-inline' chrome-extension-resource: https://*.facebook.net https://*.facebook.com; frame-src 'self' 'unsafe-inline' chrome-extension-resource: https://*.facebook.net https://*.facebook.com",
but I'm not sure how to get rid of the Refused to load the frame 'http://static.ak.facebook.com(...)' error. Google Chrome's CSP disallows http:// domains, and without it there's no iframe communication, so for example automatic resizing won't work.
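The console errors above come down to two rules: a fetch directive that is not set falls back to default-src, and a host-source such as https://*.facebook.com only matches a URL with that scheme, a host covered by the pattern and, if a path is given, a matching path. The following is an added example, not code from the question or the answer: a small evaluator of those rules run against the question's policy, the answer's policy and the URLs from the console errors. The chrome-extension:// id it uses as the document origin is a placeholder, not a real extension id.

```javascript
// Added example (not code from the question or the answer): an evaluator for
// the CSP semantics behind the console errors above. It parses a policy,
// applies the default-src fallback the errors mention, and matches a URL
// against source expressions such as https://*.facebook.com. The document
// origin below is a constructed chrome-extension:// id, not a real one.

const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'manifest-src',
]);

// scheme://host[:port][/path]; every part except the host is optional
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/;

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; frame-ancestors and
// the like do not. Returns the list consulted and the directive it came from.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return { sources: directives.get(directive), via: directive };
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) {
    return { sources: directives.get('default-src'), via: 'default-src' };
  }
  return { sources: null, via: null }; // nothing restricts this directive
}

// URL.origin serialises to "null" for non-special schemes such as
// chrome-extension:, so the origin is assembled by hand.
function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

function matchesSource(expr, url, documentOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return originOf(url) === documentOrigin.toLowerCase();
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = HOST_SOURCE.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // A source without a scheme inherits the document's; an http source also
  // matches its https upgrade. Nothing lets an https source match http.
  const want = scheme ? `${scheme}:` : documentOrigin.split('//')[0];
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // *.facebook.com does not cover facebook.com
  } else if (host !== '*' && url.hostname !== host) {
    return false;
  }
  if (port === undefined ? url.port !== '' : port !== '*' && url.port !== port) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

function isAllowed(policy, directive, urlString, documentOrigin) {
  const url = new URL(urlString);
  const { sources, via } = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return { allowed: true, via: null };
  return { allowed: sources.some((s) => matchesSource(s, url, documentOrigin)), via };
}

// Policies from the question (manifest.json) and from the answer.
const QUESTION_CSP = "default-src https://connect.facebook.net/ https://s-static.ak.facebook.com/connect/ chrome-extension-resource: 'self' 'unsafe-eval' ";
const ANSWER_CSP = "default-src 'self' 'unsafe-eval' chrome-extension-resource: https://*.facebook.net https://*.facebook.com; style-src 'self' 'unsafe-inline' chrome-extension-resource: https://*.facebook.net https://*.facebook.com; frame-src 'self' 'unsafe-inline' chrome-extension-resource: https://*.facebook.net https://*.facebook.com";
const EXT_ORIGIN = 'chrome-extension://exampleextensionidplaceholder'; // constructed placeholder id

const checks = [
  ['frame-src', 'https://www.facebook.com/dialog/oauth?client_id=1'],
  ['frame-src', 'http://static.ak.facebook.com/connect/xd_arbiter.php?version=21'],
  ['style-src', 'https://connect.facebook.net/en_US/all.js'],
];
for (const [directive, target] of checks) {
  for (const [label, policy] of [['question', QUESTION_CSP], ['answer', ANSWER_CSP]]) {
    const r = isAllowed(policy, directive, target, EXT_ORIGIN);
    console.log(`${label.padEnd(8)} ${directive.padEnd(10)} ${r.allowed ? 'allowed' : 'BLOCKED'} via ${r.via}  ${target}`);
  }
}
```

Running it shows the answer's policy admitting the https://www.facebook.com OAuth dialog frame while still rejecting the http://static.ak.facebook.com frame, exactly the remaining error the answer describes, and shows the question's style-src request being judged by default-src because no style-src was set.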

Related

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".?

I'm trying to use an inline script in my project, and I keep getting this error:
'Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-hyQXPyDjuL7UGCz8hPIbJ2ZzKwE8uqNzvUJB9/9T6jc='), or a nonce ('nonce-...') is required to enable inline execution.'
I've viewed a bunch of other similar questions on here and they all say it has to do with a meta tag and to include something like this:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'" />
but that doesn't make a difference. I've removed all the meta tags from my <head> and I still get the same error. Where could this issue possibly be coming from other than the <head>? I've created my project with the express-generator but I can't find anything CSP-related in any of my files.
I'm completely lost on what's blocking the inline scripts. If I can provide any code please let me know, but seeing as I have no idea what's causing it, I don't know what code to provide.
The CSP directive is not set in a meta tag but in an HTTP header.
Since you marked the question with the node.js and express tags, here's an example setting the CSP header in express:
const express = require("express");
const app = express();
const port = 8080;

app.get("/", (req, res) => {
  res
    .set("Content-Security-Policy", "default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'")
    .send("<html><head></head><body></body></html>");
});

app.listen(port, () => {
  console.log("Listening on port %s", port);
});
Then you can see the CSP in the response headers:
curl -v http://localhost:8080
* Rebuilt URL to: http://localhost:8080/
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Security-Policy: default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'
< Content-Type: text/html; charset=utf-8
< Content-Length: 39
< ETag: W/"27-ghawzGh2y9RPAcFY59/zgzzszUE"
< Date: Tue, 17 Nov 2020 00:01:04 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
<html><head></head><body></body></html>
The problem for me was the cheerio version. I went from 1.0.0-rc.12 to 1.0.0-rc.5 and it worked fine after.

How to Allow Google fonts in IdentityServer4

To use Google fonts in IdentityServer3, the following Content-Security-Policy never worked:
<meta http-equiv="Content-Security-Policy"
      content="style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
               font-src 'self' 'unsafe-inline' https://fonts.gstatic.com data:">
Instead we configured the CspOptions in the idsrvApp.UseIdentityServer constructor, which did work:
CspOptions = new CspOptions {
    FontSrc = "https://fonts.gstatic.com",
    StyleSrc = "https://fonts.googleapis.com",
    Enabled = true
}
How can we configure CspOptions in IdentityServer4? I'm having trouble finding it.
For anyone else who gets stuck, the SecurityHeadersAttribute.cs file that comes with the IdentityServer4 quickstart files needs to be modified. Appending the following lines fixed it:
var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
// These two lines enable google fonts
csp += "font-src 'self' https://fonts.gstatic.com;";
csp += "style-src 'self' https://fonts.googleapis.com;";
The file is located in quickstart/SecurityHeadersAttribute.cs

How to setup extra content-security-policy based on file type in koa?

The goal is to set up special rules for SVG files:
server {
    add_header Content-Security-Policy "default-src 'none'; child-src https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; frame-src https://www.youtube.com; img-src 'self'; media-src 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com";
    location ~ \.svg$ {
        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'";
    }
}
For the first rule, we can do
ctx.response.set('Content-Security-Policy', 'default-src ...');
How about the second rule, for the SVG files?
Just use a regular expression:
const svgPattern = /.+\.svg$/;
if (svgPattern.test(filename)) {
  // add required header
}
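A Koa middleware that carries out the answer's idea, as an added example that is not the answerer's code. It applies the two policies from the question's nginx config, but chooses by what is actually being served rather than by URL pattern alone: the response's Content-Type decides, with the .svg extension as a fallback, because the thing to contain is an SVG document (which can carry <script> and <style>) being rendered under the page policy. There is no koa dependency; the middleware has koa's (ctx, next) signature and is exercised with a hand-built ctx object.

```javascript
// Added example (not the answerer's code): a Koa-style middleware that picks
// a Content-Security-Policy per response, mirroring the nginx config in the
// question. It keys on the response's Content-Type, with the .svg extension
// as a fallback. No koa dependency: the middleware has koa's (ctx, next)
// shape and is driven below with a constructed stand-in for ctx.

const DEFAULT_CSP = "default-src 'none'; child-src https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; frame-src https://www.youtube.com; img-src 'self'; media-src 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com";
const SVG_CSP = "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'";

function isSvgResponse(ctx) {
  // koa's ctx.response.type is the media type without parameters (no charset)
  const type = String(ctx.response.type || '').toLowerCase();
  return type === 'image/svg+xml' || /\.svg$/i.test(ctx.path);
}

function cspFor(ctx) {
  return isSvgResponse(ctx) ? SVG_CSP : DEFAULT_CSP;
}

function applyPolicy(ctx) {
  const policy = cspFor(ctx);
  // One header per response: the SVG policy replaces the page policy, as the
  // add_header inside the nginx location block does.
  ctx.response.set('Content-Security-Policy', policy);
  return policy;
}

// app.use(cspMiddleware()) ahead of the static/route handlers. The header is
// set after next() so the downstream handler has already fixed the type.
function cspMiddleware() {
  return async (ctx, next) => {
    await next();
    applyPolicy(ctx);
  };
}

// Stand-in for koa's ctx with just what the functions above touch (constructed).
function fakeCtx(path, type) {
  const headers = {};
  return {
    path,
    response: { type, headers, set(name, value) { headers[name] = value; } },
  };
}

// Walk a few constructed responses through the middleware.
const samples = [
  ['/logo.svg', 'image/svg+xml'],
  ['/asset/42', 'image/svg+xml'], // SVG served from a route without the extension
  ['/legacy.svg', ''],            // type not set by the handler: extension decides
  ['/index.html', 'text/html'],
];
for (const [path, type] of samples) {
  const ctx = fakeCtx(path, '');
  cspMiddleware()(ctx, async () => { ctx.response.type = type; })
    .then(() => console.log(`${path.padEnd(12)} ${type.padEnd(14)} -> ${ctx.response.headers['Content-Security-Policy']}`));
}
```

Keying on the served Content-Type as well as the extension matters for any route that streams uploads or assets by id, where the URL carries no .svg suffix but the body is still an SVG document.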

CSP: multiple google uris and null?

We started to use Content Security Policy quite recently and still have a lot of problems with it.
1. blocked google URIs
A lot of google URIs get blocked for different directives. For example:
"csp-report": {
"blocked-uri": "https://www.google.co.za",
"document-uri": "https://de.our-project.com/",
"original-policy": "default-src https://de.our-project.com; script-src https://de.our-project.com data: https://*.our-project-test.com https://*.our-project.com https://*.our-project-stage.com https://s.yimg.jp https://www.google.co.jp https://p.dr.adingo.jp https://ajax.googleapis.com https://api.sovendus.com https://s.yjtag.jp https://data1.allo-pages.fr https://data1.mes-resultats.com https://*.yahoo.co.jp https://api.gutscheinconnection.de https://cdn.our-project-stage.com https://cdn.our-project.com http://www.googletagmanager.com https://www.googletagmanager.com https://www.google-analytics.com https://maps-api-ssl.google.com https://maps.googleapis.com https://www.googleadservices.com https://*.justuno.com http://connect.facebook.net https://connect.facebook.net https://pippio.com http://cdn.rawgit.com http://d.ratepay.com 'unsafe-inline' 'unsafe-eval'; style-src https://de.our-project.com https://*.our-project.com https://*.our-project-test.com https://www.sovendus.com https://cdn.our-project-stage.com https://cdn.our-project.com https://fast.fonts.net https://fonts.googleapis.com 'unsafe-inline'; img-src https://de.our-project.com data: https://*.our-project.com http://*.test.com https://*.test.com https://*.our-project-test.com https://www.google.com.co https://www.google.lt https://www.google.nl https://www.google.com.ua https://www.google.co.jp https://www.google.es https://www.google.co.uk https://www.google.dk https://www.google.co.il https://www.google.cz https://www.gstatic.com https://tap.rubiconproject.com https://sync.adap.tv https://d.agkn.com https://rudy.adsnative.com https://www.googletagmanager.com https://*.sovendus.com https://gum.criterio.com https://wam.solution.weborama.fr https://pippio.com https://load.s3.amazonaws.com http://test-admin.devnet.nil https://a248.e.akamai.net https://er.criteo.com https://ibeu2.mookie1.com https://tags.bluekai.com https://s.thebrighttag.com https://elr.sfr.fr https://traffic.outbrain.com 
https://ext.ligatus.com http://www.seur.com https://*.rlcdn.com https://www.google.ie https://www.google.fr https://cdn.our-project-stage.com https://cdn.our-project.com http://pim.test.com https://admin.our-project-stage.com https://admin.our-project.com https://pim-cdn.test.com http://pim-cdn.test.com https://cms-cdn.test.com http://test.preview.denkwerk.com https://www.facebook.com https://maps.googleapis.com https://maps-api-ssl.google.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google.de https://www.google.com https://stats.g.doubleclick.net https://csi.gstatic.com https://maps.gstatic.com http://aa.agkn.com https://aa.agkn.com http://login.dotomi.com https://login.dotomi.com http://emailretargeting.com https://emailretargeting.com https://p-eu.acxiom-online.com http://global.ib-ibi.com https://global.ib-ibi.com http://loadus.exelator.com https://loadus.exelator.com http://i.liadm.com https://i.liadm.com http://rc.rlcdn.com https://cm.g.doubleclick.net https://secure.insightexpressai.com https://e.nexac.com https://stags.bluekai.com https://pm.w55c.net https://um.simpli.fi https://dt-secure.videohub.tv https://c.bing.com https://b97.yahoo.co.jp; font-src https://de.our-project.com data: https://cdn.our-project-stage.com https://cdn.our-project.com https://fonts.gstatic.com 'unsafe-inline' 'unsafe-eval'; connect-src https://de.our-project.com https://profile.justuno.com https://www.justuno.com https://profilebak.justuno.com http://d.ratepay.com; media-src https://de.our-project.com; object-src https://de.our-project.com https://d.ratepay.com; child-src https://de.our-project.com https://bid.g.doubleclick.net https://www.youtube.com https://www.justuno.com; frame-src https://de.our-project.com https://bid.g.doubleclick.net https://www.youtube.com https://www.justuno.com; frame-ancestors https://de.our-project.com ; form-action https://de.our-project.com https://www.computop-paygate.com https://*.paypal.com 
https://www.sandbox.paypal.com; manifest-src https://de.our-project.com;",
"referrer": "https://de.our-project.com/",
"violated-directive": "img-src https://de.our-project.com data: https://*.our-project.com http://*.test.com https://*.test.com https://*.our-project-test.com https://www.google.com.co https://www.google.lt https://www.google.nl https://www.google.com.ua https://www.google.co.jp https://www.google.es https://www.google.co.uk https://www.google.dk https://www.google.co.il https://www.google.cz https://www.gstatic.com https://tap.rubiconproject.com https://sync.adap.tv https://d.agkn.com https://rudy.adsnative.com https://www.googletagmanager.com https://*.sovendus.com https://gum.criterio.com https://wam.solution.weborama.fr https://pippio.com https://load.s3.amazonaws.com http://test-admin.devnet.nil https://a248.e.akamai.net https://er.criteo.com https://ibeu2.mookie1.com https://tags.bluekai.com https://s.thebrighttag.com https://elr.sfr.fr https://traffic.outbrain.com https://ext.ligatus.com http://www.seur.com https://*.rlcdn.com https://www.google.ie https://www.google.fr https://cdn.our-project-stage.com https://cdn.our-project.com http://pim.test.com https://admin.our-project-stage.com https://admin.our-project.com https://pim-cdn.test.com http://pim-cdn.test.com https://cms-cdn.test.com http://test.preview.denkwerk.com https://www.facebook.com https://maps.googleapis.com https://maps-api-ssl.google.com https://googleads.g.doubleclick.net https://www.google-analytics.com https://www.google.de https://www.google.com https://stats.g.doubleclick.net https://csi.gstatic.com https://maps.gstatic.com http://aa.agkn.com https://aa.agkn.com http://login.dotomi.com https://login.dotomi.com http://emailretargeting.com https://emailretargeting.com https://p-eu.acxiom-online.com http://global.ib-ibi.com https://global.ib-ibi.com http://loadus.exelator.com https://loadus.exelator.com http://i.liadm.com https://i.liadm.com http://rc.rlcdn.com https://cm.g.doubleclick.net https://secure.insightexpressai.com https://e.nexac.com https://stags.bluekai.com https://pm.w55c.net 
https://um.simpli.fi https://dt-secure.videohub.tv https://c.bing.com https://b97.yahoo.co.jp"
}
But we don't even have this URI on our site. It's the same for a lot of other Google URIs.
Does someone know why we get these violations and how to resolve them?
2. blocked-uri: null
There are a lot of
"blocked-uri": "null"
parts in our violation log. It's always the font-src directive that is involved.
I've read about it being empty but couldn't find anything about "null".
Can anybody explain to me how this happens?
EDIT
I've read some more into it now and it seems like Google AdWords and Analytics (?) are the reasons for my first problem.
Solution for this:
Either add ALL 200 or so Google domains to your CSP or allow ALL image sources (or at least the specific protocol).
To my second problem:
It seems like "null" replaced the empty string. But all I found was about the script-src directive being violated, which either means the report is about inline JavaScript or an eval() call.
Neither is the case for me, as the font-src directive is being violated.
If I find out something new, I'll edit the post again.
Found the solution myself:
1. blocked google URIs
Either add ALL 200 or so Google domains to your CSP or allow ALL image sources (or at least the specific protocol).
2. blocked-uri: null, violated-directive: font-src
It seems like browser extensions cause this error, namely LastPass. We tried it and on login the CSP threw the violation.
Hope this helps some people in the future.
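Reports like the one quoted above pile up fast, and the two findings in this thread (Google country-domain redirects on the one hand, extension-injected requests reported with no URL on the other) are easier to see once the reports are grouped. The following is an added example, not from the question or the answers: a small triage over report-uri JSON that buckets each report by the effective directive and by what kind of blocked-uri it carries. Browsers strip a cross-origin blocked URL to its origin before reporting, which is why only https://www.google.co.za appears in the report above. The sample reports below are constructed, using the document URI from the quoted report.

```javascript
// Added example (not from the question or answers): triage of report-uri
// violation reports. Cross-origin blocked URLs arrive stripped to their
// origin; reports with no URL at all ("null", "", "inline", "eval") are the
// kind the thread traced to a browser extension. SAMPLE_REPORTS below are
// constructed for this example.

const NO_URL = new Set(['', 'null', 'inline', 'eval', 'self', 'about']);
const GOOGLE_TLD = /(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$/; // google.com, google.de, google.co.za, ...

const HINTS = {
  'no-url': 'no URL in the report: inline/eval, or injected by a browser extension (reproduce with extensions disabled)',
  'scheme-only': 'non-http(s) scheme: an extension or a data:/blob: resource, usually not a site bug',
  'first-party': "own origin blocked: the directive lacks 'self' or this origin",
  'google-tld': 'Google country-domain redirects (ads/analytics): allow the family or widen the directive to https:',
  'third-party': 'third party not in the policy: add it or drop the dependency',
  'unparseable': 'blocked-uri is not a URL: inspect the raw report',
};

function classifyBlockedUri(blockedUri, documentUri) {
  const b = blockedUri == null ? '' : String(blockedUri).trim();
  if (NO_URL.has(b)) return { bucket: 'no-url', origin: b || '(empty)' };
  if (!b.includes('://')) return { bucket: 'scheme-only', origin: b }; // e.g. "chrome-extension"
  let url;
  try { url = new URL(b); } catch { return { bucket: 'unparseable', origin: b }; }
  const origin = `${url.protocol}//${url.host}`;
  const docHost = new URL(documentUri).hostname;
  const site = docHost.split('.').slice(-2).join('.'); // crude eTLD+1, adequate for .com sites
  if (url.hostname === docHost || url.hostname === site || url.hostname.endsWith(`.${site}`)) {
    return { bucket: 'first-party', origin };
  }
  if (GOOGLE_TLD.test(url.hostname)) return { bucket: 'google-tld', origin };
  return { bucket: 'third-party', origin };
}

// Accepts the {"csp-report": {...}} wrapper or the bare report object.
function triage(reports) {
  const groups = new Map();
  for (const wrapper of reports) {
    const r = wrapper['csp-report'] || wrapper;
    const directive = (r['effective-directive'] || r['violated-directive'] || '').split(/\s+/)[0];
    const { bucket, origin } = classifyBlockedUri(r['blocked-uri'], r['document-uri']);
    const key = `${directive}|${bucket}`;
    const g = groups.get(key) || { directive, bucket, count: 0, origins: new Set(), hint: HINTS[bucket] || '' };
    g.count += 1;
    g.origins.add(origin);
    groups.set(key, g);
  }
  return [...groups.values()]
    .sort((a, b) => b.count - a.count || a.directive.localeCompare(b.directive))
    .map((g) => ({ ...g, origins: [...g.origins].sort() }));
}

// Constructed sample reports in the shape of the one quoted in the question.
function sample(blockedUri, directive) {
  return { 'csp-report': {
    'document-uri': 'https://de.our-project.com/',
    'blocked-uri': blockedUri,
    'violated-directive': `${directive} https://de.our-project.com`,
  } };
}
const SAMPLE_REPORTS = [
  sample('https://www.google.co.za', 'img-src'),
  sample('https://www.google.co.za', 'img-src'),
  sample('https://www.google.co.jp', 'img-src'),
  sample('null', 'font-src'),
  sample('null', 'font-src'),
  sample('chrome-extension', 'font-src'),
  sample('https://cdn.our-project.com/fonts/main.woff2', 'font-src'),
  sample('inline', 'script-src'),
];

for (const g of triage(SAMPLE_REPORTS)) {
  console.log(`${g.count}x ${g.directive} [${g.bucket}] ${g.origins.join(', ')}\n    ${g.hint}`);
}
```

The grouping keeps the two problems from the thread apart: the img-src reports collapse into one google-tld bucket listing every country domain seen, while the font-src reports split into the no-url ones (extension or inline), a scheme-only chrome-extension one, and a first-party one that really is a policy gap.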

Content Security Issues with IdentityServer 4 upgrade to version 1.5

I upgraded my IdentityServer4 to version 1.5.1 and now have content security policy errors. None of the solutions prescribed so far has worked for me.
I tried this
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.6/css/bootstrap.min.css; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.aspnetcdn.com/ajax/jquery/jquery-2.2.0.min.js https://ajax.aspnetcdn.com/ajax/jquery.validate/1.14.0/jquery.validate.min.js">
but nothing worthwhile is happening
In the IdentityServer4 samples, the class SecurityHeadersAttribute.cs is responsible for sending the right CSP headers. You only need to add the domain name:
var csp = "default-src 'self';" +
          "img-src * 'self' data: https:;" +
          "style-src 'self' ajax.aspnetcdn.com;" +
          "font-src 'self' ajax.aspnetcdn.com;" +
          "script-src 'self' ajax.aspnetcdn.com;";
// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}
