How to write a test that fails when I get a CSP blocking something - console.log

I want to be able to write a test that will fail if my Content-Security-Policy blocks something in my pre-live environment.
I find this out normally by seeing something like this message in the browser console:
Refused to connect to 'https://www.<somedomain>.com' because it violates the following Content Security Policy directive: <something>
Motivation:
So I have to manually open the console, see the error, update the CSP and redeploy.
Checking this every time is something that could be forgotten - a test would remove some human error.
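An added example (not part of the question or any answer on this page) of the test the question asks for: it parses Chrome's CSP console messages, including the "[Report Only]" form that appears further down this page, plus report-uri JSON bodies, and throws when anything was blocked. It assumes your test runner feeds it the captured console lines (for example via page.on('console') in Playwright or Puppeteer); the message format and the sample inputs are assumptions, not taken from the question.

```javascript
// Added example, not code from the original question: turn CSP violations that
// browsers only show in the console (or POST to report-uri) into a failing test.
// Console format assumed is Chrome's: "[Report Only] Refused to connect to 'https://x'
// because it violates the following Content Security Policy directive: "connect-src 'self'"."
const CSP_CONSOLE_RE =
  /^(\[Report Only\] )?Refused to (.+?) because it violates the following Content Security Policy directive: "([^"]*)"/;

// Parse one console line; returns null when it is not a CSP violation.
function parseCspConsoleMessage(text) {
  const m = CSP_CONSOLE_RE.exec(text.trim());
  if (!m) return null;
  const url = /'([^']+)'/.exec(m[2]); // inline-script messages carry no URL
  return {
    reportOnly: Boolean(m[1]),
    action: m[2].replace(/\s*'[^']+'$/, ''), // "connect to", "load the script", ...
    blockedUri: url ? url[1] : 'inline',
    directive: m[3].split(/\s+/)[0], // "connect-src", "script-src", ...
    policy: m[3],
  };
}

// Parse a report-uri/report-to body; browsers POST {"csp-report": {...}}.
function parseCspReport(json) {
  const r = (typeof json === 'string' ? JSON.parse(json) : json)['csp-report'];
  if (!r) return null;
  return {
    reportOnly: (r.disposition || 'enforce') === 'report',
    action: 'report',
    blockedUri: r['blocked-uri'] || 'inline',
    directive: r['effective-directive'] || r['violated-directive'],
    policy: r['original-policy'] || '',
  };
}

// Collect violations from a mixed list of console strings and report bodies. Report-only
// findings count by default: pre-live often runs Report-Only, and those are the gaps to catch.
function collectCspViolations(items, { failOnReportOnly = true } = {}) {
  const out = [];
  for (const item of items) {
    const isConsoleText = typeof item === 'string' && !item.trim().startsWith('{');
    const v = isConsoleText ? parseCspConsoleMessage(item) : parseCspReport(item);
    if (v && (failOnReportOnly || !v.reportOnly)) out.push(v);
  }
  return out;
}

// Test helper: returns true when clean, otherwise throws a readable summary.
function assertNoCspViolations(items, opts) {
  const found = collectCspViolations(items, opts);
  if (found.length === 0) return true;
  const lines = found.map(v => `${v.directive} blocked ${v.blockedUri}${v.reportOnly ? ' (report-only)' : ''}`);
  throw new Error(`CSP blocked ${found.length} resource(s):\n${lines.join('\n')}`);
}
```

Call assertNoCspViolations(capturedMessages) at the end of each page test; a violation then fails the run with the directive and the blocked URL, which is what you would otherwise have to read out of the console by hand.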

Related

Cross site issue with Microsoft Graph Toolkit

I'm following this tutorial to create a simple web app with a Microsoft 365 login. I'm currently getting this error when debugging locally (http://localhost:8080):
Warning:
mgt-loader.js:61 A parser-blocking, cross site (i.e. different eTLD+1) script, https://unpkg.com/@microsoft/mgt/dist/bundle/wc/webcomponents-loader.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://www.chromestatus.com/feature/5718547946799104 for more details.
In Azure, I have the Redirect URIs set up to match (http://localhost:8080).
After some googling, I tried adding async, but then I get this warning and the login button doesn't appear:
mgt-loader.js:61 Failed to execute 'write' on 'Document': It isn't possible to write into a document from an asynchronously-loaded external script unless it is explicitly opened.
What would be causing this warning and how can I fix it?
First, check out how document.write works: https://developer.mozilla.org/en-US/docs/Web/API/Document/write
You will understand why you cannot run document.write in asynchronous context (try running document.write('Hello world!'); in console on any page).
The warning tells you that parser-blocking (synchronous), cross-site (not coming from the same domain as the website) scripts can be blocked by Chrome in the future if someone has an unstable or bad internet connection.
If you want it to run synchronously without that warning, you have to bundle that JS code with your own, or just serve it from your own origin, the same as your website (e.g. localhost:8080). You can download the @microsoft/mgt npm package and, for bundling, use gulp, webpack or another tool of your choice.
https://unpkg.com/@microsoft/mgt@2.4.0/dist/bundle/wc/webcomponents-loader.js
This script tries to differentiate between async and sync contexts (line 175) and run document.appendChild (instead of write) for async context - but for some reason the check fails (readyState === loading).
https://developer.mozilla.org/en-US/docs/Web/API/Document/readyState
How to check if a JavaScript script has been loaded asynchronously (async) or the async attribute is present?
If you want to run this in non-blocking manner, you could try to fix the script by yourself.
There is a GitHub repo for that toolkit (https://www.npmjs.com/package/@microsoft/mgt), but there is no issue regarding async loading, nor regarding the warning that you have noticed, so maybe nobody else has noticed or thought about it yet.

How to handle `unsafe-eval` using bitbucket static sites

I coded a static page using Gatsby and deployed it. On :80 there is no problem, and also when I hosted it on a GitHub static page the console didn't spam errors.
For each <GatsbyImage/> I am using in my project, I get this Chrome console error on my static page.
[Report Only] Refused to connect to '<URL>' because it violates the following Content Security Policy directive:
"connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net analytics.atlassian.com as.atlassian.com
api-private.stg.atlassian.com api-private.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io
xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net sentry.io bqlf8qjztdtr.statuspage.io <URL>".
Can someone point me to how to 1. understand the problem and 2. handle it properly to avoid all these console errors? I hate errors in live projects ;-)
This is an issue with Content Security Policy usage in Gatsby. See more explanation in [1]. Gatsby cannot be used with a CSP rule directly.
For that there are some plugins, for example the one at [2], that arrange for the CSP rule to be partially generated by Gatsby. The errors get fixed.
Source:
[1] https://github.com/gatsbyjs/gatsby/issues/10890
[2] https://www.gatsbyjs.com/plugins/gatsby-plugin-csp/

How to skip SSL verification in LibGit2Sharp

I recently started to use LibGit2Sharp and was able to start using this successfully. However, I am hitting one issue which I am unable to resolve related to SSL verification, very similar to this one. For one of my scenarios, I need to skip SSL verification.
I get the following exception when I try this scenario.
user cancelled certificate check:
I tried using the solution mentioned in the link above which is as follows.
using System.Net;            // ServicePointManager
using System.Net.Security;   // RemoteCertificateValidationCallback
using LibGit2Sharp;          // GlobalSettings
RemoteCertificateValidationCallback certificateValidationCallback = (sender, certificate, chain, errors) => { return true; }; // accept any server certificate
ServicePointManager.ServerCertificateValidationCallback = certificateValidationCallback;
GlobalSettings.RegisterSmartSubtransport<MockSmartSubtransport>("https"); // MockSmartSubtransport is the asker's own class, not shown here
I placed the above mentioned code before performing the git operation.
I see that the custom certificateValidationCallback is getting called. However, after that the git command fails with the following exception, "The remote server returned an error: (401) Unauthorized."
Any solution to this issue?
For one of my scenarios, I need to skip SSL verification.
Then use the http.sslVerify configuration setting. If that doesn't work, file an issue in LibGit2Sharp. But don't try to use your own subtransport.
This is not something that should be done without knowing exactly what you're doing. This is not for trivial little things like SSL certificates, this is for when you have your own complete, existing HTTP stack that you want to use and you simply can't use the one that's included in LibGit2Sharp.
If you're experimenting thinking that maybe using your own subtransport will solve a very simple problem then it won't. And pulling a test out and trying to make it actually work is likely to fail. Now you are responsible for everything like authentication and SSL handling.
Instead, turn off SSL verification with the http.sslVerify configuration setting.
Skipping the TLS certificate check is not currently supported. libgit2 used to honour http.sslverify but that was replaced with a callback to give the caller knowledge about what they were connecting to. This callback allows the user to allow the connection to continue or to abort it. It is unfortunately not implemented at the moment in libgit2sharp.
And as Edward says, replacing the whole HTTP stack is not going to solve much, especially when it's a fake one named so.

Grails Helloworld tutorial app not working

I feel guilty coming to Stack Exchange with such a trivial issue, but I've been banging my head against it all morning and can't seem to get anywhere. I am trying to run the simple HelloWorld app in the Grails tutorial: http://grails.org/doc/latest/guide/gettingStarted.html#creatingAnApplication
I have Grails installed, I can run it, create the controller and everything, but no matter what page I hit, I get nothing but a blank. Even pages that don't exist, return a blank page and not an error.
For example, I tried http://localhost:8080/helloworld, obviously, and get nothing but a blank page back. The same thing happens for http://localhost:8080/hellowrld, http://localhost:8080/helphelphelp and http://localhost:8080/pleasefortheloveofpeteworkalready. Always the empty response.
When I try a different port, I get an error. When I stop-app and try, I get an error. When I run grails run-app with port 9090 and try port 8080, I get an error, but on 9090, I get the blank page. So, I assume the server is fielding the requests, but just isn't responding for some reason.
I'm probably missing something super simple, something dumb, but I can't figure out what it is, and the complete lack of feedback is killing me.
Are there logs anywhere I can check? And, is there something obvious I'm missing?
(PS: I assume the environment vars are correct, because I can run Grails no problem. Also, I installed, but never ran, the GGTS IDE thing. I rebooted since then, but could that have installed some service that's taking over?)
Thanks,
Peter
The application name is the default "context", so if you create an application called foo (grails create-app foo) it will be available at http://localhost:8080/foo if you run grails run-app. You can use a different port, for example 9090, by running grails -Dserver.port=9090 run-app and you can also use a different context (or none at all).
The run-app script displays the full URL of the application in the output window - you should see something like:
Server running. Browse to http://localhost:8080/helloworld

Why is my functional test getting the meta tag http-equiv='refresh' and then quitting?

When I run a simple functional test to get (for example) the users/signIn page, I'm getting this:
<html><head><meta http-equiv="refresh" content="0;url=https://localhost/index.php/users/signIn"/></head></html>
and then the functional test just stops. It happens in other functional tests too, but not on every request. Other tests will run fine, then when it gets to a certain request in the test, it will get that response (with the requested URL in the content attribute), and stop.
Any ideas on why this might be happening?
These functional tests used to work, but I just got this project back from another development company and I don't have an idea of where to start looking for the changes. Of course I can do diffs on the files with the version control, but I don't know where to start. Thanks for any leads!
Argh, found it quicker than I thought.
The SSL filter was turned on, and needs to be disabled for the test environment. They had removed the test environment from app.yml.
test:
  disable_sslfilter: true