What can I do to prevent this error from occurring? I've already tried the following
default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
But I keep getting the following error
Refused to connect to 'https://storybook.js.org/versions.json?current=5.0.11' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I tried specifying the URL directly and specifying connect-src, but I just can't get it to work :(
Try this:
default-src 'self' 'unsafe-inline' 'unsafe-eval' storybook.js.org data: blob:;
With "default-src *" you would allow pretty much any URL; the rest of your CSP doesn't change anything for a connect.
Are you sure you are not setting multiple CSP values?
Is there a "default-src 'self'" meta tag or header?
If you have specified multiple CSPs, the strict combination of all of them would be enforced.
One of my iframes is not working/loading on iOS only (mobile and emulator), while it is working fine on Android/Chrome/Safari.
It happens to only one iframe, while a second one is working (on iOS).
I have the following error message:
webPageProxy::didFailProvisionalLoadForFrame: frameId = 26, domain = nsurlErrorDomain, code: -999.
I have implemented both answers from Stack Overflow:
Ionic iframe loading not fully working on iOS
iframe is not working in iOS (ionic framework)
Plus I have sanitized the URL of the iframe.
Nothing seems to work; the iframe is white.
The URL I am passing (in the case where it is working):
https://preprod-tpeweb.paybox.com/cgi
The URL I am passing (in the case where it is not working):
https://secure-test.dalenys.com/front/form/process
These two URLs are the action of a POST form, with an iframe as the target.
Do you have any idea what to do? Would it be possible that the host has badly set up its website?
Would it be possible that it comes from the fact that the iframe has this error:
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute?
Update:
We had the following error: “Refused to load https://secure-magenta1.dalenys.com/front/form/process because it does not appear in the frame-ancestors directive of the Content Security Policy.”
The CSP, from my understanding, is what secures your website against being embedded by another one.
And indeed the third party's request header CSP frame-ancestors is set to:
Content-Security-Policy : default-src * 'unsafe-inline'; frame-ancestors * gap:; img-src * data:
To allow the iOS in-app browser to access this request through an iframe, just do either of the following:
remove frame-ancestors, which would give in our case: Content-Security-Policy : default-src * 'unsafe-inline'; img-src * data:
allow Ionic Capacitor, by changing the CSP to: Content-Security-Policy : default-src * 'unsafe-inline'; frame-ancestors * gap: capacitor:; img-src * data:
Note: I do not recommend using the wildcard on its own with frame-ancestors, because it is the same as using the default configuration. Plus, it seems that the iOS in-app browser is not able to read it. It is just the third party that set it this way.
I am trying to allow others to embed pages from my Rails app on many websites. I can get it to work in Chrome and Firefox using X-Frame-Options. Is there a Content Security Policy that is equivalent to the following?
response.headers['X-Frame-Options'] = "ALLOW-FROM *"
Here is the bit using X-Frame-Options:
class PeopleController < ApplicationController
  def embed
    # Legacy framing header, as posted in the question
    response.headers['X-Frame-Options'] = "ALLOW-FROM *"
    @company = People.new
  end
end
But it does not work in both Chrome and Google when I use Content Security Policy:
class PeopleController < ApplicationController
  content_security_policy do |p|
    # "self" here is a plain string, so Rails emits it without CSP quotes (see the error below)
    p.frame_ancestors "self", "*"
  end

  def embed
    @company = People.new
  end
end
When using Content Security Policy, it throws this error:
Refused to frame 'http://localhost:3000/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors self".
and this is an example of the embed code:
<iframe src="http://localhost:3000/people/embed"></iframe>
and this is another one I tried:
<iframe src="/people/embed"></iframe>
Update
With Content Security Policy, this works only in Firefox:
content_security_policy do |p|
p.frame_ancestors 'self', "*"
end
Modern Chrome and Firefox do not support the ALLOW-FROM key in the X-Frame-Options header. You can publish X-Frame-Options: ALLOW-FROM ### or X-Frame-Options: ALLOW-FROM http://example.com; they restrict nothing, as headers with the ALLOW-FROM key are just ignored by browsers.
If you wish to allow iframing for unlimited domains, it's easier not to publish the X-Frame-Options header (and the frame-ancestors directive) at all.
If you have a finite set of allowed domains, you can use the CSP header with frame-ancestors domain1 domain2 ... domainN;.
When using Content Security Policy, it throws this error: ... because an ancestor violates the following Content Security Policy directive: "frame-ancestors self"
This error means that you really published frame-ancestors 'self', not frame-ancestors 'self' * as expected.
Maybe you published two different CSP headers at the same time, or maybe you have an error in your code. You can check what CSP header you actually got in the browser.
Note 1: the 'self' token should be single-quoted: use the "'self'" string in code.
Note 2: the 'self' token commonly covers standard ports 80/443 only; it does not cover http://localhost:3000 (it is browser-dependent). An asterisk * does cover any port number.
I am using Rails 5.2 with webpacker 4 and recently switched to using splitChunks. My web pages now reference my webpack bundle using the javascript_packs_with_chunks_tag.
Now that I want to start using CSP (Content Security Policy) with the SecureHeaders gem, I am coming across CSP errors:
homepage-5879edcf6f8ba98035c2.chunk.js:2
[Report Only] Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-dlcwKLQTKthCJgmDqEWu1SX05nIjRY/9r+6ixP5CP4A=' 'unsafe-inline'".
I know the SecureHeaders gem has a nonce helper method for normal JavaScript tags: nonced_javascript_include_tag.
Does anyone know how to add a nonce to the javascript_packs_with_chunks_tag to eliminate this error?
I am trying to whitelist an inline image. Is there a way to add a nonce to image_tag, like with javascript_include_tag, to whitelist an inline image?
Based on CSP: img-src, it mentions that img-src supports 'nonce-<base64-value>'.
My CSP policy for img-src:
policy.img_src :self
I tried the following and confirmed that the nonce shows up in the DOM.
-# fruit_store.html.haml
= image_tag('https://assets.myfruitstore.com', nonce: content_security_policy_nonce)
But the nonce on the image_tag does not seem to be honored, unlike with script-src. I am still getting
[Report Only] Refused to load the image 'https://assets.myfruitstore.com' because it violates the following Content Security Policy directive: "img-src self
I was wondering if there is another way to make this work, or if that is something that is not secure to do.
Update:
So based on Rails content_security_policy.rb#L134, it seems like Rails does NOT add a nonce to img_src,
so I updated my policy to:
policy.img_src :self, -> { %(nonce-#{request.content_security_policy_nonce}) }
But it is still flagged as a violation.
I'm programming a mobile app with Ionic v1, AngularJS and Firebase to manage users in a database. The app lets users log in and, once logged in, change their information (like name, birthday, etc.). On iOS 9 and in my browser when I use ionic serve, everything works fine.
However, on iOS 10, the user can log in (albeit noticeably more slowly) and then, once they attempt to change their info in the database, some kind of problem is happening and no new info is writing to the database.
Since the Firebase database is perfectly functional and the new data writes without any errors on the browser and in iOS 9, I believe it may be an issue with my Content Security Policy required in iOS 10. I have tried many combinations of CSPs; some result in a "WARN: FIREBASE WARNING: Exception was thrown by user callback", and some combinations have no error but are still not writing the new information to the database.
Does anyone have experience using Ionic v1 and AngularFire on iOS 10 that can help?
Current CSP:
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' 'unsafe-eval' 'unsafe-inline'; img-src * 'self' 'unsafe-eval' 'unsafe-inline'; script-src * 'self' 'unsafe-eval' 'unsafe-inline'; connect-src * 'self' 'unsafe-eval' 'unsafe-inline'; font-src * 'self' 'unsafe-eval' 'unsafe-inline'; object-src * 'self' 'unsafe-eval' 'unsafe-inline'; frame-src * 'self' 'unsafe-eval' 'unsafe-inline'; child-src * 'self' 'unsafe-eval' 'unsafe-inline';">
Edit:
Found the error inside the Safari developer console. It is failing to connect to the websocket. WebSocket connection to 'wss://stuff.firebaseio.com/.ws?v=5&ns=app' failed: Failed to send WebSocket frame.
I am facing kind of the same issue, with the websocket being killed when I send too much data to Firebase (more than 50 KB at once, a base64-encoded image for example), from iOS 10 only as well.
What you might be missing in your CSP is the following line:
connect-src * 'self' 'unsafe-inline' 'unsafe-eval' *.firebaseapp.com https://*.firebaseio.com wss://*.firebaseio.com blob: data:;
This will allow you to send and receive data to/from Firebase.