rails email preview / Policy directive: "style-src 'unsafe-inline'" - ruby-on-rails

Getting the following when using Rails' built-in email previews:
Refused to load the stylesheet
'http://app.lvh.me:3000/packs/...' because it violates
the following Content Security
Policy directive: "style-src 'unsafe-inline'".
Ended up adding the following in the headers:
<meta http-equiv="Content-Security-Policy"
content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';">
But I'm still getting the issue.
Has anyone encountered and solved this issue?

Obviously, this answer could be enhanced by explaining why this happened,
but so far it seems that the workaround is to add the following gem:
gem 'premailer-rails'
As explained here.

Related

Migration spring-boot from 2.1.8.RELEASE to 2.7.7- keeping spring-fox dependencies

I migrated a jhipster application generated with jhipster version 6.3.0.
Everything is right except Swagger. I don't want to migrate to springdoc for now. I just kept springfox.
I get this exception when I go to /admin/docs:
Refused to frame 'http://swagger.io/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".
Should I change the CSP or something else?
Right now I have this line in SecurityConfiguration
.contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' www.googletagmanager.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com data:")
Yes. It should work when adding http://swagger.io/ to frame-src in the CSP configuration. E.g.
...; frame-src 'self' http://swagger.io/ data:; ...
I solved the problem of CSP by using:
.and().frameOptions().sameOrigin().
But finally I had no choice. I was obliged to migrate to springdoc instead.

Content Security Policy Jenkins

Question - so I am trying to use the protractor-beautiful-reporter on my Jenkins install. This is an Angular app. However, when the page is rendered, it shows that the Angular bit isn't working. Looking at the console for the page shows the following:
Content Security Policy: The page’s settings blocked the loading of a
resource at
https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js
(“script-src http://dskvm4981-iis:8080 'unsafe-inline'
'unsafe-eval'”).
I already use a couple of setProperty calls to override the CSP for the machine. These are:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
System.setProperty("jenkins.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
Does anyone know how to change the above to work from either a local file or a remote file?
One workaround would be to avoid having the report download the Angular source at all, by either requesting this kind of change on the protractor-beautiful-reporter issue tracker or forking the package, copying the Angular source and changing the source of the script from:
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"></script>
to something like:
<script src="angular.min.js"></script>
with the minified Angular JS file downloaded next to the index.html itself.
This is no more than a workaround, of course.

update Jenkins security settings

I updated the Jenkins security settings to support the Allure report:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
It works fine. Now I need to add
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts;")
for the HTML report.
How can I combine both settings into one?
Thanks, Mor
Looks like this one
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'none'; img-src 'self'; style-src 'self'; child-src 'self'; frame-src 'self';")
does the trick.

deviceready only fires after 30 seconds in iOS 10

deviceready doesn't fire, or fires very late, in my Ionic app when I run it on my iOS device with
ionic run ios --device -lcs
I removed all the plugins with ionic plugin rm ..., deleted the content of the plugins/ directory and reinstalled them.
I also removed and reinstalled the ios platform with ionic platform rm/add ios.
I am stuck with this.
The iPhone (6+) is on iOS 10.
I am using ionic 1, and the last ionic CLI.
EDIT: I removed all plugins one by one, and it seems that the problem is due to cordova-plugin-network-information and cordova-plugin-device.
Process 663 detached
(lldb)
(node:26790) DeprecationWarning: Using Buffer without `new` will soon stop working. Use `new Buffer()`, or preferably `Buffer.from()`, `Buffer.allocUnsafe()` or `Buffer.alloc()` instead.
14 030280 warn Native: deviceready did not fire within 2000ms. This can happen when plugins are in an inconsistent state. Try removing plugins from plugins/ and reinstalling them.
15 030605 info [object Object]
16 033286 log deviceready has not fired after 5 seconds.
17 033290 log Channel not fired: onCordovaInfoReady
18 033293 log Channel not fired: onCordovaConnectionReady
19 363977 log DEVICE READY FIRED AFTER, 32259, ms
My run.js, AppCtrl.js and the controller of my main view are encapsulated in $ionicPlatform.ready(function () {...});
My content security policy is:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; connect-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ws: *;">
Thanks for your response, #baviskarmitesh. But I had to add gap: to the content security policy and now it seems to work.
I added data: gap: https://ssl.gstatic.com 'unsafe-eval' after default-src * in my content security policy in my index.html file, like this:
<meta http-equiv="Content-Security-Policy" content="
default-src * data: gap: https://ssl.gstatic.com 'unsafe-eval';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
connect-src 'self' 'unsafe-inline' 'unsafe-eval' blob: ws: *;
">
And now deviceready fires quickly with all my plugins.
This seems to be a common issue with Ionic framework and there could be multiple reasons for it. One reason could be some issue with the plugin you use or could also be due to some issue in the platform folder. There seems to be an open issue on this in Ionic CLI project.
The following could be possible fixes for this issue:
Removing the faulty plugins and re-adding them
Removing the platform folder and re-adding it
Probably avoiding the live reload option
If the problem is iOS specific, then you can try relaxing the content security policy
You can also have a look at this link
Hope this helps.

Error with cordova security content after build

I am working with a hybrid Cordova application on iOS. The latest version of Cordova adds this line to the head tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
and when I build for the simulator or device, it returns this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This error appears at the moment of interaction with the server, blocking the AJAX requests.
What am I doing wrong? Please help!
The error message is telling you that your current content security policy prohibits requests to the domain you're making the request to, as you haven't specified that it is allowed to do so. Include this in the CSP tag:
script-src https://yourajaxdomainhere
So it becomes
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *">
Also ensure the domain you're sending requests to is added as an allowed origin in your config.xml file.
<access origin="https://yourajaxdomainhere" />
More information on content security policy is here
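The threads above all come down to the same question: which CSP directive governs a given load, and what is in its source list. The checker below is an added example (not code from any of the posts) that reproduces the three cases on this page: the Rails preview stylesheet refused by a bare "style-src 'unsafe-inline'", the Swagger iframe blocked until http://swagger.io/ is added to frame-src, and the Cordova inline script refused because script-src was absent and default-src was used as the fallback. It is a toy that models host, scheme and keyword sources only; nonces, hashes and 'strict-dynamic' are out of scope, and the origin strings used in the test are constructed.

```javascript
// Added example, not from any post above: a toy CSP checker that reports which
// directive governs a load, including the script-src -> default-src fallback.
// Scope: host, scheme and keyword sources only (no nonces, hashes, strict-dynamic).
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src",
  "font-src", "media-src", "frame-src", "child-src",
]);

// Parse "name src src; name src" into Map(directive -> [source tokens]).
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Effective source list for a directive; falls back to default-src when allowed.
function effectiveSources(map, directive) {
  if (map.has(directive)) return { directive, sources: map.get(directive) };
  if (FALLS_BACK_TO_DEFAULT.has(directive) && map.has("default-src")) {
    return { directive: "default-src", sources: map.get("default-src") };
  }
  return null; // nothing governs this fetch, so it is allowed
}

// Does one source expression match a resource URL? `self` is the page origin.
function sourceMatches(src, resource, self) {
  if (src === "*") return true;
  if (src === "'self'") return resource.startsWith(self);
  if (src.endsWith("://*")) return resource.startsWith(src.slice(0, -1)); // "http://*"
  if (src.endsWith(":")) return resource.startsWith(src);                 // "data:", "gap:"
  return resource.startsWith(src.replace(/\/$/, ""));                     // host or URL
}

// resource is a URL, or the string "inline" for an inline <script>/<style>.
// Returns { allowed, by } where `by` names the directive that decided.
function checkLoad(policy, directive, resource, self) {
  const eff = effectiveSources(parsePolicy(policy), directive);
  if (!eff) return { allowed: true, by: null };
  const allowed = resource === "inline"
    ? eff.sources.includes("'unsafe-inline'")
    : eff.sources.some((s) => sourceMatches(s, resource, self));
  return { allowed, by: eff.directive };
}
```

Note that 'unsafe-inline' only ever permits inline content; it never lets an external stylesheet or script through, which is why the first thread's error persists until either 'self' is added to style-src or the CSS is inlined into the mail (what premailer-rails does).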
