I am working with a hybrid Cordova application on iOS. The latest version of Cordova is adding this line to the head tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
and when I build in the simulator or on a device it returns this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This error appears at the moment of interaction with the server, blocking the AJAX requests.
What am I doing wrong? Please help!
The error message is telling you that your current content security policy prohibits requests to the domain you're making the request to, as you haven't specified that it is allowed to do so. Include this in the CSP tag:
script-src https://yourajaxdomainhere
So it becomes
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *">
Also ensure the domain you're sending requests to is added as an allowed origin in your config.xml file.
<access origin="https://yourajaxdomainhere" />
More information on content security policy is here.
I migrated a jhipster application generated with jhipster version 6.3.0.
Everything is right except Swagger. I don't want to migrate to springdoc for now; I just kept springfox.
I get this exception when I go to /admin/docs:
Refused to frame 'http://swagger.io/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".
Should I change the CSP or something else?
Right now I have this line in SecurityConfiguration:
.contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' www.googletagmanager.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com data:")
Yes. It should work when adding http://swagger.io/ to frame-src in the CSP configuration. E.g.
...; frame-src 'self' http://swagger.io/ data:; ...
I solved the problem of CSP by using:
.and().frameOptions().sameOrigin().
But in the end I had no choice. I was obliged to migrate to springdoc instead.
I'm getting this error message: Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src <URL> <URL>".
This is the Content Security Policy defined under "plugins" in package.json:
"devContentSecurityPolicy": "default-src 'unsafe-eval' 'self'; script-src-elem 'self' 'unsafe-inline'; img-src https://grasp.deals https://www.grasp.deals; style-src 'self' 'unsafe-inline'; font-src 'self' https://static2.sharepointonline.com; connect-src 'self' https: http:",
And the domain grasp.deals seems to be working fine.
So... what's wrong with my Content Security Policy configuration? What should I modify in order to make the Leaflet page render in the Electron page?
export default function App() {
return (
<div className="App">
<MapContainer center={center} zoom={13} style={{ height: "200px" }}>
<LayersControl position="topleft">
<LayersControl.BaseLayer checked name="Basic Map">
<TileLayer
attribution='© OpenStreetMap contributors'
url="https://grasp.deals/hot/{z}/{x]/{y}.png"
/>
</LayersControl.BaseLayer>
<LayersControl.BaseLayer name="Topo Map">
<TileLayer
attribution='Map data: © OpenStreetMap contributors, SRTM | Map style: © OpenTopoMap (<a href="https://creativecommons.org/licenses/by-sa/3.0/">>
url="https://grasp.deals/hot/{z}/{x}/{y}.png"
/>
</LayersControl.BaseLayer>
</LayersControl>
</MapContainer>
</div>
);
}
With img-src 'self' data: https:; in the Content Security Policy configuration:
"devContentSecurityPolicy": "default-src 'unsafe-eval' 'self'; script-src-elem 'self' 'unsafe-inline'; worker-src 'unsafe-eval'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' https://static2.sharepointonline.com; connect-src 'self' https: http:",
I get this time a different error message: GET https://grasp.deals/hot/13/%7Bx]/3089.png net::ERR_CERT_AUTHORITY_INVALID
Question: so I am trying to use the protractor-beautiful-reporter on my Jenkins install. This is an Angular app. However, when the page is rendered, it shows that the Angular bit isn't working. Looking at the console for the page shows the following:
Content Security Policy: The page’s settings blocked the loading of a resource at https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js (“script-src http://dskvm4981-iis:8080 'unsafe-inline' 'unsafe-eval'”).
I already use a couple of setProperty calls to override CSP for the machine. These are:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
System.setProperty("jenkins.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
Does anyone know how to change the above to work from either a local file or a remote file?
One workaround would be to avoid having the report download the Angular source at all, by either requesting this kind of change on the protractor-beautiful-reporter issue tracker or forking the package, copying the Angular source and changing the source of the script from:
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js"></script>
to something like:
<script src="angular.min.js"></script>
having the minified Angular JS file downloaded next to the index.html itself.
This is no more than a workaround, of course.
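The three errors quoted on this page (the Cordova inline-script refusal, the swagger.io frame refusal and the Jenkins report's blocked angular.min.js) all come down to the same two CSP rules, which this added example (my own code, not from any post above) models in JavaScript: an absent fetch directive falls back to default-src, and each source expression matches a URL by scheme, host, port and path. The page URL https://app.example/ used as the default 'self' is constructed.

```javascript
// Added example, not code from any post on this page: a simplified CSP source-list
// matcher modelling the two rules behind the errors quoted here: an absent fetch
// directive falls back to default-src, and an inline script needs 'unsafe-inline'
// in the effective script-src. Approximation: no nonces, hashes, 'strict-dynamic'.
const FETCH_DIRECTIVES = new Set(["script-src", "style-src", "img-src", "frame-src",
  "connect-src", "font-src", "media-src", "worker-src"]);
// "dir a b; dir2 c" -> Map(dir -> [sources]); a repeated directive is ignored (first wins).
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}
// Source list governing `directive`, or null when the policy does not restrict it.
function effectiveSources(policy, directive) {
  const map = parsePolicy(policy);
  if (map.has(directive)) return map.get(directive);
  return FETCH_DIRECTIVES.has(directive) && map.has("default-src") ? map.get("default-src") : null;
}
// Does one source expression ('self', a scheme such as data:, a host such as
// https://host:8080/path, or *) match `url`? `self` is the page's own URL.
function sourceMatches(src, url, self) {
  const u = new URL(url);
  if (src === "*") return !/^(data|blob|filesystem):$/.test(u.protocol);
  if (src === "'self'") return u.origin === new URL(self).origin;
  if (src.startsWith("'")) return false; // 'unsafe-inline' etc. match no URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = u.hostname.toLowerCase(), p = host.toLowerCase();
  if (wild ? !h.endsWith("." + p) : h !== p) return false;
  if (port ? port !== "*" && u.port !== port : u.port !== "") return false;
  if (path && !(path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path)) return false;
  return true;
}
// Would the browser load `url` under `directive`? `self` defaults to a constructed page URL.
function isAllowed(policy, directive, url, self = "https://app.example/") {
  const sources = effectiveSources(policy, directive);
  return sources === null || sources.some((s) => sourceMatches(s, url, self));
}
// Would an inline <script> run? Only 'unsafe-inline' in the effective script-src permits it here.
function inlineScriptAllowed(policy) {
  const sources = effectiveSources(policy, "script-src");
  return sources === null || sources.includes("'unsafe-inline'");
}
```

Running inlineScriptAllowed on the Cordova policy stays false even after a host source is added to script-src: a host source permits loading scripts from that host, while inline script needs 'unsafe-inline' (or, in real browsers, a nonce or hash) in the effective script-src.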
I updated the Jenkins security settings to support the Allure report:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
It works fine; now I need to add
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts;")
for the HTML report.
How can I combine both settings into one?
Thanks, Mor
Looks like this one
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'none'; img-src 'self'; style-src 'self'; child-src 'self'; frame-src 'self';")
does the trick.
I don't know why, but the deviceready event doesn't work anymore on the Xcode simulator, although it works on my iPhone device.
Here is my function:
document.addEventListener('deviceready', onDeviceReady, false);
function onDeviceReady() {}
and the meta tags I have tried without success:
<meta http-equiv="Content-Security-Policy" content="default-src * gap: ws: https://ssl.gstatic.com;img-src 'self' data: content:;style-src 'self' 'unsafe-inline' data: blob:;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;">
<meta http-equiv="Content-Security-Policy" content="default-src * gap://ready file:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src * 'unsafe-inline' 'unsafe-eval'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
It also works with the PhoneGap application on the device.
If anyone has an idea, or if you need more explanation, tell me.
Excuse me for my English.
Have you tried removing all of your meta tags to exclude any other reasons?
Your onDeviceReady doesn't seem to return anything. How do you know it is not fired?
Something like this could help tracking:
function onDeviceReady() {
console.log('deviceready fired');
}
OK, I was using Mac OS X on VMware and it was very slow. I tried with another, more powerful PC and it works... Just good to know that the simulator bugs if it's too slow to load.