How to relax Jenkins security rules for Allure? - jenkins

I tried to add this in Jenkins Script Console, but it didn't help:
"-Dhudson.model.DirectoryBrowserSupport.CSP=default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
How to do this? Or what is wrong?

You posted the start parameter for java. If you would like to test it inside the console try this:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';")
If you want to change the property for every start, you can add:
-Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
to your start parameter, so that it might look like:
java -Dhudson.model.DirectoryBrowserSupport.CSP="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" -jar jenkins.war
If you need further information, you can take a look at JENKINS Configuring Content Security Policy

The following lines worked for me:
System.clearProperty("hudson.model.DirectoryBrowserSupport.CSP")
System.clearProperty("jenkins.model.DirectoryBrowserSupport.CSP")
System.setProperty("jenkins.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:")
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-same-origin allow-scripts; default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:")

Related

Migration spring-boot from 2.1.8.RELEASE to 2.7.7- keeping spring-fox dependencies

I migrated a jhipster application generated with jhipster version 6.3.0.
Everything is right except swagger. I don't want for now to migrate to springdoc. I just kept springfox.
I get this exception when I go to /admin/docs:
Refused to frame 'http://swagger.io/' because it violates the following Content Security Policy directive: "frame-src 'self' data:".
Should I change the CSP or something else?
Right now I have this line in SecurityConfiguration
.contentSecurityPolicy("default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' www.googletagmanager.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com data:")
Yes. It should work when adding http://swagger.io/ to frame-src in the CSP configuration. E.g.
...; frame-src 'self' http://swagger.io/ data:; ...
I solved the problem of CSP by using:
.and().frameOptions().sameOrigin().
But in the end I had no choice. I was obliged to migrate to springdoc instead.

net::ERR_CERT_AUTHORITY_INVALID Content Security Policy

I'm getting this error message: Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "img-src <URL> <URL> .
This is the Content Security Policy defined in "plugins": of package.json :
"devContentSecurityPolicy": "default-src 'unsafe-eval' 'self'; script-src-elem 'self' 'unsafe-inline'; img-src https://grasp.deals https://www.grasp.deals; style-src 'self' 'unsafe-inline'; font-src 'self' https://static2.sharepointonline.com; connect-src 'self' https: http:",
And the domain grasp.deals seems to be working fine.
So... what's wrong with my Content Security Policy configuration? What should I modify in order to get the Leaflet page rendered in the Electron page?
export default function App() {
  return (
    <div className="App">
      <MapContainer center={center} zoom={13} style={{ height: "200px" }}>
        <LayersControl position="topleft">
          <LayersControl.BaseLayer checked name="Basic Map">
            <TileLayer
              attribution='© OpenStreetMap contributors'
              url="https://grasp.deals/hot/{z}/{x]/{y}.png"
            />
          </LayersControl.BaseLayer>
          <LayersControl.BaseLayer name="Topo Map">
            <TileLayer
              attribution='Map data: © OpenStreetMap contributors, SRTM | Map style: © OpenTopoMap (<a href="https://creativecommons.org/licenses/by-sa/3.0/">>
              url="https://grasp.deals/hot/{z}/{x}/{y}.png"
            />
          </LayersControl.BaseLayer>
        </LayersControl>
      </MapContainer>
    </div>
  );
}
With img-src 'self' data: https:; in the Content Security Policy configuration:
"devContentSecurityPolicy": "default-src 'unsafe-eval' 'self'; script-src-elem 'self' 'unsafe-inline'; worker-src 'unsafe-eval'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' https://static2.sharepointonline.com; connect-src 'self' https: http:",
This time I get a different error message: GET https://grasp.deals/hot/13/%7Bx]/3089.png net::ERR_CERT_AUTHORITY_INVALID

ionic 1 app white screen in IOS 10.2, but everything is OK in other versions of IOS

<meta http-equiv="Content-Security-Policy"
content="default-src
gap://ready file://* *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *;
style-src 'self' 'unsafe-inline' *"
>
Someone fixed this issue by changing the 'gap' value of the meta tag, but this has no effect in my case.
Try this
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' gap: ; img-src * 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">

Cordova device ready doesn't work on xcode simulator but work on device

I don't know why, but the deviceready event doesn't work anymore on the Xcode simulator, although it works on my iPhone device.
Here my function:
document.addEventListener('deviceready', onDeviceReady, false);
function onDeviceReady() {}
and the meta tags I have tried without success:
<meta http-equiv="Content-Security-Policy" content="default-src * gap: ws: https://ssl.gstatic.com;img-src 'self' data: content:;style-src 'self' 'unsafe-inline' data: blob:;script-src * 'unsafe-inline' 'unsafe-eval' data: blob:;">
<meta http-equiv="Content-Security-Policy" content="default-src * gap://ready file:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src * 'unsafe-inline' 'unsafe-eval'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
<meta http-equiv="Content-Security-Policy" content="default-src * gap://ready file:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src * 'unsafe-inline' 'unsafe-eval'">
It also works with the PhoneGap application on the device.
If anyone has an idea, or if you need more explanation, tell me.
Excuse me for my English.
Have you tried removing all of your meta tags to exclude any other reasons?
Your onDeviceReady doesn't seem to return anything. How do you know it is not fired?
Something like this could help tracking.
function onDeviceReady() {
console.log('deviceready fired');
}
OK, I was using Mac OS X on VMware and it was very slow. I tried with another, more powerful PC and it works... It's just good to know about that simulator bug if it's too slow to load.

Error with cordova security content after build

I am working with a hybrid Cordova application on iOS. The latest version of Cordova adds this line to the head tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
and when I build for the simulator or a device, it returns this error:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This error appears at the moment of interaction with the server, blocking the AJAX requests.
What am I doing wrong? please help!!!
The error message is telling you that your current content security policy prohibits requests to the domain you're making the request to, as you haven't specified that it is allowed to do so. Include this in the CSP tag:-
script-src https://yourajaxdomainhere
So it becomes
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *">
Also ensure the domain you're sending requests to is added as an allowed origin in your config.xml file.
<access origin="https://yourajaxdomainhere" />
More information on content security policy is here
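The error quoted in this thread notes that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. The following added example (not code from the thread or from Cordova) is a simplified evaluator that resolves that fallback and checks inline scripts and request URLs against the two policies quoted above; the `https://localhost` app origin and the `/api` path are assumptions.

```javascript
// Added example: simplified CSP check (no nonces/hashes, paths, ports, subdomain wildcards).
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"], "connect-src": ["default-src"],
  "img-src": ["default-src"], "frame-src": ["child-src", "default-src"],
};

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/); // first occurrence of a directive wins
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Directive that actually governs the request (after fallback), or null if none applies.
function effective(policy, directive) {
  const directives = parseCsp(policy);
  const name = [directive, ...(FALLBACK[directive] || [])].find((d) => directives.has(d));
  return name ? { directive: name, sources: directives.get(name) } : null;
}

function allowsInlineScript(policy) {
  const eff = effective(policy, "script-src-elem");
  return eff === null || eff.sources.includes("'unsafe-inline'");
}

function allowsUrl(policy, directive, url, selfOrigin) {
  const eff = effective(policy, directive);
  if (eff === null) return true;
  const target = new URL(url);
  return eff.sources.some((src) => {
    if (src === "*") return /^(https?|wss?):$/.test(target.protocol);
    if (src === "'self'") return target.origin === selfOrigin;
    if (src.startsWith("'")) return false; // other keywords, e.g. 'unsafe-eval'
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === target.protocol;
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i); // [scheme://]host
    return Boolean(m) && (!m[1] || m[1].toLowerCase() + ":" === target.protocol) && m[2].toLowerCase() === target.hostname;
  });
}

// Policies quoted in the thread above; the request URL and app origin are placeholders.
const CORDOVA_DEFAULT = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *";
const WITH_SCRIPT_SRC = "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src https://yourajaxdomainhere; media-src *";
const report = (policy) => ({
  inlineScript: allowsInlineScript(policy),
  ajax: allowsUrl(policy, "connect-src", "https://yourajaxdomainhere/api", "https://localhost"),
});
console.log(report(CORDOVA_DEFAULT), report(WITH_SCRIPT_SRC));
```

Browsers check XHR and fetch requests against connect-src, and inline scripts need 'unsafe-inline' (or a nonce or hash) in the governing script directive, so both results are false for both policies.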
