H2O Flow Content Security Policy - coffeescript

I am implementing a feature using H2O Flow open source code. I am running into errors when calling an internal API:
Refused to connect to "https://...." because it violates the following Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Related

Why are the subroutes from my connect-src CSP rule still being blocked?

I have the following CSP rule on my server:
connect-src 'self' https://exampleurl.test.pro/
But when a subroute of this url is being called it gets blocked by the CSP rule.
https://exampleurl.test.pro/ppms.php?action_name=example&rec=1&r=018609&h=9&m=21&s=34&url=https%3A%2F%2Fexample.azurewebsites.net%2F&urlref=https%3A%2F%2Flogin.example.com%2F&_id=45a27339c6f79315&_idts=1652252243&_idvc=1&_idn=0&_viewts=1652252243&send_image=1&ts_n=jstc_tm&ts_v=2.6.10&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=2560x1440&gt_ms=747&pv_id=U3B9Xe
I get the following error:
ppms.js:12 Refused to connect to
'https://exampleurl.test.pro/ppms.php?action_name=example&rec=1&r=018609&h=9&m=21&s=34&url=https%3A%2F%2Fexample.azurewebsites.net%2F&urlref=https%3A%2F%2Flogin.example.com%2F&_id=45a27339c6f79315&_idts=1652252243&_idvc=1&_idn=0&_viewts=1652252243&send_image=1&ts_n=jstc_tm&ts_v=2.6.10&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=0&java=0&gears=0&ag=0&cookie=1&res=2560x1440&gt_ms=747&pv_id=U3B9Xe'
because it violates the following Content Security Policy directive:
"connect-src 'self' https://exampleurl.test.pro/".

Facebook Instant Game fails to load scripts from cloudflare.com due to Content Security Policy

In my Facebook Instant Game I try to statically load scripts from cloudflare.com such as:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
But getting Chrome browser error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there a way I can load scripts from cloudflare?
Content Security Policy is one of the ways to mitigate XSS (cross-site scripting) attack on your site/app.
To allow your site/app to load scripts from cdnjs.cloudflare.com, you'll need to add/append the domain in the script-src directive of your Content-Security-Policy HTTP response header.
A few example implementations:
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
Then make sure to run checkconfig before reload or restart the httpd/nginx service.

Fiori Launchpad error "Refused to execute inline script ..."

I created a new "SAP Fiori Launchpad Site Module" inside of a "Multi Target Application" project from the WebIde on "SAP HANA© XS Advanced Runtime on premise" (docker image store/saplabs/hanaexpressxsa:2.00.036.00.20190223.1), but I get this error after I deploy the application:
Refused to execute inline script because it violates the following Content Security Policy directive
Steps to reproduce the issue:
Create a new "Multi-Target Application Project" in the WebIde
Add a new "SAP Fiori Launchpad Site Module" to the application
Build the application
Deploy the application on SAP HanaXSA instance
Try to access the Fiori Launchpad
You should see the error in the browser console
I tried to use Chrome (Version 75.0.3770.142) and Firefox(68.0.1 (64-bit)) to access the site, but I get the same error.
I expected the Demo Fiori Site to be displayed, but instead an empty page is displayed and in the browser console the following errors are displayed:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-NgEjsBnwasEV3qUuFB3e//lUSMnxA7QXX71JM5aiVDU='), or a nonce ('nonce-...') is required to enable inline execution.
sites:11 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-4HLEOQTTt5/QjdzyAx+0u3MGo5aetBm29vv3z8YAFuE='), or a nonce ('nonce-...') is required to enable inline execution.
sites:108 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-weH3XITqj/IJEeUfXbDsdCe+LEtDyDiafcdwfH3Aumw='), or a nonce ('nonce-...') is required to enable inline execution.

Still getting Content Security Policy (CSP) errors after putting CSP in my manifest.json?

I'm trying to create a chrome app which requests access to firebase. I have set my CSP in manifest.json and I'm still getting CSP errors:
"Content_security_policy": "script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.*.googleapis.com; style-src 'self' https://www.googleapis.com/ https://fonts.googleapis.com/; default-src 'self' https://*.firebaseio.com",
This is the error I keep getting:
firebase.js:375 Refused to load the script
'https://myapp.firebaseio.com/.lp?start=t&ser=30696138&cb=1&v=5'
because it violates the following Content Security Policy directive:
"default-src 'self' blob: filesystem: chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.

Chrome app content security policy

Errors:
Refused to load the script 'https://ssl.google-analytics.com/ga.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
background.html:9 Refused to frame 'https://www.youtube.com/embed/' because it violates the following Content Security Policy directive: "frame-src 'self' data: chrome-extension-resource:".
Solve:
To resolve this issue, I tried adding
"content_security_policy": "script-src 'self' 'unsafe-eval' https://www.youtube.com/ https://ssl.google-analytics.com/; object-src 'self'"
But then I get the warning:
'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.
What should I do?
You can't load a script directly from the web. All scripts must be inside the Chrome App's folder. This may require you to download the script and place it into a folder that itself is inside the Chrome App folder.
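Every error quoted in these threads comes down to the same two rules: a fetch directive that is not set falls back to default-src (frame-src via child-src first), and a URL is allowed only if it matches one of the directive's source expressions. The following small evaluator, added here as an illustration and not code from H2O Flow, Chrome or any of the posts above, applies those rules to a header value and a URL; the page origins and URLs used in its docstrings and tests are constructed. It handles host sources (scheme, `*.` wildcards, ports, path prefixes), scheme sources such as `blob:`, and `'self'`; it only judges URL fetches, so the inline-script hashes from the Fiori thread are out of scope.

```python
from urllib.parse import urlparse

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_policy(header):
    """Content-Security-Policy header value -> {directive: [source expressions]}."""
    parts = [p.split() for p in header.split(";") if p.strip()]
    return {t[0].lower(): t[1:] for t in parts}

def effective_sources(policy, directive):
    """Resolve a fetch directive, falling back (frame-src -> child-src -> default-src)."""
    chain = [directive] + (["child-src"] if directive == "frame-src" else []) + ["default-src"]
    return next(((n, policy[n]) for n in chain if n in policy), (None, []))  # None: unrestricted

def _origin(p):
    return p.scheme, p.hostname, p.port or DEFAULT_PORT.get(p.scheme)

def _host_match(src, u, page):
    """Match one host-source (e.g. https://*.firebaseio.com:443/path) against parsed URL u."""
    scheme, rest = src.split("://", 1) if "://" in src else ("", src)
    slash = rest.find("/")
    hostport, path = (rest, "") if slash < 0 else (rest[:slash], rest[slash:])
    host, _, port = hostport.partition(":")
    scheme, host, uhost = scheme.lower(), host.lower(), u.hostname or ""
    # No scheme in the source: the page's scheme applies (an http page may still fetch https)
    schemes = {scheme} if scheme else {page.scheme, ("https" if page.scheme == "http" else page.scheme)}
    if u.scheme not in schemes:
        return False
    wild = host.startswith("*")   # "*" alone matches any host, "*.x" any subdomain of x
    if (wild and not uhost.endswith(host[1:])) or (not wild and host != uhost):
        return False
    if port != "*" and (int(port) if port else DEFAULT_PORT.get(u.scheme)) != _origin(u)[2]:
        return False              # no port in the source means the scheme's default port
    if path:                      # a path ending in "/" is a prefix match, otherwise exact
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True

def _source_match(src, u, page):
    if src.startswith("'"):                      # 'self', 'unsafe-inline', nonces, hashes
        return src == "'self'" and _origin(u) == _origin(page)
    if src.endswith(":") and "://" not in src:   # scheme-source such as blob: or data:
        return src[:-1].lower() == u.scheme
    return _host_match(src, u, page)

def is_allowed(header, directive, url, page_origin):
    """Return (allowed, directive_used); directive_used is None when nothing restricts it."""
    name, sources = effective_sources(parse_policy(header), directive)
    u, page = urlparse(url), urlparse(page_origin)
    return name is None or any(_source_match(s, u, page) for s in sources), name
```

For the first question's policy, `is_allowed("default-src 'self' 'unsafe-eval' 'unsafe-inline'", "connect-src", "https://api.internal.example/v1", "https://flow.example")` returns `(False, "default-src")`, naming the directive the browser actually applied. Note that a trailing-slash source such as `https://exampleurl.test.pro/` is a prefix match under the specification, so the evaluator allows `/ppms.php` under it.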