Internal Server Error when reload in Ionic Angular Universal - ionic-framework

The first time it loads without an issue, but when I try to reload routes with query params like this, localhost:4000/u?u=6222d4fd021b3080bc4aa6d4, it shows me this message.
This is the error message shown in the Google console.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'".
Although I have Content-Security-Policy in my index.html.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: sha256-ACotEtBlkqjCUAsddlA/3p2h7Q0iHuDXxk577uNsXwA=; font-src 'self' data: https:; connect-src 'self' wss: https:" />
This is the page source of the above page

Related

Keycloak +Proxy(nginx) CSP-Header Problem ({{notification.header}} {{notification.message}})

I'm currently running into some issues with the deployment of Keycloak to a server.
The server is running behind an Nginx proxy. Keycloak itself is running inside a Docker container. Everything works fine until I try to add a CSP header. I can still open the default page at /auth, but when I try to enter the admin section I only get one text notification.
{{notification.header}} {{notification.message}}
Image of the notification
Setup
Ubuntu 20.04
Keycloak 13.0.1
Keycloak Settings
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; object-src 'none'";
The CSP that you are trying to set is too tight (default-src 'self' is the issue). Unfortunately, Keycloak needs (at least with version 13) some unsafe-* policies to work properly. I ran into the same issue.
It worked for my setup with
default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none';
but be aware that, thanks to the unsafe-* entries, it will not be very safe at all.
Update for Keycloak 15.0.2
For Keycloak 15.0.2, 'unsafe-eval' is no longer required! So the following CSP can be used:
default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'; object-src 'none';

After install of magento 2.3.5-p1 the admin page is just showing loading cursor

I'm unable to understand the error. Please help if anyone is facing the same issue and got rid of it.
The Content Security Policy 'font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net 'self' 'unsafe-inline'; frame-ancestors 'self' 'unsafe-inline'; frame-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com 'self' 'unsafe-inline'; img-src widgets.magentocommerce.com www.googleadservices.com www.google-analytics.com t.paypal.com www.paypal.com www.paypalobjects.com fpdbs.paypal.com fpdbs.sandbox.paypal.com *.vimeocdn.com s.ytimg.com 'self' 'unsafe-inline'; script-src assets.adobedtm.com geostag.cardinalcommerce.com 1eafstag.cardinalcommerce.com geoapi.cardinalcommerce.com 1eafapi.cardinalcommerce.com songbird.cardinalcommerce.com includestest.ccdc02.com www.googleadservices.com www.google-analytics.com secure.authorize.net test.authorize.net www.paypal.com www.sandbox.paypal.com www.paypalobjects.com t.paypal.com s.ytimg.com video.google.com vimeo.com www.vimeo.com js.authorize.net jstest.authorize.net cdn-scripts.signifyd.com www.youtube.com js.braintreegateway.com 'self' 'unsafe-inline' 'unsafe-eval'; style-src getfirebug.com 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; media-src 'self' 'unsafe-inline'; manifest-src 'self' 'unsafe-inline'; connect-src geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com 'self' 'unsafe-inline'; child-src 'self' 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self' 'unsafe-inline';' was delivered in report-only mode, but does not specify a 'report-uri'; 
the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
4(index):1 [Report Only] Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Work+Sans:400,700.less' because it violates the following Content Security Policy directive: "style-src getfirebug.com 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
(index):23 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/requirejs/require.js net::ERR_ABORTED 404 (Not Found)
(index):34 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/images/magento-icon.svg 404 (Not Found)
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
requirejs-config.js:18 Uncaught TypeError: require.config is not a function
at requirejs-config.js:18
at requirejs-config.js:19
at requirejs-config.js:643
(anonymous) # requirejs-config.js:18
(anonymous) # requirejs-config.js:19
(anonymous) # requirejs-config.js:643
60[Report Only] Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'self' 'unsafe-inline'".
This is because of the new module (Magento_Csp) added in Magento 2.3.5.
As of version 2.3.5, Magento supports CSP headers and provides ways to configure them. (This functionality is defined in the Magento_Csp module.) Magento also provides default configurations at the application level and for individual core modules that require extra configuration. Policies can be configured for adminhtml and storefront areas separately to accommodate different use cases. Magento also permits configuring unique CSPs for specific pages.
CSP can work in two modes:
report-only - In this mode, Magento reports policy violations but does not interfere. This mode is useful for debugging. By default, CSP violations are written to the browser console, but they can be configured to be reported to an endpoint as an HTTP request to collect logs. There are a number of services that will collect, store, and sort your store's CSP violation reports for you.
restrict mode - In this mode, Magento acts on any policy violations and thus blocks any URLs other than those added to the whitelist. This reduces cross-site scripting, credit card skimmers, etc.
See more details here
https://devdocs.magento.com/guides/v2.3/extension-dev-guide/security/content-security-policies.html
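As an added example, not code from this answer or from Magento: a small Node.js collector for the report endpoint that a report-only policy needs, so that violations which a policy like the one above would otherwise only write to the browser console are recorded server-side and summarised. It accepts both the legacy report-uri body (Content-Type application/csp-report) and the Reporting API batch format (application/reports+json). The sample reports, the /csp-report path and the fonts.gstatic.com font URL are constructed for the demonstration; the fonts.googleapis.com stylesheet violation mirrors the console line quoted in the question.

```javascript
// Added example, not Magento's own code: a report-uri / report-to collector
// for CSP violation reports, plus a summariser for triage.

// Normalise the two wire formats into one shape.
//  - legacy report-uri: Content-Type application/csp-report, body {"csp-report": {...}}
//  - Reporting API report-to: Content-Type application/reports+json, body [ {type, body}, ... ]
function parseCspReports(contentType, rawBody) {
  const data = JSON.parse(rawBody);
  const reports = [];
  if (contentType.startsWith('application/csp-report') && data['csp-report']) {
    const r = data['csp-report'];
    reports.push({
      documentUrl: r['document-uri'] || '',
      directive: r['effective-directive'] || r['violated-directive'] || '',
      blockedUrl: r['blocked-uri'] || '',
      disposition: r['disposition'] || 'enforce',
    });
  } else if (contentType.startsWith('application/reports+json') && Array.isArray(data)) {
    for (const item of data) {
      if (item.type !== 'csp-violation' || !item.body) continue; // other report types are not ours
      reports.push({
        documentUrl: item.body.documentURL || '',
        directive: item.body.effectiveDirective || '',
        blockedUrl: item.body.blockedURL || '',
        disposition: item.body.disposition || 'enforce',
      });
    }
  } else {
    throw new Error(`unsupported CSP report content type: ${contentType}`);
  }
  return reports;
}

// Collapse a flood of identical violations into counts per (directive, blocked source),
// most frequent first; this is the list you review before tightening or enforcing the policy.
function summarise(reports) {
  const counts = new Map();
  for (const r of reports) {
    const key = `${r.directive} ${r.blockedUrl}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1])
    .map(([key, count]) => ({ key, count }));
}

// HTTP endpoint: accepts POSTed reports and hands each normalised report to onReport.
// Assumed policy fragment pointing at it: report-uri /csp-report
function startCollector(port, onReport) {
  const http = require('node:http');
  const server = http.createServer((req, res) => {
    if (req.method !== 'POST') { res.writeHead(405); res.end(); return; }
    let body = '';
    req.setEncoding('utf8');
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > 64 * 1024) req.destroy(); // reports are small; refuse oversized bodies
    });
    req.on('end', () => {
      try {
        for (const r of parseCspReports(req.headers['content-type'] || '', body)) onReport(r);
        res.writeHead(204); res.end();
      } catch (err) {
        res.writeHead(400); res.end(String(err.message));
      }
    });
  });
  server.listen(port);
  return server;
}

// Constructed sample reports, shaped like what a browser sends for a report-only
// admin policy such as the Magento one quoted above (URLs are made up for the demo).
const LEGACY_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'http://localhost/demo/admin', 'violated-directive': 'style-src',
  'effective-directive': 'style-src-elem', 'blocked-uri': 'https://fonts.googleapis.com',
  'disposition': 'report',
  'original-policy': "style-src getfirebug.com 'self' 'unsafe-inline'; report-uri /csp-report",
} });
const REPORT_TO_BATCH = JSON.stringify([{
  type: 'csp-violation', age: 10, url: 'http://localhost/demo/admin',
  body: { documentURL: 'http://localhost/demo/admin', effectiveDirective: 'font-src',
          blockedURL: 'https://fonts.gstatic.com/s/worksans.woff2', disposition: 'report' },
}]);

// Feed the samples through the parser (the legacy one twice) to show duplicates collapsing.
function demo() {
  const reports = [
    ...parseCspReports('application/csp-report', LEGACY_REPORT),
    ...parseCspReports('application/csp-report', LEGACY_REPORT),
    ...parseCspReports('application/reports+json', REPORT_TO_BATCH),
  ];
  return summarise(reports);
}

console.log(demo());
```

Running the file with node prints the summary of the embedded samples; `startCollector(8080, console.log)` starts the endpoint for real reports. Counting by directive plus blocked source is what turns a report-only rollout into an allowlist you can review before switching the policy to enforcement.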
CSP is not the reason for the problem. By default, CSP works in report-only mode. The main reason for the endless loading is:
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
(index):23 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/requirejs/require.js net::ERR_ABORTED 404 (Not Found)
(index):34 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/images/magento-icon.svg 404 (Not Found)
(index):24 GET http://localhost/demo/pub/static/version1588683649/adminhtml/Magento/backend/en_US/mage/requirejs/mixins.js net::ERR_ABORTED 404 (Not Found)
Perhaps you didn't clean the cache. Try to switch to developer mode and clean the cache:
$ ./bin/magento deploy:mode:set developer
$ ./bin/magento cache:clean
$ redis-cli FLUSHALL # if you have redis
The problem comes from the new Magento_Csp module; one solution that I found is to deactivate this module and move forward in your project.
bin/magento module:disable Magento_Csp

Facebook Instant Game fails to load scripts from cloudflare.com due to Content Security Policy

In my Facebook Instant Game I try to statically load scripts from cloudflare.com such as:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
But I'm getting this Chrome browser error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there a way I can load scripts from cloudflare?
Content Security Policy is one of the ways to mitigate XSS (cross-site scripting) attacks on your site/app.
To allow your site/app to load scripts from cdnjs.cloudflare.com, you'll need to add/append the domain in the script-src directive of your Content-Security-Policy HTTP response header.
A few example implementations:
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
Then make sure to run checkconfig before reloading or restarting the httpd/nginx service.
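As an added example that is not part of any post in this thread: a small JavaScript checker that applies a policy string the way a browser does, including the fallback chain the console messages on this page keep pointing at (script-src-elem falls back to script-src and then to default-src; style-src-elem to style-src). It reproduces the Facebook Instant Game error above (cdnjs.cloudflare.com is not in script-src), shows the same policy accepting the script once the host is appended as the answer describes, and checks the Keycloak thread's default-src 'self' policy against an inline script. The page origin https://example.test is an assumed value, the Facebook policy is shortened to a few of its sources, and port, path and scheme-less matching are simplified relative to the CSP3 specification.

```javascript
// Added example, not code from any post in this thread: a checker that applies
// a CSP string the way a browser does, including directive fallback.

// Fallback chain per directive: the first one present in the policy is consulted.
// If none is present, the request is allowed (CSP only restricts what it names).
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src':      ['script-src', 'default-src'],
  'style-src-elem':  ['style-src-elem', 'style-src', 'default-src'],
  'style-src':       ['style-src', 'default-src'],
  'font-src':        ['font-src', 'default-src'],
  'img-src':         ['img-src', 'default-src'],
  'connect-src':     ['connect-src', 'default-src'],
  'frame-src':       ['frame-src', 'child-src', 'default-src'],
};

// "dir1 v1 v2; dir2 v3" -> { dir1: ['v1', 'v2'], dir2: ['v3'] }; a repeated directive is ignored.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function effectiveDirective(directives, directive) {
  for (const name of FALLBACK[directive] || [directive, 'default-src']) {
    if (name in directives) return name;
  }
  return null;
}

// host-source: [scheme://]host[:port][/path], where host may be * or *.example.com
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\s\/:*]+)(?::(\d+|\*))?(\/\S*)?$/i;

function hostSourceMatches(expr, url) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false; // malformed expression never matches anything
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false; // simplification: a scheme-less host source matches http(s) only
  }
  const h = host.toLowerCase();
  const urlHost = url.hostname.toLowerCase();
  if (h.startsWith('*.')) {
    if (!urlHost.endsWith(h.slice(1))) return false; // '*.facebook.com' matches subdomains, not the apex
  } else if (h !== '*' && urlHost !== h) {
    return false;
  }
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  if (path && !url.pathname.startsWith(path)) return false; // simplification: prefix match
  return true;
}

function sourceMatchesUrl(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // e.g. https:, data:
  return hostSourceMatches(expr, url);
}

// Decide whether a request is allowed. `resource` is a URL string, or 'inline'
// for an inline <script>/<style> block. Also returns the directive that decided it.
function cspAllows(policy, directive, resource, pageOrigin) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, directive);
  if (name === null) return { allowed: true, directive: null };
  const sources = directives[name];
  if (resource === 'inline') {
    // Browsers ignore 'unsafe-inline' when the same directive also carries a nonce or hash.
    const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    return { allowed: sources.includes("'unsafe-inline'") && !hasNonceOrHash, directive: name };
  }
  const url = new URL(resource);
  return { allowed: sources.some((s) => sourceMatchesUrl(s, url, pageOrigin)), directive: name };
}

// Policies taken from the messages quoted on this page (the Facebook one shortened);
// the page origin is an assumed value.
const PAGE = 'https://example.test';
const FB_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net *.cloudfront.net *.amazonaws.com";
const CDNJS = 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js';
const KEYCLOAK_TIGHT = "default-src 'self'; frame-ancestors 'self'; object-src 'none'";
const KEYCLOAK_WORKING = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'none'";

function demo() {
  return {
    cdnjsBefore: cspAllows(FB_POLICY, 'script-src-elem', CDNJS, PAGE),
    cdnjsAfter: cspAllows(FB_POLICY + ' cdnjs.cloudflare.com', 'script-src-elem', CDNJS, PAGE),
    keycloakTight: cspAllows(KEYCLOAK_TIGHT, 'script-src-elem', 'inline', PAGE),
    keycloakWorking: cspAllows(KEYCLOAK_WORKING, 'script-src-elem', 'inline', PAGE),
  };
}

console.log(demo());
```

The returned directive name is the one to read in a console message: when it says default-src, the fix belongs in the more specific directive (script-src, style-src), not in a blanket relaxation of default-src.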

My ionic app is not working on ios 10?

I have added the below meta tag in index.html, but still my app is not working on iOS 10. When I build on a native device it is showing only the splash screen.
<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *">
Try to add the Content Security Policy as follows:
<meta http-equiv="Content-Security-Policy" content="img-src * android-webview-video-poster: 'self' data:; default-src * 'self' gap: wss: ws: ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';">
Does this resolve your issue?

Still getting Content Security Policy(CSP) Errors after putting csp in my manifest.json..?

I'm trying to create a Chrome app which requests access to Firebase. I have set my CSP in manifest.json and I'm still getting CSP errors:
"Content_security_policy": "script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.*.googleapis.com; style-src 'self' https://www.googleapis.com/ https://fonts.googleapis.com/; default-src 'self' https://*.firebaseio.com",
This is the error I keep getting:
firebase.js:375 Refused to load the script
'https://myapp.firebaseio.com/.lp?start=t&ser=30696138&cb=1&v=5'
because it violates the following Content Security Policy directive:
"default-src 'self' blob: filesystem: chrome-extension-resource:".
Note that 'script-src' was not explicitly set, so 'default-src' is
used as a fallback.