I created a new "SAP Fiori Launchpad Site Module" inside a "Multi Target Application" project from the WebIde on "SAP HANA© XS Advanced Runtime on premise" (docker image store/saplabs/hanaexpressxsa:2.00.036.00.20190223.1), but I get this error after I deploy the application:
Refused to execute inline script because it violates the following Content Security Policy directive
Steps to reproduce the issue:
Create a new "Multi-Target Application Project" in the WebIde
Add a new "SAP Fiori Launchpad Site Module" to the application
Build the application
Deploy the application on SAP HanaXSA instance
Try to access the Fiori Launchpad
You should see the error in the browser console
I tried to use Chrome (Version 75.0.3770.142) and Firefox (68.0.1, 64-bit) to access the site, but I get the same error.
I expected the Demo Fiori Site to be displayed, but instead an empty page is displayed and in the browser console the following errors are displayed:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-NgEjsBnwasEV3qUuFB3e//lUSMnxA7QXX71JM5aiVDU='), or a nonce ('nonce-...') is required to enable inline execution.
sites:11 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-4HLEOQTTt5/QjdzyAx+0u3MGo5aetBm29vv3z8YAFuE='), or a nonce ('nonce-...') is required to enable inline execution.
sites:108 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' https://hxehost:51036 https://sapui5.hana.ondemand.com". Either the 'unsafe-inline' keyword, a hash ('sha256-weH3XITqj/IJEeUfXbDsdCe+LEtDyDiafcdwfH3Aumw='), or a nonce ('nonce-...') is required to enable inline execution.
Related
I am implementing a feature using H2O Flow open source code. I am running into errors when calling an internal API
Refused to connect to "https://...." because it violates the following Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
In my Facebook Instant Game I try to statically load scripts from cloudflare.com such as:
<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/pixi.js/4.8.5/pixi.min.js"></script>
But I get this Chrome browser error:
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net cdn.mixpnl.com *.google-analytics.com web.localytics.com *.googletagmanager.com blob: *.cloudfront.net *.amazonaws.com *.googleapis.com *.firebaseapp.com *.firebaseio.com *.8686c.com *.cncovs.com *.aliyun.com *.aliyuncs.com *.wsdvs.com *.console.re *.kunlunar.com *.layabox.com *.windows.net *.msecnd.net *.anysdk.com cdn.trackjs.com cdn.firebase.com *.kochava.com *.akamaized.net *.cocos.com *.hinet.net *.playfab.com code.createjs.com *.zdassets.com websdk.appsflyer.com ". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Is there a way I can load scripts from cloudflare?
Content Security Policy is one of the ways to mitigate XSS (cross-site scripting) attacks on your site/app.
To allow your site/app to load scripts from cdnjs.cloudflare.com, you'll need to add/append the domain in the script-src directive of your Content-Security-Policy HTTP response header.
A few example implementations:
httpd.conf:
Header set Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;"
nginx.conf:
add_header Content-Security-Policy "script-src 'self' ...(snipped)... cdnjs.cloudflare.com;";
Then make sure to run checkconfig before reloading or restarting the httpd/nginx service.
I am new to Content Security Policy and am trying to apply a policy like
Google Fonts violates Content Security Policy
to a page referencing a stylesheet from google: https://fonts.googleapis.com/css?family=Raleway:300,400,700
The issue I am running into is that in chrome the developer tools console tells me that the style-src rule is not set and it is defaulting to default-src. In IE I am not getting these warnings.
Here is the console Error:
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Raleway:300,400,700' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Here is a capture of my header with fiddler:
Content-Security-Policy: default-src 'self' https:;script-src 'self' 'nonce-Ab4J0bSR7xiEFldCemz9' 'unsafe-eval';object-src 'self';style-src 'self' 'unsafe-inline' 'nonce-zGkHV0PmcLCJKhMH6H8V' https:;font-src 'self' https: data:
Is this a browser problem?
Turns out I had an extra declaration in the custom headers that was conflicting.
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
</customHeaders>
</httpProtocol>
After removing this and reverting to a clear tag, the problem went away.
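The cdnjs answer and the Google Fonts fix above come down to the question the console is already asking: which directive governs the request (style-src falls back to default-src when it is not set), and does any source expression in it match the URL. When more than one Content-Security-Policy header is delivered, the browser enforces every policy, so the stray default-src 'self' in customHeaders blocked the stylesheet even though the main header allowed it. The following is an added example in Node.js, not code from either post or from any browser; it implements CSP Level 3 source matching in simplified form (no nonce or hash handling, host/scheme/port/path only). The policies, URLs and page origin are constructed, abridged from the ones quoted in the posts.

```javascript
// Added example (not from the original posts): a small CSP evaluator.
const FALLBACKS = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "style-src": ["style-src", "default-src"],
  "font-src": ["font-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
};
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function serializePolicy(policy) {
  return Object.entries(policy).map(([n, s]) => [n, ...s].join(" ")).join("; ");
}

// The directive actually applied ("Note that 'style-src' was not explicitly set...").
function effectiveDirective(policy, directive) {
  return (FALLBACKS[directive] || [directive, "default-src"]).find((d) => d in policy) || null;
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);               // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Match one source expression ('self', https:, *.cloudfront.net, https://host:8443/path) to a URL.
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === page.origin;
  if (e.startsWith("'")) return false;           // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (e === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {          // scheme source such as https: or blob:
    return url.protocol === e || (e === "http:" && url.protocol === "https:");
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = (m[1] || page.protocol.slice(0, -1)).toLowerCase();
  if (scheme !== url.protocol.slice(0, -1) && !(scheme === "http" && url.protocol === "https:")) return false;
  if (!hostMatches(m[2].toLowerCase(), url.hostname)) return false;
  const port = m[3];
  if (port === undefined) {
    if (url.port !== "") return false;           // no port in the source: URL must use its default port
  } else if (port !== "*" && port !== (url.port || DEFAULT_PORTS[url.protocol])) {
    return false;
  }
  const path = m[4];
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Evaluate every delivered policy: with several CSP headers a request must pass all of them.
function checkUrl(headers, directive, urlString, pageOriginString) {
  const url = new URL(urlString), page = new URL(pageOriginString);
  const violations = [];
  for (const header of [].concat(headers)) {
    const policy = parsePolicy(header);
    const governing = effectiveDirective(policy, directive);
    if (governing === null) continue;             // nothing restricts this directive
    if (!policy[governing].some((s) => sourceMatches(s, url, page))) {
      violations.push(`${governing} ${policy[governing].join(" ")}`);
    }
  }
  return { allowed: violations.length === 0, violations };
}

// Append a source to a directive. If the directive is absent, seed it from its
// fallback first: once style-src exists, default-src no longer applies to styles.
function addSource(header, directive, source) {
  const policy = parsePolicy(header);
  if (!(directive in policy)) {
    const base = effectiveDirective(policy, directive);
    policy[directive] = base ? [...policy[base]] : [];
  }
  if (!policy[directive].includes(source)) policy[directive].push(source);
  return serializePolicy(policy);
}

// Constructed samples (hypothetical page origin; policies abridged from the posts).
const GAME_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.facebook.com connect.facebook.net blob: *.cloudfront.net *.amazonaws.com";
const CDNJS = "https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.7/es5-shim.min.js";
const FONTS = "https://fonts.googleapis.com/css?family=Raleway:300,400,700";
const PAGE = "https://app.example.test";

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkUrl(GAME_POLICY, "script-src-elem", CDNJS, PAGE));
  console.log(checkUrl(addSource(GAME_POLICY, "script-src", "cdnjs.cloudflare.com"), "script-src-elem", CDNJS, PAGE));
  console.log(checkUrl(["default-src 'self' https:; style-src 'self' https:", "default-src 'self'"], "style-src", FONTS, PAGE));
}
```

Two points the evaluator makes concrete: a host source without a port only matches the scheme's default port, so https://hxehost:51036 must be written with the port, and adding a dedicated style-src or script-src replaces the default-src fallback for that fetch type rather than extending it, so copy the sources you still need when you introduce one.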
I'm trying to create a Chrome app which requests access to Firebase. I have set my CSP in manifest.json and I'm still getting CSP errors:
"Content_security_policy": "script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.*.googleapis.com; style-src 'self' https://www.googleapis.com/ https://fonts.googleapis.com/; default-src 'self' https://*.firebaseio.com",
This is the error I keep getting:
firebase.js:375 Refused to load the script 'https://myapp.firebaseio.com/.lp?start=t&ser=30696138&cb=1&v=5' because it violates the following Content Security Policy directive: "default-src 'self' blob: filesystem: chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Errors:
Refused to load the script 'https://ssl.google-analytics.com/ga.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
background.html:9 Refused to frame 'https://www.youtube.com/embed/' because it violates the following Content Security Policy directive: "frame-src 'self' data: chrome-extension-resource:".
Attempted solution:
To resolve this issue, I tried adding
"content_security_policy": "script-src 'self' 'unsafe-eval' https://www.youtube.com/ https://ssl.google-analytics.com/; object-src 'self'"
But then I get the warning:
'content_security_policy' is only allowed for extensions and legacy packaged apps, but this is a packaged app.
What should I do?
You can't load a script directly from the web. All scripts must be inside the Chrome App's folder. This may require you to download the script and place it into a folder that itself is inside the Chrome App folder.