Why is gcloud failing to access all Google APIs and printing out HTML inside a Compute Engine VM? - gcloud

When I SSH into a server, running gcloud compute instances list should list the instances but instead I see the following in the terminal:
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 403 (Forbidden)!!1</title>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>403.</b> <ins>That’s an error.</ins>
<p>Your client does not have permission to get URL <code>/0.1/meta-data/service-accounts/default/acquire?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute</code> from this server. <ins>That’s all we know.</ins>
I have the correct scopes added to the machine so this should work. It's also peculiar that a command line application tool is printing out HTML (´・ω・`)
Trying to access any other Google API from the VM also fails.

It seems that gcloud is trying to authenticate, but failing to do so, because the service account on the VM is damaged in some way. The error should probably be cleverer in such a circumstance. I will relay it to the teams responsible for the tool.

Related

Content Security Policy for Firefox extension/addon blocking scripts

I've been attempting to fix a content security policy error for my Firefox addon (a new tab page) for weeks now. I've tried many different things but to no avail :(
My content security policy in manifest.json (v2):
"content_security_policy": "script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://stripe.com/ https://js.stripe.com/ https://js.stripe.com/v3/ http://api.weatherapi.com/ https://api.mapbox.com/ localhost: blob:* ; worker-src * blob: ; child-src * blob: ; img-src * data: blob: ; connect-src * https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com localhost: blob:* ;",
Errors shown in console:
Loading failed for the <script> with source “https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js”. index.html:1:1
Loading failed for the <script> with source “https://js.stripe.com/v3/”. index.html:1:1
Loading failed for the <script> with source “https://unpkg.com/flowbite@1.5.1/dist/flowbite.js”. index.html:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://js.stripe.com/v3/ (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/flowbite@1.5.1/dist/flowbite.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). 2 moz-extension:1:1
Index.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="icon" href="%PUBLIC_URL%/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#000000">
<meta name="description" content="The most beautiful places in the world on every new tab.">
<meta http-equiv="Content-Security-Policy" content="script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://stripe.com/ https://js.stripe.com/ https://js.stripe.com/v3/ http://api.weatherapi.com/ https://api.mapbox.com/ localhost: blob:* ; worker-src * blob: ; child-src * blob: ; img-src * data: blob: ; connect-src * https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com localhost: blob:* ;">
<!-- Flowbite -->
<link rel="stylesheet" href="https://unpkg.com/flowbite@1.5.1/dist/flowbite.min.css" />
<!-- Mapbox -->
<script src="https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl.js"></script>
<!-- Stripe -->
<script src="https://js.stripe.com/v3/"></script>
<script>
mapboxgl.workerUrl = "https://api.mapbox.com/mapbox-gl-js/v2.9.1/mapbox-gl-csp-worker.js";
</script>
<link rel="apple-touch-icon" href="%PUBLIC_URL%/logo192.png">
<!--
manifest.json provides metadata used when your web app is installed on a
user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
-->
<!--
Notice the use of %PUBLIC_URL% in the tags above.
It will be replaced with the URL of the `public` folder during the build.
Only files inside the `public` folder can be referenced from the HTML.
Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
work correctly both with client-side routing and a non-root public URL.
Learn how to configure a non-root public URL by running `npm run build`.
-->
<title>Wanderlust - Exploring new locations around the world.</title>
<script>
// It's best to inline this in `head` to avoid FOUC (flash of unstyled content) when changing pages or themes
if (
localStorage.getItem('color-theme') === 'dark' ||
(!('color-theme' in localStorage) &&
window.matchMedia('(prefers-color-scheme: dark)').matches)
) {
document.documentElement.classList.add('dark');
} else {
document.documentElement.classList.remove('dark');
}
</script>
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
<!--
This HTML file is a template.
If you open it directly in the browser, you will see an empty page.
You can add webfonts, meta tags, or analytics to this file.
The build step will place the bundled scripts into the <body> tag.
To begin the development, run `npm start` or `yarn start`.
To create a production bundle, use `npm run build` or `yarn build`.
-->
<script src="https://unpkg.com/flowbite@1.5.1/dist/flowbite.js"></script>
</body>
</html>
I have an inline script, a personal API I request from, and external scripts (mapbox, flowbite, stripe and a few others). Thanks for your help!

Cloud Build with Github trigger not working: testIamPermissions not found on server

I am trying to implement an automation using Python and Google Cloud Run, and the automation is running well. But to avoid having to manually deploy it every time, I am trying to implement a GitHub trigger in Cloud Build.
I created a dockerfile, the yaml file, requirements, etc., just as recommended here and here.
It all starts fine, the dockerfile, yaml and requirements are used properly, but in step 3 I get an error:
Details of the error follows:
Step #2: Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Step #2: gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Step #2: ERROR: (gcloud.run.deploy) HTTPError 404: <!DOCTYPE html>
Step #2: <html lang=en>
Step #2: <meta charset=utf-8>
Step #2: <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
Step #2: <title>Error 404 (Not Found)!!1</title>
Step #2: <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
Step #2: <p><b>404.</b> <ins>That’s an error.</ins>
Step #2: <p>The requested URL <code>/v1/projects/[prject-id]/locations/REGION/services/[application]:testIamPermissions</code> was not found on this server. <ins>That’s all we know.</ins>
Step #2:
Finished Step #2
ERROR
ERROR: build step 2 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1
I believe I granted all required permissions, but I can't seem to resolve the issue.
Figured out the issue: the region was incorrect in the yaml file.
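As an added example (not code from either poster or from gcloud): a small Python helper for triaging the HTML error pages quoted in the gcloud 403 question above and in this Cloud Build log. It extracts the HTTP status, the requested path, the OAuth scopes encoded in the `scope` parameter, and the `locations/...` segment so that it can be compared with the intended region. The name `triage` and both sample strings are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

class _ErrorPage(HTMLParser):
    """Collects the <title> and <code> text of an HTML error page."""
    def __init__(self):
        super().__init__()
        self._open = None
        self.text = {"title": "", "code": ""}
    def handle_starttag(self, tag, attrs):
        if tag in self.text:
            self._open = tag
    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None
    def handle_data(self, data):
        if self._open:
            self.text[self._open] += data

def triage(cli_output):
    """Extract status, path, requested OAuth scopes and location from the page."""
    # Drop Cloud Build "Step #N: " prefixes, then rejoin terminal-wrapped lines.
    lines = [re.sub(r"^Step #\d+: ?", "", ln) for ln in cli_output.splitlines()]
    page = _ErrorPage()
    page.feed("".join(lines))
    page.close()
    m = re.search(r"Error (\d{3}) \(([^)]*)\)", page.text["title"])
    url = urlsplit(page.text["code"].strip())
    loc = re.search(r"/locations/([^/]+)/", url.path)
    return {
        "status": int(m.group(1)) if m else None,
        "reason": m.group(2) if m else None,
        "path": url.path,
        "scopes": parse_qs(url.query).get("scope", [""])[0].split(),
        "location": loc.group(1) if loc else None,
    }

# Constructed samples modelled on the two outputs quoted on this page.
SAMPLE_403 = """<title>Error 403 (Forbidden)!!1</title>
<p>Your client does not have permission to get URL <code>/0.1/meta-data/service-accounts/default/acquire?scope=http
s%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform%20htt
ps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute</code> fro
m this server."""
SAMPLE_404 = """Step #2: ERROR: (gcloud.run.deploy) HTTPError 404: <!DOCTYPE html>
Step #2: <title>Error 404 (Not Found)!!1</title>
Step #2: <p>The requested URL <code>/v1/projects/example-project/locations/REGION/services/example-service:testIamPermissions</code> was not found on this server."""
```

For the 403 case, the decoded scope list can be compared with what the VM's metadata server reports for its default service account; for the 404 case, a `location` that is not a real region name points at the build configuration.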

Issue uploading PostAction plugin in Datafusion

We are trying to implement a custom post action plugin for Datafusion. The plugin build is successful. When I try to upload the JAR and JSON files, it fails with the error below:
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 502 (Bad Gateway)!!1</title>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>502.</b> <ins>That’s an error.</ins>
<p> <ins>That’s all we know.</ins>
How can we debug this issue, given that we do not see any issues at build time?

Publishing to Azure Mobile Service with Lets Encrypt certificate gives Runtime Error

I have set up a new Azure Mobile App Service instance which has been working fine. The only thing I can think that I've done to the server side configuration is add a Lets Encrypt certificate to provide SSL support using the Lets Encrypt Azure Extension.
Now, when I publish, I get a Runtime Error. Looking in the Azure streaming logs, I can see the following every time I hit the application URL:
2017-06-29T13:54:07 Welcome, you are now connected to log-streaming service.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS Detailed Error - 500.0 - Internal Server Error</title>
</head>
<body>
<div id="content">
<div class="content-container">
<h3>HTTP Error 500.0 - Internal Server Error</h3>
<h4>The page cannot be displayed because an internal server error has occurred.</h4>
</div>
<div class="content-container">
<fieldset><h4>Most likely causes:</h4>
<ul> <li>IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.</li> <li>IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.</li> <li>IIS was not able to process configuration for the Web site or application.</li> <li>The authenticated user does not have permission to use this DLL.</li> <li>The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.</li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Things you can try:</h4>
<ul> <li>Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.</li> <li>Check the event logs to see if any additional information was logged.</li> <li>Verify the permissions for the DLL.</li> <li>Install the .NET Extensibility feature if the request is mapped to a managed handler.</li> <li>Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. </li> </ul>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>Detailed Error Information:</h4>
<div id="details-left">
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Module</th><td> AspNetInitializationExceptionModule</td></tr>
<tr><th>Notification</th><td> BeginRequest</td></tr>
<tr class="alt"><th>Handler</th><td> ExtensionlessUrlHandler-Integrated-4.0</td></tr>
<tr><th>Error Code</th><td> 0x00000000</td></tr>
Has anyone come across this problem before?
OK, a bit of an obscure and edge case one this, but thought I'd leave it here with the answer in case it helps someone.
I created the site and published it with it all working fine. I then changed the assembly name to fit in with my project naming standards and re-published, without selecting 'DELETE ALL FILES' because it would wipe out the Lets Encrypt extension settings. However, this left the old DLLs hanging around in the \bin directory, meaning there were two OWIN startup classes being found!
Deleting the old one fixed the issue.

Facebook debugger scrapes default Apache page instead of mine

I made a site: http://pravo-trans.eu/
All the needed og meta tags are there. But when I want to share the link on any social network, nothing happens. I thought it might be the cache. But when I used the Facebook debugger, it said:
The 'og:type' property is required, but not present.
And it's not true because I wrote in <head> this:
<meta property="og:title" content="Проект правовой помощи людям" />
<meta property="og:type" content="website" />
<meta property="og:image" content="/transgender-project.jpg" />
<meta property="og:description" content="Бесплатные юридические консультации и представительство по делам о смене документов (внесение изменений в записи о рождении, паспорта, трудовые книжки, документы об образовании и другие документы)" />
<meta property="og:url" content="http://pravo-trans.eu/" />
<meta property="og:locale" content="ru_RU" />
<link rel="canonical" href="http://pravo-trans.eu/" />
And the strangest thing for me happened when I clicked on "See exactly what our scraper sees for your URL". There I saw that the debugger parsed the Apache default page instead of mine! https://developers.facebook.com/tools/debug/og/echo?q=http%3A%2F%2Fpravo-trans.eu%2F
How can this be, and how can I fix it?
After several hours of trying to debug this issue and playing with DNS settings/servers, I have a solution that works for me.
I noticed that requests from Facebook were coming from an IPv6 server, but my Apache VirtualHost declarations did not include the IPv6 address. To debug, I changed the following line in my Apache .conf file:
<VirtualHost IPv4:80>
to:
<VirtualHost IPv4:80 [IPv6]:80>
...and immediately upon restarting Apache, Facebook was able to successfully scrape my site. (Replace IPv4/IPv6 above with your actual addresses of course.)
If by chance you are using Parallels Plesk, as am I, then this is not a permanent solution because Plesk will rewrite the configuration files, so you have to go into the Plesk panel and make sure that your server's IPv6 address is assigned to the Subscription that owns the domain in question. In my case, only the IPv4 was assigned to the subscription.
The setting can be found under "Change Hosting Settings" for each particular Subscription.
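A static check for the misconfiguration this answer describes, as an added example (not the answerer's code): it lists virtual hosts whose `<VirtualHost>` line is pinned to IPv4 addresses only, the case in which IPv6 clients are served the server's default page instead. The function names, the sample configuration and its documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)

def _family(addr_spec):
    """Return 4, 6 or None for one 'addr[:port]' token of a VirtualHost line."""
    if addr_spec.startswith("["):          # Apache requires [brackets] for IPv6
        host = addr_spec[1:addr_spec.index("]")]
    else:
        host = addr_spec.rsplit(":", 1)[0] if ":" in addr_spec else addr_spec
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None                        # "*", "_default_" or a hostname

def ipv4_only_vhosts(conf_text):
    """Names of vhosts bound to literal IPv4 addresses and nothing else."""
    conf_text = re.sub(r"(?m)^[ \t]*#.*$", "", conf_text)  # ignore comment lines
    findings = []
    for addrs, body in VHOST.findall(conf_text):
        families = {_family(a) for a in addrs.split()}
        if families == {4}:
            name = SERVER_NAME.search(body)
            findings.append(name.group(1) if name else "(no ServerName)")
    return findings

# Constructed sample configuration (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    DocumentRoot /var/www/site
</VirtualHost>
<VirtualHost 192.0.2.10:80 [2001:db8::10]:80>
    ServerName fixed.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName any.example.com
</VirtualHost>
"""

if __name__ == "__main__":
    print(ipv4_only_vhosts(SAMPLE_CONF))
```

A flagged virtual host only matters when the hostname also publishes an AAAA record, so check the result against the DNS zone.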