Crossrider: Content Security Policy directive: "script-src 'self' 'unsafe-eval'"

I added a datepicker to my Crossrider cross-platform extension. It opens properly, but when I click on a date in the calendar to select it, I get the following error:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'".
What am I supposed to do to resolve this issue? Whoever knows how to resolve it, please reply fast. Thanks in advance.

You haven't provided any code, which makes it hard to determine the exact cause, but it's likely due to an inline script or similar that is violating the Content Security Policy. Commonly, the issue is resolved by loading the inline code from an external file and applying it using some jQuery or equivalent.
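Added here as an example of the externalizing step the answer describes; it is not code from the answer, from Crossrider or from any datepicker library. It takes markup that carries inline `on*=` handlers (exactly what a `script-src` without `'unsafe-inline'` refuses), strips them, and emits the body of an external script that re-attaches each one with `addEventListener`, the plain-DOM equivalent of the jQuery approach mentioned. The sample HTML is constructed, and the regex-based tag handling assumes simple, well-formed markup with quoted attributes and plain `id` values; production code should walk a real HTML parser's tree instead.

```javascript
// Added example (not the answer's code): move inline event handlers, which
// "script-src 'self'" refuses, out of the markup and into an external script.
// Assumption: simple well-formed HTML with quoted attributes and plain ids;
// the regexes are illustrative, real pages should go through an HTML parser.

const OPEN_TAG = /<([a-z][\w-]*)(\s[^<>]*)?>/gi;
const INLINE_HANDLER = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Pick a selector the external script can use to find the element again:
// its id if it has one, otherwise a generated data-csp-handler attribute.
function selectorFor(attrs, counter) {
  const id = /\sid\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(attrs);
  if (id) return { selector: `#${id[1] !== undefined ? id[1] : id[2]}`, attrs };
  const key = `h${counter}`;
  return { selector: `[data-csp-handler="${key}"]`, attrs: `${attrs} data-csp-handler="${key}"` };
}

// Strip every on*="..." attribute and record (selector, event, code) for each.
function externalizeInlineHandlers(html) {
  const handlers = [];
  let counter = 0;
  const cleaned = html.replace(OPEN_TAG, (tag, name, attrs = '') => {
    const found = [...attrs.matchAll(INLINE_HANDLER)];
    if (found.length === 0) return tag;
    counter += 1;
    const { selector, attrs: kept } = selectorFor(attrs.replace(INLINE_HANDLER, ''), counter);
    for (const m of found) {
      const code = m[2] !== undefined ? m[2] : m[3];
      handlers.push({ selector, event: m[1].slice(2).toLowerCase(), code });
    }
    return `<${name}${kept}>`;
  });
  return { html: cleaned, handlers, script: buildExternalScript(handlers) };
}

// Contents of the external file. A function expression keeps `this` bound to
// the element as in the inline form; note that `return false` no longer
// cancels the default action here, the handler must call event.preventDefault().
function buildExternalScript(handlers) {
  const lines = handlers.map(({ selector, event, code }) =>
    `  document.querySelector(${JSON.stringify(selector)}).addEventListener(${JSON.stringify(event)}, function (event) {\n    ${code}\n  });`);
  return `document.addEventListener('DOMContentLoaded', function () {\n${lines.join('\n')}\n});\n`;
}

// Constructed snippet in the style of a calendar widget that uses inline handlers.
const SAMPLE_HTML = [
  '<table class="calendar">',
  '<tr><td class="day" onclick="selectDate(1)">1</td>',
  '<td id="day2" class="day" onclick="selectDate(2)" onmouseover=\'highlight(this)\'>2</td></tr>',
  '</table>',
].join('\n');

const result = externalizeInlineHandlers(SAMPLE_HTML);
console.log(result.html);
console.log(result.script);
```

The generated script is saved as a file inside the extension and loaded with a normal `<script src>` tag, which `'self'` permits; nothing in the policy has to be loosened for it.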

Related

Fallback to default TYPO3 page type if invalid type number/typeNum is requested

In my TYPO3 9 LTS installation, when a request with an invalid (i.e. not TypoScript-configured) type number (PAGE.typeNum) comes in, my installation returns an ugly error message:
Example request: https://www.example.com?type=1234
Example response:
Service Unavailable (503)
The page is not configured! [type=1234][]. This means that there is no TypoScript object of type PAGE with typeNum=1234 configured.
More information regarding this error might be available online.
The "more information" link points to https://typo3.org/go/exception/CMS/1294587217, but there currently isn't any helpful information on how to better configure my installation.
These error messages are also annoying, as they may be triggered by web crawlers, and each request creates an error entry in the TYPO3 system log.
What can I do to fall back to / serve the default type=0 HTML page if a requested type number is not configured?
AFAIK TYPO3 currently cannot handle that properly. A 503 is generated, but the corresponding errorHandler in the site configuration is not triggered.
At least the error message will be a bit less ugly ("Ooops, an error...") when you are in TYPO3_CONTEXT=Production.
There is a feature request to make the unknown page type behave like 404: https://forge.typo3.org/issues/86844
For the time being I suggest adding redirects (301) for all types that you do not want to serve outside of TYPO3 (e.g. .htaccess RewriteRules or nginx rewrites).

What's the most restricted Content-Security-Policy to enable Facebook Connect?

I would like to use Facebook Connect with Ionic / Cordova.
It requires a Content-Security-Policy.
What are the most restricted values for the following parameters that will still enable the use of Facebook Connect?
style-src
script-src
connect-src
Make sure you understand all those values. style-src is needed when you load external styles, script-src when you load external scripts, and connect-src when you, for example, use an AJAX call. connect-src would be needed for calls to the Graph API: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
So if you load some JS SDK (like the FB JS SDK), and use it to do API Calls, you would need something like this: "script-src 'self' *.facebook.com; connect-src 'self' graph.facebook.com"
Not tested, though. But with Cordova, as far as I remember, you can easily debug your app with Chrome Dev Tools if you connect your phone. The console errors should tell you exactly which CSP value is missing.
Another thread that may help you: Cordova: CSP issue on Android when requesting data over HTTPS
In the end, just restrict as much as possible at the beginning and allow things one by one. You can easily find out what you need that way, and browser consoles do tell you exactly what's missing and why.
These are the minimum requirements that worked for me to use Facebook Connect from Ionic / Cordova.
Big thanks to #luschn for guidance and assistance in debugging it properly.
<!-- Replace mydomain.com with your own domain -->
<meta http-equiv="Content-Security-Policy"
      content="style-src 'self' 'unsafe-inline';
               script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost https://connect.facebook.net;
               connect-src 'self' https://*.mydomain.com https://*.facebook.net ws: wss:;">

Content-Security-Policy issue

I'm using the code below in my .htaccess, but for some reason I'm getting an error message in the console. Any idea what the issue is?
Thanks,
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ https://connect.facebook.net https://connect.facebook.com"
</IfModule>
You have an inline script on your page, i.e. something like this:
<script>
...
</script>
This is either directly in your HTML, or in a component you use (e.g. a Facebook widget you pull into your page adds this), or perhaps in a browser extension your browser uses.
You can allow this inline script by adding 'unsafe-inline' to your config like this:
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'unsafe-inline' 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ https://connect.facebook.net https://connect.facebook.com"
</IfModule>
However, this would defeat most of the protections of Content Security Policy (CSP), which is specifically designed to prevent rogue scripts running on your site, to prevent security problems like Cross-Site Scripting (XSS).
I suggest you read up a lot more on CSP before implementing it. I can suggest my own blog post here as a starter: https://www.tunetheweb.com/security/http-security-headers/csp/
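Both this answer and luschn's answer in the Facebook Connect thread come down to the same exercise: work out which directive governs a given load and whether the source list allows it, without relaxing the policy to `'unsafe-inline'`. The evaluator below is added here as an example and is not code from either answer, from any browser or from any project. It parses a policy string and decides, for an external script, style or connection or for an inline script, which directive applies and whether it matches, including the rule that a nonce in the list turns `'unsafe-inline'` off. The policies it checks are the ones quoted in these threads; the page origin `https://www.example.com`, the nonce value and the request URLs are constructed for the example. It covers `'self'`, `'none'`, `'unsafe-inline'`, nonce sources, scheme sources and host sources with an optional scheme, leading wildcard, port and path prefix; hashes, `'strict-dynamic'`, the http-to-https upgrade rule and report-only mode are deliberately left out.

```javascript
// Added example, not code from either answer, from a browser or from any
// project: an offline evaluator for CSP fetch directives, so a candidate
// policy can be checked against the loads a page makes before it ships.
// Covered: 'self', 'none', 'unsafe-inline', 'nonce-...', scheme sources
// (https: ws: wss:), host sources with optional scheme, wildcard, port, path.
// Left out: hashes, 'strict-dynamic', http->https upgrade, report-only mode.
// The page origin, nonce and request URLs below are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "a b; c d" -> Map { 'a' => ['b'], 'c' => ['d'] }. A repeated directive is
// ignored, as browsers do: the first occurrence wins.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Host pattern match. "*.facebook.net" needs at least one label before the
// dot, so it does not cover facebook.net itself.
function hostAllows(pattern, host) {
  const p = pattern.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return host.endsWith(p.slice(1)) && host.length > p.length - 1;
  return host === p;
}

// Does one source expression allow fetching `url` from a page at `pageOrigin`?
function sourceAllows(expr, url, pageOrigin) {
  const target = new URL(url);
  const self = new URL(pageOrigin);
  if (expr === "'self'") return target.origin === self.origin;
  if (expr.startsWith("'")) return false;                   // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*\s]+)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return false;                                     // malformed source expression
  const [, scheme, host, port, path] = m;
  const wantProtocol = scheme ? `${scheme.toLowerCase()}:` : self.protocol;
  if (target.protocol !== wantProtocol) return false;
  if (!hostAllows(host, target.hostname)) return false;
  const actualPort = target.port || DEFAULT_PORT[target.protocol];
  if (port ? port !== '*' && port !== actualPort : target.port !== '') return false; // no port = scheme default
  if (path && (path.endsWith('/') ? !target.pathname.startsWith(path) : target.pathname !== path)) return false;
  return true;
}

// request: { type: 'script' | 'style' | 'connect', url } for a fetch, or
// { type: 'script', inline: true, nonce? } for an inline script or handler.
function evaluate(policyText, pageOrigin, request) {
  const directives = parsePolicy(policyText);
  const own = `${request.type}-src`;
  const governing = directives.has(own) ? own : directives.has('default-src') ? 'default-src' : null;
  if (!governing) return { allowed: true, directive: null, reason: 'no directive governs this request' };
  const sources = directives.get(governing);
  if (request.inline) {
    // Per CSP2/3, a nonce or hash in the list makes 'unsafe-inline' a no-op.
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (request.nonce && sources.includes(`'nonce-${request.nonce}'`)) return { allowed: true, directive: governing, reason: 'nonce matched' };
    if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return { allowed: true, directive: governing, reason: "'unsafe-inline' is present" };
    return { allowed: false, directive: governing, reason: `inline code refused by ${governing}` };
  }
  const hit = sources.find((s) => sourceAllows(s, request.url, pageOrigin));
  return hit
    ? { allowed: true, directive: governing, reason: `matched ${hit}` }
    : { allowed: false, directive: governing, reason: `no source in ${governing} matches ${request.url}` };
}

// Policies quoted from the threads above, checked from a constructed page origin.
const PAGE = 'https://www.example.com';
const EXTENSION_POLICY = "script-src 'self' 'unsafe-eval'";
const HTACCESS_POLICY = "script-src 'self' https://maxcdn.bootstrapcdn.com/ https://oss.maxcdn.com/ "
  + 'https://cdnjs.cloudflare.com https://ajax.googleapis.com https://maps.googleapis.com '
  + 'https://fonts.googleapis.com/ https://www.facebook.com/ https://www.facebook.net/ '
  + 'https://connect.facebook.net https://connect.facebook.com';
const CORDOVA_POLICY = "style-src 'self' 'unsafe-inline'; "
  + "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost https://connect.facebook.net; "
  + "connect-src 'self' https://*.mydomain.com https://*.facebook.net ws: wss:;";
const NONCE_POLICY = "script-src 'self' 'nonce-r4nd0m'";   // constructed nonce value

function describe(policy, request) {
  const r = evaluate(policy, PAGE, request);
  return `${r.allowed ? 'allow' : 'BLOCK'} ${r.directive || '-'}: ${r.reason}`;
}

console.log(describe(EXTENSION_POLICY, { type: 'script', inline: true }));
console.log(describe(HTACCESS_POLICY, { type: 'script', url: 'https://connect.facebook.net/en_US/sdk.js' }));
console.log(describe(HTACCESS_POLICY, { type: 'script', inline: true }));
console.log(describe(NONCE_POLICY, { type: 'script', inline: true, nonce: 'r4nd0m' }));
```

Two things it makes visible that the browser console message does not: a host source without a scheme only matches the page's own scheme, so `http://` and `https://` loads of the same CDN are different cases, and a per-response nonce lets a specific inline block run while keeping every other inline script refused, which is the usual alternative to `'unsafe-inline'` when the inline code cannot be moved to a file.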

Facebook Canvas iframe not loading the URL

I am developing a rummy game on Facebook. But after a few days, the Facebook canvas iframe is throwing an error, which I have given below:
Not Found
The requested URL /stats.php was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.41 Server at cabaniaseleden.com.ar Port 80
And here is the link to the application: rummy_game
So please help me remove this problem as soon as possible.
File Not Found:
check if you can open the file directly; if that's OK, then you will be able to get it inside Facebook. Right now it's not possible.
SSL Error (SSL received a record that exceeded the maximum permissible length):
maybe you are using a self-signed SSL certificate or are missing Apache configuration.
Check your links and keep in mind that you will need a valid SSL certificate.
The canvas is loaded correctly but is pointing to a non-existing URL (http://cabaniaseleden.com.ar/stats.php), which should be fixed on your end by editing the application settings:

Tab Page Error: The requested method GET is not allowed

I have just set up a custom tab on my page for the first time. I have thoroughly followed the setup guide and seem to have everything on the Facebook side set up correctly.
However, when I view my page it throws the following error:
Method Not Allowed
The requested method GET is not allowed for the URL /Facebook/index.html.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.41 Server at feebnaturals.com.au Port 80
I believe it may be some kind of Apache server config issue; however, I'm not that Apache-savvy, so I'm not sure where to start.
I had the same problem, but instead of GET, it was the POST method which was not allowed. This is a setting on your server. I'm not server-savvy myself, but it seems that my provider didn't allow this method on HTML pages, while it has no problem doing the same for PHP pages. So all I did was rename my page from .html to .php, update the app settings in Facebook, and all works fine now.
This is definitely an error on your side; check your server logs and see what they say. It looks like you've configured the page to only work via a POST request and it's being requested with a GET request.