Refused to connect to [url] because it violates the following Content Security Policy directive - facebook

I am the author of a Chrome extension that allows users to translate status updates and comments right on Facebook: https://chrome.google.com/webstore/detail/facebook-translate/plofenifjagmdikfcobngnfmmnfmphin
For some days now, my users and I have been getting an error in the error console that says:
Refused to connect to 'https://api.microsofttranslator.com/V2/Http.svc/Translate?appId=&text=Chrome-Integration%3A+Google+bringt+Google+Now+auf+Desktop-PCs&to=en&contentType=text%2Fhtml' because it violates the following Content Security Policy directive: "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net".
In my Chrome extension I set the content security policy as follows:
"content_security_policy": "script-src 'self' https://ssl.google-analytics.com; object-src 'self'"
The URIs in the error console, however, are FB URIs only, so that's why I think Facebook updated their site to restrict access to remote URIs. I'm not certain whether it could be a Chrome issue, so sorry if I started the topic on the wrong Stack Overflow network. :)
Can anyone confirm (and maybe point me to a possible solution for) this issue? Thanks everyone!

Extensions should bypass a page's Content Security Policy when executing XMLHttpRequest from a content script. They currently aren't, which is a bug. I've filed https://bugs.webkit.org/show_bug.cgi?id=104480 to take a look at fixing it.
Are you executing XHR from your extension's content script, or are you executing it in the background page? The latter should work right now.

The error message says you are trying to connect to the 'https://api.microsofttranslator.com/' domain, which is not specified in the connect-src of the CSP directive.
It seems you have listed the following domains for the connect-src policy:
"connect-src
https://*.facebook.com
http://*.facebook.com
https://*.fbcdn.net
http://*.fbcdn.net
*.facebook.net
*.spotilocal.com:*
https://*.akamaihd.net
ws://*.facebook.com:*
http://*.akamaihd.net".
Add the new domain microsofttranslator.com if it is valid.
Let me know if you need more information.

I had this problem out of the blue.
I paused the ad-blocker on the domain, and now it works.


Error on Login using Facebook PHP SDK with Strict Mode Enabled

I got a notification from Facebook saying that they will invalidate calls from URIs not listed in the Valid OAuth redirect URIs this coming March 2018 and I think they are requiring us to Enable Strict Mode for Redirect URIs. Link about this can be found here.
I have been using their PHP SDK with Strict Mode disabled for a year now without any problem; however, when I enable strict mode and put the redirect URL there, which is https://nino-dot-dynamic-osprey-93721.appspot.com/admin/fb-callback_admin.php, it returns the error shown below each time I try to log in with Facebook:
Graph returned an error: Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.
Note that I'm simply using FB's default PHP SDK login code (https://developers.facebook.com/docs/php/howto/example_facebook_login), which has login.php and fb-callback.php, and I'm not using any custom OAuth workflows.
I noticed that the redirect URL generated contains the code and state parameters:
site.com/admin/fb-callback_admin.php?code=somecode&state=somestate
I think this is the reason why I'm getting the error, because it only expects a redirect URL of https://nino-dot-dynamic-osprey-93721.appspot.com/admin/fb-callback_admin.php without any trailing parameters.
How do you suggest getting around this issue when enabling strict mode, given that the redirect URL produced by the code below:
$helper = $fb->getRedirectLoginHelper();
$permissions = ['email']; // Optional permissions
$loginUrl = $helper->getLoginUrl('https://nino-dot-dynamic-osprey-93721.appspot.com/admin/fb-callback_admin.php', $permissions);
echo htmlspecialchars($loginUrl);
is generated by FB's PHP SDK by default?
Change
$accessToken = $helper->getAccessToken();
to
$accessToken = $helper->getAccessToken('http://www.example.com/admin/fb-callback_admin.php');
I had the same issue and found this answer in this thread, which seems to resolve the problem for me:
Graph returned an error: Can't Load URL: The domain of this URL isn't included in the app's domains
Not sure why this works, though, but glad it did.
I was facing the same issue. Actually, this comes from the Facebook Graph SDK.
I got this information from here.
Also, a quick and dirty change that seemed to fix this error for me was adding 'code' to the list of params to remove in FacebookRedirectLoginHelper.
Later Facebook itself released an updated package, which seems to have fixed the issue.
Make sure you have the latest version of facebook-graph-sdk; at the time of this answer, the version is 5.6.2.
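As an added example, not code from the Facebook PHP SDK or from any of the answers above, here is the same callback logic in JavaScript, to show what strict redirect URI matching demands. The registered URI, the callback URL and the state value are constructed samples on www.example.com; the app ID and secret are placeholders.

```javascript
// Added example (not the Facebook PHP SDK's code): what strict-mode
// redirect URI checking demands of a callback page.
// The token exchange must send exactly a registered URI, but the URL the
// callback is invoked at carries ?code=...&state=... appended by the
// authorization server, so that URL cannot be reused unmodified.

// Constructed sample allow-list; in a real app these are the URIs entered
// under "Valid OAuth redirect URIs" in the app settings.
const REGISTERED_REDIRECT_URIS = new Set([
  'https://www.example.com/admin/fb-callback_admin.php',
]);

// Strip only what the authorization response appended. Any other
// difference (scheme, host, path, extra query) is a genuine mismatch and
// is deliberately kept so that the strict comparison below rejects it.
function canonicalRedirectUri(callbackUrl) {
  const u = new URL(callbackUrl);
  u.searchParams.delete('code');
  u.searchParams.delete('state');
  u.hash = '';
  return u.toString();
}

// Strict mode: exact string equality, no prefix, case or query tolerance.
function isRegisteredRedirectUri(uri) {
  return REGISTERED_REDIRECT_URIS.has(uri);
}

// Anti-CSRF check: the state echoed back must equal the one stored in the
// user's session before the redirect; compared without an early exit on
// the first differing character.
function stateMatches(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  if (expected.length !== received.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ received.charCodeAt(i);
  }
  return diff === 0;
}

// Build the parameters for the code-for-token request. redirect_uri is
// derived from the callback's own URL only after canonicalisation.
function tokenExchangeParams(callbackUrl, sessionState, appId, appSecret) {
  const u = new URL(callbackUrl);
  const code = u.searchParams.get('code');
  if (!code) throw new Error('no authorization code in callback URL');
  if (!stateMatches(sessionState, u.searchParams.get('state'))) {
    throw new Error('state mismatch: possible CSRF or stale session');
  }
  const redirectUri = canonicalRedirectUri(callbackUrl);
  if (!isRegisteredRedirectUri(redirectUri)) {
    throw new Error(`redirect_uri ${redirectUri} is not registered; strict mode rejects it`);
  }
  return { client_id: appId, client_secret: appSecret, redirect_uri: redirectUri, code };
}

// Stand-alone demo with a constructed callback URL and placeholder credentials.
const CALLBACK = 'https://www.example.com/admin/fb-callback_admin.php?code=AQB123&state=8f2a';
console.log(tokenExchangeParams(CALLBACK, '8f2a', 'APP_ID_PLACEHOLDER', 'APP_SECRET_PLACEHOLDER'));
```

This is why passing the callback URL explicitly to getAccessToken() fixes the error: the value the SDK would otherwise derive from the current request still carries code and state, and strict mode compares strings, not prefixes.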

Policy file error while loading new profile pictures from Facebook

As you might know, for loading images from Facebook in our application (in my case AS3) we have to load the following policy file:
Security.loadPolicyFile('https://fbcdn-profile-a.akamaihd.net/crossdomain.xml');
otherwise we get the following error:
SecurityError: Error #2122: Security sandbox violation: Loader.content: http://test cannot access http://profile.ak.fbcdn.net/v22941/254/15/q652310588_2173.jpg A policy file is required, but the checkPolicyFile flag was not set when this media was loaded.
You can find a related question here.
I have a Facebook application that has been running for a long time without problem, but what I am facing today, which is bizarre, is that the application gives the same security error message while loading a NEW PROFILE PICTURE, while for the profile pictures that were uploaded about 2-3 weeks ago or earlier there is no problem.
My question is: did Facebook change its policy? Is it a problem from my side, or is something wrong on Facebook's side? I have googled to see if Facebook's policy or something else has changed, but I did not find any clue.
If you go to https://fbcdn-profile-a.akamaihd.net/crossdomain.xml you will see that it returns an error (403 Forbidden: You don't have permission to access /36477/crossdomain/pics-crossdomain.xml on this server) so Flash never gets a valid crossdomain file.
This is an issue that Facebook needs to address.
I know of no way to have Flash ignore crossdomain errors.

Jenkins embeddable build status icon not shown

I want to use the Embeddable Build Status Plugin for Jenkins. I am using Cloudbees. I granted Job/ViewStatus permissions to the anonymous user. When I add the Markdown to the README.md no icon is shown. I tried both the protected and the unprotected link.
# protected
[![Build Status](https://johnjohndoe.ci.cloudbees.com/job/TypedPreferences/badge/icon)](https://johnjohndoe.ci.cloudbees.com/job/TypedPreferences/)
# unprotected
[![Build Status](https://johnjohndoe.ci.cloudbees.com/buildStatus/icon?job=TypedPreferences)](https://johnjohndoe.ci.cloudbees.com/job/TypedPreferences/)
By default DEV#cloud Jenkins instances are not visible, at all, to anonymous users. If you have configured role-based security and want anonymous users to have the selected roles, configure your system and check the box Enable read-only access for anonymous users.
Well, the question was asked some time ago, but for others reaching it here who have the problem that the image is still not shown within the README.md on GitHub/GitHub Enterprise after performing the above-mentioned configuration:
Make sure that both services are using the same protocol. In my case, we had GitHub-Enterprise running under HTTPS and Jenkins was running on HTTP.
The badge will not be shown in this case because of the possible security breach introduced by mixed content. You will find an appropriate error message in the console output of your browser (e.g. F12 in Chrome):
Mixed Content: The page at 'https://.../README.md' was loaded over HTTPS,
but requested an insecure image 'http://.../job/master/badge/icon'.
This request has been blocked; the content must be served over HTTPS.
It's of course quite obvious but something that can also be easily missed when searching on the wrong track.
I had an issue with a space in the project name, so do not forget to replace spaces with %20.
example:
[![Build Status](../Long%20Project%20Name/...)](.../Long%20Project%20Name/...)
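The two answers above describe checks a maintainer does by hand; as an added example (not code from the plugin or from the answers), the JavaScript below scans a README for badge images that a browser on an HTTPS page would block as mixed content or that carry an unencoded space, and builds a correctly encoded badge URL. The README text and the Jenkins hostnames are constructed samples.

```javascript
// Added example, not part of the answers above: find badge images that a
// browser would block (http: image on an https: page) or that contain an
// unencoded space, and build a correctly encoded badge URL.

// Constructed sample README; the Jenkins hosts are placeholders.
const SAMPLE_README = [
  '# Project',
  '[![Build Status](http://jenkins.internal/job/Long Project Name/badge/icon)](http://jenkins.internal/job/Long Project Name/)',
  '[![Build Status](https://ci.example.com/buildStatus/icon?job=TypedPreferences)](https://ci.example.com/job/TypedPreferences/)',
].join('\n');

// Markdown image syntax: ![alt](url). The URL part is captured up to the
// closing parenthesis so that a URL containing spaces is still seen.
const IMAGE_RE = /!\[[^\]]*\]\(([^)]+)\)/g;

function checkBadgeImages(pageUrl, markdown) {
  const pageScheme = new URL(pageUrl).protocol;
  const findings = [];
  for (const m of markdown.matchAll(IMAGE_RE)) {
    const raw = m[1].trim();
    const problems = [];
    if (raw.includes(' ')) problems.push('unencoded-space');
    let img = null;
    try {
      img = new URL(raw.replace(/ /g, '%20'), pageUrl);
    } catch (e) {
      problems.push('unparseable-url');
    }
    // Browsers block http: images on an https: page (mixed content).
    if (img && pageScheme === 'https:' && img.protocol === 'http:') {
      problems.push('mixed-content');
    }
    if (problems.length) findings.push({ url: raw, problems });
  }
  return findings;
}

// Build the unprotected badge URL with the job name percent-encoded,
// so "Long Project Name" becomes "Long%20Project%20Name".
function badgeUrl(jenkinsBase, jobName) {
  return `${jenkinsBase.replace(/\/$/, '')}/buildStatus/icon?job=${encodeURIComponent(jobName)}`;
}

// Stand-alone demo against a constructed GitHub Enterprise page URL.
const PAGE = 'https://github.example.com/org/repo/blob/master/README.md';
console.log(checkBadgeImages(PAGE, SAMPLE_README));
console.log(badgeUrl('https://ci.example.com/', 'Long Project Name'));
```

Running it on the sample flags only the first badge, for both reasons, which is the combination of problems the two answers describe: the image scheme must match the page's, and the job name must be encoded.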

Like button on content will not work until URL is submitted to Facebook debug tool

I'm troubleshooting an issue where the Like button won't work on my site unless the URL is submitted to the Facebook debug tool.
When I hit like I'm seeing two requests fire to comment_widget_shell.php. One succeeds (302 Found), while the other fails, showing a status "(canceled)" and type "pending":
The successful request:
Request URL:http://www.facebook.com/plugins/comment_widget_shell.php?locale=en_US&master_frame_name=f236db264&offsetX=0&sdk=joey
Request Method:GET
Status Code:302 Found
The failed request:
Request URL:https://www.facebook.com/plugins/comment_widget_shell.php?locale=en_US&master_frame_name=f236db264&offsetX=0&sdk=joey
As of the writing of this question, here is an example URL where like fails:
http://www.zujava.com/geisha-makeup
I initially thought it was this Stack Overflow issue, as the site runs on a platform somewhat similar to Heroku, but for Drupal (Pantheon), and I can't reproduce the issue locally. However, I contacted Pantheon support and they reported the Heroku limitation does not exist on Pantheon.
I'm not sure what other tools I can use to debug this. My article pages get a clean report from the Facebook Debugger. Any ideas or tips of what I can look deeper into?
I have had pretty good luck with Pantheon. If you're just trying to get a like button on Drupal, why not use http://drupal.org/project/fb_social/? I have used this in D7 and D6 and I have never had a problem.
Pantheon should be able to handle a request to facebook for sure
thanks
Nick

Trying to get OAuth dialog to work

I am at this step in getting my app started in the documentation:
https://developers.facebook.com/docs/appsonfacebook/tutorial/#auth
In there is a code block that (supposedly) forwards the user to a request dialog asking permission to access certain bits of information about them. I've placed this code block into the PHP script that my canvas URL points to, and changed the $app_id and $canvas_page to my application ID and canvas URL respectively. Instead of getting the expected dialog, I receive the following error from Facebook:
"An error occurred. Please try again later."
No other details about the error are present. I've tried some variations of the script, and have even tried loading up this URL directly just to see if that would work. Note that I've replaced YOUR_APP_ID and YOUR_CANVAS_PAGE with the appropriate values and made sure that spelling and/or punctuation are correct:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE&scope=email,read_stream
For the redirect URL, I've tried prepending it with http://, https://, and no prefix at all. All with the same result.
My question: is the example in the documentation broken, or is the oauth link provided in the documentation currently down? The vague nature of the error is somewhat frustrating since I can't tell if it's something I'm doing wrong or if it's facebook's oauth function that's at fault.
So, the problem was that instead of using the numeric application ID that facebook assigned for me when I originally created the app as the YOUR_APP_ID parameter in the OAuth URL, I was using the application namespace string. Facebook didn't understand this sort of request, and returned the generic error message.
Once I used the numeric app ID, the OAuth dialog popped up to ask permission to access my account, as expected.
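As an added example, not code from the Facebook documentation or from the question, the JavaScript below builds the dialog URL from the tutorial and rejects the two mistakes discussed above before a request is sent: a namespace string where the numeric app ID belongs, and a redirect_uri without a scheme. The app ID and canvas page in the demo are constructed placeholders.

```javascript
// Added example (not from the Facebook docs or the question): build the
// OAuth dialog URL and fail early on the mistakes described above.
// client_id is the numeric app ID, not the app namespace; redirect_uri
// must be an absolute http(s) URL and is percent-encoded, not pasted raw.

const OAUTH_DIALOG = 'https://www.facebook.com/dialog/oauth';

function buildOAuthDialogUrl({ appId, redirectUri, scope = [] }) {
  if (!/^\d+$/.test(String(appId))) {
    throw new Error(`client_id must be the numeric app ID, got "${appId}" (looks like a namespace)`);
  }
  let target;
  try {
    target = new URL(redirectUri); // throws on "example.com/page" or a bare placeholder
  } catch (e) {
    throw new Error(`redirect_uri must be an absolute URL, got "${redirectUri}"`);
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    throw new Error(`redirect_uri must use http or https, got ${target.protocol}`);
  }
  const url = new URL(OAUTH_DIALOG);
  url.searchParams.set('client_id', String(appId));
  url.searchParams.set('redirect_uri', target.toString()); // encoded by URLSearchParams
  if (scope.length) url.searchParams.set('scope', scope.join(','));
  return url.toString();
}

// Stand-alone demo with constructed values: a placeholder numeric ID and
// canvas page, and the scope from the question.
const DEMO_DIALOG_URL = buildOAuthDialogUrl({
  appId: '123456789012345',
  redirectUri: 'https://apps.facebook.com/example-canvas/',
  scope: ['email', 'read_stream'],
});
console.log(DEMO_DIALOG_URL);
```

Rejecting a non-numeric client_id locally turns the generic "An error occurred" page into a specific message at the point where the value is set, which is the diagnosis the asker eventually reached by hand.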