Could not set the accurate content security policy in Angular4 - javascript

I am getting the following error while setting the content-security-policy.
Error:
Refused to connect to 'http://localhost:3000/articles' because it
violates the following Content Security Policy directive: "default-src
'self' 'unsafe-eval' ws:". Note that 'connect-src' was not explicitly
set, so 'default-src' is used as a fallback.
I am explaining my code below.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">
In my code I am also connecting to a JSON server to read/write the data into a JSON file, which runs at http://localhost:3000/articles, but here I am getting the related error, and this is my Angular 4 code. I need some help to resolve this error.

If I understand your question right, I think your Angular app runs on localhost:4200 and the API service on localhost:3000? This would explain why you have got that CSP warning, as the request is from a different source according to your current CSP configuration.
Also, ideally, the CSP should be delivered via HTTP header, which means you will need some kind of server backing to support that. For example, you can have an ASP.NET app that hosts the Angular app, and the CSP can then be configured via the web.config file.
In your case, if it's purely frontend, then perhaps you could alter your CSP setting to something like this. Hopefully it works for you.
<meta http-equiv="Content-Security-Policy"
content="default-src 'self' http://localhost:3000/ 'unsafe-eval' ws:;
style-src 'self' 'unsafe-inline';
script-src 'self' http://localhost:4200 'unsafe-inline' 'unsafe-eval';">

Related

CSP, Refused to load the script, violates the following Content Security Policy directive: "script-src 'self'"

Can someone explain to me how I can add a CSP meta tag to my header?
I tried adding different meta tags to my header but I get more errors from CSP
<meta http-equiv="Content-Security-Policy" content="default-src 'self' https:*//api.mapbox.com/mapbox-gl-js/v2.3.1/mapbox-gl.js;">
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data:gap 'unsafe-eval' ws: ; style-src 'self' 'unsafe-inline' script-src *; media-src *; font-src *; connect-src *; img-src 'self' data: content:;">
console error stack
It looks like you already have a CSP published via an HTTP header, because the console error says:
it violates the following Content Security Policy directive "default-src 'self'"
while your meta tag contains other default-src sources: default-src 'self' https:*//api.mapbox.com/mapbox-gl-js/v2.3.1/mapbox-gl.js
You can check the CSP response HTTP header that you have; the tutorial is here.
In this case, by adding a meta tag you'll have 2 CSPs which work independently of each other, therefore the CSP in the HTTP header will continue to block your scripts.
Node.js has the Helmet middleware in its dependencies; Helmet 4 automatically publishes a default CSP via HTTP header. Check it.
In this case you have 2 options:
disable Helmet's CSP: app.use( helmet({ contentSecurityPolicy: false, }) ); and use a meta tag.
configure CSP header via Helmet (preferred way).
BTW you have errors in the:
default-src 'self' data:gap 'unsafe-eval' ws: ; style-src 'self' 'unsafe-inline' script-src *; media-src *; font-src *; connect-src *; img-src 'self' data: content:;
data:gap is a wrong source; use data: or data: gap: depending on what you need.
missing ; before script-src

Cordova issue with $.getJSON API

I'm working on developing an app for a university project using Cordova, so it's my first time using it. As part of it, I've managed to implement an API from Reed Jobs and this is working fine in Chrome, however it won't work on the iOS emulator - there are no errors but the page just doesn't load any data.
I'm using $.getJSON("reed.php", function(data) in my JavaScript to call my data, and then my PHP is as follows...
<?php
$username = "username";
$password = "";
$remoteUrl = 'https://www.reed.co.uk/api/1.0/search?locationName=leeds&distancefromlocation=15&partTime=true&temp=true';
$opts = array(
    'http' => array(
        'method' => "GET",
        'header' => "Authorization: Basic " . base64_encode("$username:$password")
    )
);
$context = stream_context_create($opts);
// Open the file using the HTTP headers set above
$file = file_get_contents($remoteUrl, false, $context);
print($file);
?>
After reading some suggestions, I've tried adding <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;**script-src 'self' https://www.reed.co.uk/ 'unsafe-inline' 'unsafe-eval';** "> to my HTML page, but this presents me with a list of errors in my console:
Unrecognized Content-Security-Policy directive '**script-src'.
Unrecognized Content-Security-Policy directive '**'.
Refused to load the script 'https://code.jquery.com/jquery-3.3.1.min.js' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'https://use.fontawesome.com/releases/v5.6.3/css/all.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Poppins:300,500,700,900' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Refused to load the script 'https://code.jquery.com/jquery-3.3.1.min.js' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Uncaught ReferenceError: $ is not defined
at index.js:31
Uncaught ReferenceError: $ is not defined
at window.onload
And then I also tried adding <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'; connect-src http://reed.co.uk https://reed.co.uk"> which gave me the error of:
Refused to connect to 'https://example.com/reed.php' because it violates the following Content Security Policy directive: "connect-src http://reed.co.uk https://reed.co.uk".
Can anybody help me? My understanding of the meta tags is not very established.
Your CSP is set to http://reed.co.uk https://reed.co.uk, but your call points to https://example.com.
Try this?
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'; connect-src http://reed.co.uk https://reed.co.uk https://example.com">
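Across the Angular, mapbox and Cordova threads above the browser's complaint is the same one: the requested URL is not in the effective source list, where "effective" means connect-src when it is set and default-src otherwise, exactly as the quoted messages say. The checker below is an added example, not code from any of the posts. It parses a policy, applies that fallback, matches a request URL against each source expression following the CSP3 host-source rules (an http source also covers https, a path ending in "/" matches as a prefix, "'self'" compares origins), and lints the two syntax slips called out in the mapbox answer ("data:gap" and the missing ";" before script-src). Every policy and URL it exercises is constructed from the error messages quoted on this page.

```javascript
// Added example, not code from any of the posts above. Policies and URLs
// below are constructed from the error messages quoted in the threads.

// Fetch directives that fall back to default-src when not set explicitly.
const FETCH_DIRECTIVES = new Set([
  "connect-src", "script-src", "style-src", "img-src", "font-src",
  "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "name src src; name src" -> Map(name -> [src, ...]); first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Syntax checks from the mapbox answer: a directive name sitting in a source
// list means a ';' was dropped, and "scheme:junk" such as "data:gap" or
// "https:*//host" is neither a scheme source ("data:") nor a host source.
function lintCsp(policy) {
  const problems = [];
  for (const [name, sources] of parseCsp(policy)) {
    for (const src of sources) {
      const m = /^([a-z][a-z0-9+.-]*):(.*)$/i.exec(src);
      if (src === "default-src" || FETCH_DIRECTIVES.has(src)) {
        problems.push(`${name}: '${src}' appears as a source; missing ';' before it`);
      } else if (m && m[2] !== "" && !m[2].startsWith("//") && !/^\d+$/.test(m[2])) {
        problems.push(`${name}: '${src}' is not a valid source expression`);
      }
    }
  }
  return problems;
}

// An http source also covers https requests, and ws covers wss.
function schemeMatches(source, actual) {
  return source === actual || (source === "http" && actual === "https") ||
    (source === "ws" && actual === "wss");
}

// "*" matches any host, "*.example.com" any subdomain, otherwise exact.
function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    return hostname.endsWith(pattern.slice(1)) && hostname.length > pattern.length - 1;
  }
  return pattern === hostname;
}

// Does one source expression permit `url` for a document at `self`?
function sourceAllows(expr, url, self) {
  if (expr === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false;            // 'none', 'unsafe-*', nonces, hashes
  const urlScheme = url.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.slice(0, -1).toLowerCase(), urlScheme);
  // Host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches((scheme || self.protocol.slice(0, -1)).toLowerCase(), urlScheme)) return false;
  if (!hostMatches(host.toLowerCase(), url.hostname.toLowerCase())) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port ? (port !== "*" && port !== urlPort) : url.port !== "") return false;
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// May a page at documentUrl use `directive` to reach requestUrl? When the
// directive is absent, default-src is used, exactly as the console says.
function checkRequest(policy, directive, documentUrl, requestUrl) {
  const directives = parseCsp(policy);
  const self = new URL(documentUrl);
  const url = new URL(requestUrl);
  let effective = directive;
  if (!directives.has(effective)) {
    if (!FETCH_DIRECTIVES.has(directive) || !directives.has("default-src")) {
      return { allowed: true, effective: null, sources: "" };
    }
    effective = "default-src";
  }
  const sources = directives.get(effective);
  const allowed = sources.some((expr) => sourceAllows(expr, url, self));
  return { allowed, effective, sources: sources.join(" ") };
}

// Constructed walkthrough of the Angular, Cordova and mapbox threads.
const angularBefore = "default-src 'self' 'unsafe-eval' ws:; style-src 'self' 'unsafe-inline'";
const angularAfter = "default-src 'self' http://localhost:3000/ 'unsafe-eval' ws:; style-src 'self' 'unsafe-inline'";
const cordovaBefore = "default-src *; connect-src http://reed.co.uk https://reed.co.uk";
const cordovaAfter = cordovaBefore + " https://example.com";
const mapboxTypos = "default-src 'self' data:gap 'unsafe-eval' ws: ; style-src 'self' 'unsafe-inline' script-src *";

console.log(checkRequest(angularBefore, "connect-src", "http://localhost:4200/", "http://localhost:3000/articles"));
console.log(checkRequest(angularAfter, "connect-src", "http://localhost:4200/", "http://localhost:3000/articles"));
console.log(checkRequest(cordovaBefore, "connect-src", "https://example.com/", "https://example.com/reed.php"));
console.log(checkRequest(cordovaAfter, "connect-src", "https://example.com/", "https://example.com/reed.php"));
console.log(lintCsp(mapboxTypos));
```

The first call reports the Angular failure with effective "default-src", because connect-src is absent and 'self' (localhost:4200) does not cover localhost:3000; the second passes once http://localhost:3000/ is listed. The Cordova pair behaves the same way for https://example.com, and lintCsp returns exactly the two problems the mapbox answer names. The matcher deliberately ignores redirects, nonces and hashes, which do not affect these connect-src decisions.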

Chrome extension fetch API - Content Security Policy

My Chrome extension should fetch some remote resources from a 3rd-party API through an HTTP request.
const getBoards = callback => {
  fetch("https://gloapi.gitkraken.com/v1/glo/boards", {
    credentials: "include"
  })
    .then(response => { ... })
    .catch(err => { ... });
};
Unfortunately it throws the following error:
Refused to connect to 'https://gloapi.gitkraken.com/v1/glo/boards' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
After a bit of research, I found the Chrome requirement to include the URL in the manifest permissions and CSP string.
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self' gloapi.gitkraken.com; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:;"
But instead of solving the first error, these changes just caused another:
Ignored insecure CSP value "gloapi.gitkraken.com" in directive 'default-src'.
Is my CSP formatting wrong, or is there something else I should do in order to make this GET HTTP request work?
After a bit more of research I found a solution. The URL of the GitKraken API should be in connect-src property, instead of default-src. So my manifest now looks like this:
"permissions": [ ..., "https://gloapi.gitkraken.com/" ],
"content_security_policy": "default-src 'self'; script-src 'self' 'sha256-[...]'; style-src * 'unsafe-inline'; img-src 'self' data:; connect-src https://gloapi.gitkraken.com/;"
More information:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src#Syntax

Changing the CSP of an Ember.js Addon Dummy App

I'm working on an Ember addon leveraging PDF.js and ember-cli at version 2.18.2, and I'm noticing that PDF.js injects inline styles. The Content-Security-Policy-Report-Only header specifies style-src 'self'; which results in the logs of ember serve exploding with CSP violations being reported to the server via the report-only URI with the following message:
Content Security Policy violation:
{
  "csp-report": {
    "document-uri": "http://localhost:4200/tests/index.html?testId=46b61910",
    "referrer": "http://localhost:4200/tests/index.html",
    "violated-directive": "style-src",
    "effective-directive": "style-src",
    "original-policy": "default-src 'none'; script-src 'self' localhost:7020 0.0.0.0:7020 undefined:7020; font-src 'self'; connect-src 'self' ws://localhost:7020 ws://0.0.0.0:7020 ws://undefined:7020 http://localhost:4200; img-src 'self'; style-src 'self'; media-src 'self'; report-uri http://localhost:4200/csp-report;",
    "disposition": "report",
    "blocked-uri": "inline",
    "line-number": 5270,
    "column-number": 23,
    "source-file": "http://localhost:4200/assets/test-support.js",
    "status-code": 200,
    "script-sample": ""
  }
}
Seeing as the applications we're building that will consume this addon control their own CSP and allow for inline styling, I'd like to disable these warnings but am having difficulty tracking down how to do so.
Is it possible to customize the report-only CSP in an Ember.js addon's dummy app?
Setting CSP options is supported via the ember-cli-content-security-policy addon.
Providing the following configuration in tests/dummy/config/environment.js will prevent the usage of inline styling from having warnings reported by the console and serve logs:
module.exports = function(environment) {
  var ENV = {
    // ...
    contentSecurityPolicy: {
      'style-src': ["'self'", "'unsafe-inline'"],
      // ...
    },
    // ...
  };
  return ENV;
};

Error: Opening Robot Framework log failed

If I open any .html file generated by Robot Framework and try to convert it into any other format (for example, docx format) using either any Python code or an inbuilt command line tool that is available, I am getting the below error:
Opening Robot Framework log failed
• Verify that you have JavaScript enabled in your browser.
• Make sure you are using a modern enough browser. Firefox 3.5, IE 8, or equivalent is required, newer browsers are recommended.
• Check are there messages in your browser's JavaScript error log. Please report the problem if you suspect you have encountered a bug.
I am getting this error even though I have already enabled JavaScript in my browser. I am using Mozilla Firefox version 45.0.2 on Mac.
Can anyone please help me to solve this issue?
The answer is explained in the Jenkins issue tracking system: https://issues.jenkins-ci.org/browse/JENKINS-32118
To resolve your problem you must:
Connect on your Jenkins URL (http://[IP]:8080/)
Click on Manage Jenkins from left side panel.
Click on Script Console
Copy this into the field
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP","sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;")
Click on Run button.
Execute your Jenkins build.
I managed to make it work by editing the file /etc/sysconfig/jenkins and adding
-Dhudson.model.DirectoryBrowserSupport.CSP=
to the JENKINS_JAVA_OPTIONS setting. On my installation, the setting looks like
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP= "
Then restart Jenkins:
service jenkins restart
Sources
https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy
System properties management
We used to face the same issue; however, since we did not have access to Jenkins, we could do it on the client side by installing a CSP plugin on Chrome and enabling the plugin.
Running the below code in the Script Console of Manage Jenkins will work:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP","sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;")
But whenever you start Jenkins you have to execute this every time. Instead, if you set this when you are starting Jenkins by using a batch file with the below code, it will be better than this process:
java -Dhudson.model.DirectoryBrowserSupport.CSP="sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;" -jar jenkins.war
The easiest thing to do (if there are no worries about security aspects) is also a permanent fix:
open the jenkins.xml file and
add the following
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -Dhudson.model.DirectoryBrowserSupport.CSP="" -jar "%BASE%\jenkins.war" -- httpPort=8080 --webroot="%BASE%\war"</arguments>
restart the Jenkins server
rerun your Jenkins jobs to see the result files.
If we are using the Script Console, every time you restart the Jenkins server the changes will be lost.
The accepted answer works for me but is not persistent. To make it persistent, modify the file /etc/default/jenkins and after JAVA_ARGS line, add the following line:
JAVA_ARGS="$JAVA_ARGS -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;\""
The change will apply and be persistent after reboot.
Please follow these steps to configure content security policies around Jenkins; this should resolve the issue:
1. Go to Jenkins
2. Click on Manage Jenkins
3. Click on Script Console
4. Enter the unset-header text shown in Content Security Policies: System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "")
5. Click Run
The output should just show Result. If you see anything other than this, that means the content policy was not updated successfully.
If you are still facing the issue, please add the error details and what you tried, so we will be able to help you.
The configuration change persists for me with Jenkins 2.235.2 installed via yum on CentOS 7 by placing the following content in a new file at $JENKINS_ROOT/init.groovy, changing ownership of the file to the jenkins user, and then restarting Jenkins with service jenkins restart:
import jenkins.model.Jenkins;
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP","sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;");
For me, editing JAVA_ARGS in /etc/default/jenkins didn't work. To make the changes permanent on Ubuntu 18.04 LTS when running Jenkins as a service, I did the following:
Run service jenkins status and from the second line take the path to the actual service configuration file; mine was: /lib/systemd/system/jenkins.service
Run sudo vim /lib/systemd/system/jenkins.service and find the property Environment= under the comment Arguments for the Jenkins JVM
Paste: -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-scripts; default-src 'none'; img-src 'self' data: ; style-src 'self' 'unsafe-inline' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ;\" behind -Djava.awt.headless=true
Run sudo service jenkins stop; you should see the following warning: Warning: The unit file, source configuration file or drop-ins of jenkins.service changed on disk. Run 'systemctl daemon-reload' to reload units.
Run sudo systemctl daemon-reload
Run sudo service jenkins start
You should now be able to browse Robot Framework results after the restart.