Why the URL is refused but it is in the frame-ancestors - iframe

The URL https://keycloak.uedasoft.com/ is refused as an ancestor of the iframe by Chrome, but, contradictorily, the error also reports that it is specified in frame-ancestors, as follows:
Refused to frame 'https://keycloak.uedasoft.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://keycloak.uedasoft.com/".
What is the possible cause?

It seems to be just Chrome's inappropriate error message. Firefox reported it as follows:
404 Not Found
Actually, I've confirmed that Firefox's message is correct for the root cause.

Related

How to fix refused to load the script https://maps.googleapis.com/maps/api/... because it violates the following Content Security Policy

I got an issue and cannot use use-places-autocomplete; I have tried to fix it but still have not resolved it.
In my local env, loading the Google Maps script gives no issue, but in the production env I get the following error.
Refused to load the script 'https://maps.googleapis.com/maps/api/js?v=weekly&key=xxxxxyyyyyyddđd&libraries=places&language=vi' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com connect.facebook.net www.googleadservices.com www.google-analytics.com googleads.g.doubleclick.net onesignal.com tpc.googlesyndication.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
This is what I tried, but it still does not fix it:
<meta httpEquiv="Content-Security-Policy" content="script-src 'self' 'unsafe-eval' 'unsafe-inline' developers.google.com maps.googleapis.com https://www.googletagmanager.com https://connect.facebook.net https://www.googleadservices.com https://www.google-analytics.com https://googleads.g.doubleclick.net https://onesignal.com https://tpc.googlesyndication.com;" />
And I don't know where the other sources are called from, because I don't use them, e.g. www.googletagmanager.com, connect.facebook.net, www.googleadservices.com, www.google-analytics.com, googleads.g.doubleclick.net, ...
Looking forward to all the helpers. Thanks all.
Source:
NextJS: 11.1.2
You are on the right track (I mean adding maps.googleapis.com into script-src), but it looks like you already published a CSP via HTTP header, therefore your <meta> tag is not working.
Check if you already have a CSP header; a manual is here.
If you already have a CSP header, you need to make corrections to it, and not publish a second CSP in the meta tag.
It is very likely that your CSP header is published by the Helmet middleware, which is in your NodeJS dependencies.
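An added example (not from either question or the answer above) that applies CSP source matching to both situations on this page: a frame-ancestors directive checked against candidate embedding origins, and a script load that has to satisfy every delivered policy, HTTP header and <meta> alike, which is why a looser meta policy cannot widen a stricter header policy. The origins shop.example.test and portal.example.test used with it are constructed; wildcard ports and redirects are left out.

```python
from urllib.parse import urlsplit

# Split a serialized policy ("a b; c d") into {directive: [source, ...]}.
def parse_policy(policy):
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

# Does one source expression admit the URL? Covers 'self', scheme sources ("blob:") and
# host sources with optional scheme, "*." wildcard, port and path; keywords never match.
def source_matches(source, url, page_origin):
    u = urlsplit(url)
    host, path = u.hostname or "", u.path or "/"
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, host, u.port) == (p.scheme, p.hostname or "", p.port)
    if source.startswith("'"):          # 'unsafe-inline', 'none', hashes, nonces
        return False
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1].lower()
    has_scheme = "://" in source
    s = urlsplit(source if has_scheme else "https://" + source)  # host source
    scheme_ok = u.scheme == s.scheme.lower() if has_scheme else u.scheme in ("http", "https")
    host_ok = s.hostname == host or (
        s.hostname.startswith("*.") and host.endswith(s.hostname[1:]))
    port_ok = s.port is None or s.port == (u.port or {"http": 80, "https": 443}.get(u.scheme))
    path_ok = not s.path or (path.startswith(s.path) if s.path.endswith("/") else path == s.path)
    return scheme_ok and host_ok and port_ok and path_ok

# A script must pass EVERY delivered policy (HTTP header and <meta> alike), each
# resolved through the script-src-elem -> script-src -> default-src fallback.
def script_allowed(policies, url, page_origin):
    for policy in policies:
        d = parse_policy(policy)
        keys = [k for k in ("script-src-elem", "script-src", "default-src") if k in d]
        if keys and not any(source_matches(s, url, page_origin) for s in d[keys[0]]):
            return False
    return True

# frame-ancestors comes from the framed document's own policy; every ancestor in
# the chain must match one source and there is no fallback to default-src.
def frame_ancestors_allowed(framed_policy, framed_origin, ancestor_urls):
    sources = parse_policy(framed_policy).get("frame-ancestors")
    if sources is None:
        return True
    return all(any(source_matches(s, a, framed_origin) for s in sources) for a in ancestor_urls)
```

With the first question's directive, only keycloak.uedasoft.com itself passes as an ancestor; with the second question's two policies, maps.googleapis.com is refused as long as the header policy omits it.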

Chrome extension not allowing external scripts from firebase

I have added the following content security policy in my manifest
"content_security_policy":"script-src 'self' https://www.gstatic.com/ https://*.firebaseio.com https://www.googleapis.com; object-src 'self'",
and have the following code in the header of my HTML file:
<script src="https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js"></script>
And yet I still get this issue when loading firebase/gstatic scripts in my popup html:
Refused to load the script 'https://www.gstatic.com/firebasejs/7.11.0/firebase-app.js' because it violates the following Content Security Policy directive: "script-src 'self' blob: filesystem:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I have 3 other scripts that are also to be loaded in the header from gstatic, but they also fail. What am I doing wrong?

How to set X-FRAME-OPTIONS header in Jboss?

I need to load an HTML file in an iframe but I get the following error:
Refused to display 'http://localhost:8080/xxxxxx/resources/xxxxx.html' in a frame because it set 'X-Frame-Options' to 'DENY'.
How do I set the X-FRAME-OPTIONS header in my JBoss server? I think I must do it in the standalone.xml file, but I'm not sure.
Thanks!

CSP style-src failing to recognize SHA?

Here is the direct error message I am getting from the Chrome dev tools:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-1nVQdHiAzq+yQt4PZ8OE7a29XlxBFIzESqqj+rz4Jdc=' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-1nVQdHiAzq+yQt4PZ8OE7a29XlxBFIzESqqj+rz4Jdc='), or a nonce ('nonce-...') is required to enable inline execution.
Now it seems to me that it is saying that the policy with the hash doesn't contain the needed hash. Am I missing something in my syntax? I get the CSP error from Firefox as well (though with fewer details).
Here's the header directly:
Content-Security-Policy:default-src 'self'; style-src 'sha256-1nVQdHiAzq+yQt4PZ8OE7a29XlxBFIzESqqj+rz4Jdc=' 'self';
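An added check, not part of the question above: recompute the hash from the exact text between the style tags, because the browser hashes those bytes verbatim, so any whitespace that differs from what was originally hashed yields a different digest and the same refusal. The inline style and policy it is run against are constructed.

```python
import base64
import hashlib
import re

# Hash an inline <style> body exactly as the browser does: the text between the tags,
# whitespace included, SHA-256 of its UTF-8 bytes, base64, with the "sha256-" prefix.
def csp_hash(inline_source):
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

# Collect the hash sources ('sha256-...', 'sha384-...', 'sha512-...') one directive lists.
def hashes_in_policy(policy, directive):
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.strip("'") for t in tokens[1:] if t.startswith("'sha")]
    return []

# Return the inline <style> bodies in the HTML whose hash the policy does not list,
# i.e. the ones a browser enforcing this style-src would refuse to apply.
def unmatched_inline_styles(html, policy):
    allowed = set(hashes_in_policy(policy, "style-src"))
    blocks = re.findall(r"<style[^>]*>(.*?)</style>", html, flags=re.S | re.I)
    return [b for b in blocks if csp_hash(b) not in allowed]
```

Comparing the returned list against the header shows whether the served bytes and the hashed bytes are really the same; a leading newline inside the style element is enough to make them differ.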

Font from origin blocked using font-awesome

Today I tried hosting the font-awesome CSS files and font files on my CDN, and ran into a problem. When loading the page, the Google Chrome console displays the following message.
Font from origin 'http://cdn.craftrp.co.uk' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://craftrp.co.uk' is therefore not allowed access.
I have added the following code to a .htaccess file; I have one in the root and one in the fonts folder, with the following code inside the .htaccess file:
<FilesMatch "\.(eot|ttf|otf|woff)$">
    # match font files by extension (escaped dot, anchored); needs mod_headers
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>
I also tried the code supplied by Bootstrap, https://www.maxcdn.com/one/tutorial/htaccess-example-collection//
But it still remained in error...
