Cannot force Firebase Realtime Database to use websockets only - Long polling blocked by CSP - firebase

I am busy creating a Google Chrome extension, and under the new rules of Manifest V3 you are no longer allowed to run any remote script; this gets blocked by the Content Security Policy (CSP).
Firebase Realtime Database has two ways of communicating: WebSockets being the primary, and long polling being the fallback or secondary.
The way it usually works is that if a WebSocket connection fails, it reverts to long polling, and if long polling is successful it goes back to WebSockets. But if your CSP is blocking the long poll, I am then stuck and the app can never connect again.
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
2.b786d402.chunk.js:2 Refused to load the script 'https://xxxx-default-rtdb.europe-west1.firebasedatabase.app/.lp?start=t&ser=75721928&cb=1&v=5&p=1:592645519845:web:db72abd212b7364c72170c&ns=tonews-default-rtdb' because it violates the following Content Security Policy directive: "script-src 'self'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
I can revert this by removing the extension and re-installing it.
I have found some posts online where it's mentioned I could just change my configuration.
The solution recommends just changing the 'databaseURL' field in the Firebase config to start with wss:// instead of https://.
This works for about a week or so, but thereafter I get stuck in CSP prison again... or does it? Hard to tell, since reinstalling the extension solves the problem anyway, and is required to apply the new changes.
package.json (dependency):
"firebase": "^9.6.1",
manifest.json:
{
  "name": "xxxx",
  "description": "xxxxxxxxxxx",
  "version": "1.0",
  "manifest_version": 3,
  "action": {
    "default_popup": "index.html",
    "default_title": "Open the popup"
  },
  "chrome_url_overrides": {
    "newtab": "index.html"
  },
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'",
    "sandbox": "sandbox allow-scripts; script-src 'self' 'https://apis.google.com/' 'https://www.gstatic.com/' 'https://*.firebaseio.com' 'https://*.firebasedatabase.app' 'https://www.googleapis.com' 'https://ajax.googleapis.com'; object-src 'self'"
  },
  "icons": {
    "16": "favicon-16x16.png",
    "48": "favicon-32x32.png",
    "128": "android-chrome-192x192.png"
  }
}
I'm honestly stuck and very frustrated, because even if I do find a fix, it's hard to verify it.
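The following is an added example, not code from the question, from Firebase or from Chrome. It shows three things a practitioner would want to check here: enough of CSP source matching to reproduce the console message above (including the script-src-elem -> script-src -> default-src fallback, and why the quoted host-sources in the question's sandbox policy can never match anything, since CSP host-sources are written unquoted); the databaseURL rewrite the question mentions, which switches the SDK to its WebSocket transport; and an extension_pages policy that keeps script-src 'self' while pinning connect-src to the one database host. The extension origin, database host and URLs are constructed for illustration.

```javascript
// Added example; not code from the question, Firebase or Chrome.
// The extension origin and database host below are constructed.

// "directive src src; directive src" -> Map(directive -> [sources])
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Fallback chains, as the browser message spells out.
const FALLBACK = {
  "script-src-elem": ["script-src-elem", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
};

function governingDirective(directives, directive) {
  for (const name of FALLBACK[directive] || [directive, "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no directive governs this fetch, so it is allowed
}

const DEFAULT_PORT = { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" };
// [scheme://][*.]host[:port|:*][/path]; a path is accepted but ignored here (simplification)
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/\S*)?$/i;

function sourceMatches(source, url, self) {
  if (source === "'self'") return url.protocol === self.protocol && url.host === self.host;
  // Any other quoted token is a keyword ('unsafe-eval', ...) or a quoted host.
  // Host-sources are never quoted, so a quoted host matches nothing.
  if (source.startsWith("'")) return false;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (url.protocol !== self.protocol && url.protocol !== "https:" && url.protocol !== "wss:") {
    return false; // no scheme in the source: the page's own scheme or a secure scheme (simplified)
  }
  const want = host.toLowerCase();
  const got = url.hostname.toLowerCase();
  if (wildcard ? !got.endsWith("." + want) : got !== want) return false;
  const gotPort = url.port || DEFAULT_PORT[url.protocol] || "";
  return !port || port === "*" || gotPort === port;
}

// Would `policy` let the page at `selfOrigin` load `urlString` under `directive`?
function isAllowed(policy, directive, urlString, selfOrigin) {
  const url = new URL(urlString);
  const self = new URL(selfOrigin);
  const governing = governingDirective(parseCsp(policy), directive);
  if (!governing) return { allowed: true, directive: null };
  return { allowed: governing.sources.some((s) => sourceMatches(s, url, self)), directive: governing.name };
}

// The config change the question mentions: https:// -> wss:// on databaseURL.
function forceWebsockets(firebaseConfig) {
  const dbUrl = firebaseConfig.databaseURL;
  if (!/^https:\/\//i.test(dbUrl)) throw new Error("expected an https:// databaseURL");
  return { ...firebaseConfig, databaseURL: dbUrl.replace(/^https:\/\//i, "wss://") };
}

// extension_pages policy: script-src stays 'self' (MV3 allows nothing remote
// there) and connect-src is pinned, so the page can only open a WebSocket to
// the database host rather than to arbitrary origins.
function extensionPagesCsp(databaseURL) {
  const host = new URL(databaseURL).host;
  return `script-src 'self'; object-src 'self'; connect-src 'self' wss://${host}`;
}

// Constructed values for the demonstration.
const SELF = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/index.html";
const DB = "https://example-default-rtdb.europe-west1.firebasedatabase.app";
const LONG_POLL = `${DB}/.lp?start=t&ser=1&cb=1&v=5&ns=example-default-rtdb`;
const WEBSOCKET = `${DB.replace(/^https/, "wss")}/.ws?v=5&ns=example-default-rtdb`;
const QUESTION_POLICY = "script-src 'self'; object-src 'self'";

console.log("long-poll script under the question's policy:", isAllowed(QUESTION_POLICY, "script-src-elem", LONG_POLL, SELF));
console.log("WebSocket under the question's policy:", isAllowed(QUESTION_POLICY, "connect-src", WEBSOCKET, SELF));
console.log("pinned extension_pages policy:", extensionPagesCsp(DB));
```

Two caveats on the matcher: it ignores paths, nonces and hashes, so it is a teaching aid rather than a policy linter. On the Firebase side, the long-polling transport works by injecting script elements, which is why it lands under script-src and can never be allowed in an MV3 extension_pages policy (Chrome rejects remote hosts in that directive outright); the only workable route is to keep the SDK off that transport. In my reading of the SDK's transport selection (an assumption, not something the question confirms), a failed WebSocket attempt is remembered in persistent storage and makes later sessions prefer long polling, which would explain both the "works for a week" symptom and why reinstalling the extension, which wipes its storage, clears it; a wss:// databaseURL bypasses that preference. The v9 SDK also exports forceWebSockets() from firebase/database, which disables the long-polling transport directly.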

Related

Firebase Storage CORS error in Vue.js and Nuxt.js

I am trying to download a .pdf stored in Firebase Storage from my web application (Vue.js + Nuxt.js),
but I got this error:
Access to fetch at
'https://firebasestorage.googleapis.com/v0/b/************o/chats%2F96U5ERFOmHBGswQhDhaR%2Fdc8c9b64-6bdb-4cd0-b0a9-f59e18f10113?alt=media'
from origin 'https://example.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested
resource. If an opaque response serves your needs, set the request's
mode to 'no-cors' to fetch the resource with CORS disabled.
What I have tried so far is to install @nuxtjs/proxy and configure it like this:
nuxt.config.js:
proxy: ["https://firebasestorage.googleapis.com/v0/b/*************"],
modules: [
  '@nuxtjs/proxy',
]
But the error is still there.
You need to make the changes on Firebase.
Create a file cors.json:
[
  {
    "origin": ["https://example.com"],
    "method": ["GET"],
    "maxAgeSeconds": 3600
  }
]
And upload it via gsutil (Windows):
gsutil cors set cors.json gs://<your bucket>

Get incoming referer domain from cherrypy.request behind nginx reverse proxy

I'm trying to check the website a user just came to my site from against a whitelist of allowed domains:
import cherrypy
try:
    from urllib.parse import urlparse  # Python 3
except ImportError:
    from urlparse import urlparse      # Python 2
referer = cherrypy.request.headers.get('Referer', '/').lower()
domain = urlparse(referer).netloc
if domain in ('mysite.org', 'whitelistedsite.com'):
    pass  # ... do stuff ...
But my CherryPy is sitting behind NGINX (as a reverse proxy), so I get nothing back.
('X-Forwarded-Host', 'this.org')
('Host', 'this.org')
How can I get around this? Or is it impossible without editing NGINX, which I cannot do?
More general information about cherrypy behind NGINX reverse-proxy is here
https://www.digitalocean.com/community/tutorials/how-to-deploy-cherrypy-web-applications-behind-nginx-reverse-proxy
The short answer is that Nginx shouldn't be masking the Referer. Nginx will mask the Host header, and you need to use the proxy tool in order for cherrypy.request.remote.ip and cherrypy.request.base to be set based on the host the original agent sent. But Referer should be passed unchanged.
It's possible (though it seems unlikely) that your hosting provider would remove the Referer header.
For example, I have a service that will echo the request headers with this handler:
class System:
    @cherrypy.expose
    def headers(self):
        return cherrypy.request.headers
That server is sitting behind Nginx, and when I make a request to it with a referer, I see it in the output:
proj master $ curl https://api.tentob.com/system/headers/ -H 'Referer: jaraco did it'
{"Remote-Addr": "::1", "Host": "svc.example.com", "X-Real-Ip": "99.99.99.99", "X-Forwarded-For": "99.99.99.99", "X-Forwarded-Host": "svc.example.com", "X-Forwarded-Proto": "https", "Connection": "close", "User-Agent": "curl/7.54.0", "Accept": "*/*", "Referer": "jaraco did it"}
So your implementation as shown looks like it should work to me.
You should be careful, though. As you can see, it would be trivially easy for an attacker to supply any old Referer they wish.
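As an added example (not code from the question or the answer), here is the same allowlist check written for a Node-style request object, i.e. a headers object with lowercase names. It handles the cases the Python snippet glosses over, namely a Referer carrying a port (netloc would include it and the comparison would fail), a Referer that is not a URL at all, and look-alike hosts such as mysite.org.attacker.example, and it demonstrates the answer's point that a forged Referer passes the check just as well. The header values and hostnames are constructed for illustration.

```javascript
// Added example, not from the question or answer; headers and hosts are constructed.

const ALLOWED_HOSTS = new Set(["mysite.org", "whitelistedsite.com"]);

// Hostname from the Referer header, or null if it is absent or not a URL.
function refererHost(headers) {
  const raw = headers["referer"];
  if (!raw) return null;
  try {
    // hostname, not host: "mysite.org:8443" would never equal "mysite.org"
    return new URL(raw).hostname.toLowerCase();
  } catch (e) {
    return null; // e.g. "jaraco did it" from the curl example above is not a URL
  }
}

// Exact-match allowlist. A substring or endsWith test would let
// "mysite.org.attacker.example" through.
function refererAllowed(headers, allowed = ALLOWED_HOSTS) {
  const host = refererHost(headers);
  return host !== null && allowed.has(host);
}

// Roughly what nginx hands the app in the answer's echo output: Referer intact.
const PROXIED = {
  "host": "svc.example.com",
  "x-forwarded-host": "svc.example.com",
  "x-forwarded-proto": "https",
  "referer": "https://mysite.org:8443/landing?x=1",
};

// The client chooses the header value; this passes the check all the same.
const FORGED = { "host": "svc.example.com", "referer": "https://whitelistedsite.com/" };

console.log("proxied request allowed:", refererAllowed(PROXIED));
console.log("forged request allowed:", refererAllowed(FORGED));
```

Because the value is client-supplied, and because browsers routinely omit or truncate it under Referrer-Policy and privacy settings, treat this as a soft signal for logging or routing, never as an authorization gate.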

Multi-container docker on AWS - Nginx use host machine /etc/hosts resolver

Cross-post from ServerFault
Since I have seen similar issues posted here, I will cross-post my question from ServerFault (https://serverfault.com/questions/855120/multi-container-docker-on-aws-nginx-use-host-machine-etc-hosts-resolver). I hope this is permitted.
I have a multi-container docker environment on Amazon Elastic Beanstalk with the following Dockerrun.aws.json file:
{
"AWSEBDockerrunVersion": 2,
"containerDefinitions": [
{
"name": "web",
"memoryReservation": 256,
"image": "my/nginx/repo/image",
"portMappings": [
{
"hostPort": 80,
"containerPort": 80
}
],
"links": [
"api"
],
"essential": true
},
{
"name": "api",
"memoryReservation": 256,
"image": "my-api/repo",
"essential": true,
"portMappings": [
{
"hostPort": 3000,
"containerPort": 80
}
]
}
]
}
Ultimately I want the Node app served by nginx to resolve requests to named addresses from linked containers, so in my web image (Node app) I'd like to make a request to http://api/some/resource and let nginx resolve that to the api container.
Now, since Docker adds a host entry for the api container due to the specified link, I want the nginx server to resolve addresses from the host's /etc/hosts file; however, as I found out, nginx uses its own resolver. After researching the issue a bit I found out that in non-Elastic Beanstalk multi-container solutions and with user-defined networks, the resolver would be provided by Docker on 127.0.0.11; however, since it is currently not possible to define user-defined networks in the Dockerrun.aws.json, I keep looking for a different solution. The links can be resolved inside the container (pinging api does work); however, nginx does its own thing there.
I have read about dnsmasq as well; however, I wanted to get this running without installing this package. Do I even have a choice here?
This is a service discovery topic, and I don't think this solution is in the right direction.
It is valid that links can be resolved to the App's IP; however, it must follow the starting order: App first and then Nginx. If the App is recreated or scales after Nginx started, /etc/hosts in Nginx won't be changed. It is possible to recreate Nginx to update /etc/hosts, but then all the connections to Nginx will be disconnected.
Since you are using Amazon Elastic Beanstalk, I think a better solution is to use Consul (service discovery) + Registrator (service registration) + Nginx (with SRV support: Plus or third party).
Personally, I have done a similar thing without AEB. I am using Docker Swarm (service discovery + service registration) + Nginx (with a modified HAproxy-SRV).
I hope this answer can help your decision.

Embed Jupyterlab to website

Can I embed JupyterLab into a website? Currently it throws a frame-ancestors 'self' error. Is it possible to change some configuration to allow embedding this in an iframe?
Yes. The default setup of both JupyterHub and the single-user Jupyter Notebook/Lab server is configured to prohibit outside domains from embedding the page. As a workaround, you can include your domain in the frame-ancestors directive:
jupyterhub_config.py:
c.JupyterHub.tornado_settings = {
    'headers': {
        'Content-Security-Policy':
            "frame-ancestors 'self' http://yourdomain.com"
    }
}
jupyter_notebook_config.py:
c.NotebookApp.tornado_settings = {
    'headers': {
        'Content-Security-Policy':
            "frame-ancestors 'self' http://yourdomain.com"
    }
}
If you are using a Kubernetes-based setup for the deployment, the configuration is slightly different and involves writing/building a Dockerfile of the single-user server with these configurations. You can check out my GitHub repo that I created a while back that will walk you through these steps.

it violates the following Content Security Policy directive

I just started to learn Cordova. I created a project according to this URL. This project runs OK in the Ripple emulator, but when I try to run it in the Google Android emulator it cannot get the weather, and displays the following information:
Refused to connect to 'https://query.yahooapis.com/v1/public/yql?q=select+*+from+weather.forecast+where+location=98052&format=json' because it violates the following Content Security Policy directive: "default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
jquery-2.1.4.min.js (4,14349)
Should I do something else to make this project run normally in the Google Android emulator?
Check this:
http://content-security-policy.com/#source_list
Fix: in the source app directory, in www\index.html, in
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
I change 'self' to '*':
content="default-src * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *"
