Is there a way to precompile Vue 3 templates for client-side rendering using Vite to avoid 'unsafe-eval' errors? It seems like Vue-Loader allowed template precompilation, but I am not finding the same option in Vite. Am I missing something?
I am not using any middleware in NextJS, but there is still a _middlewareManifest.js with self.__MIDDLEWARE_MANIFEST=[];self.__MIDDLEWARE_MANIFEST_CB&&self.__MIDDLEWARE_MANIFEST_CB() in it.
Can I disable the generation and inclusion of this file in some way?
I am trying to get Browser Link to work on a .NET Core ASP.NET application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:
This is what I have in the shared layout used by all views:
This is the source rendered on the browser (Chrome) when pressing Ctrl+U:
The part that is confusing is that the error messages in the console say that default-src is set to 'self', which is clearly not the case; I am specifying default-src https://localhost:*;
Am I missing something here, or is this a Google Chrome issue? Maybe it is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.
The part that is confusing is that the error messages in the console say that default-src is set to 'self', which is clearly not the case; I am specifying default-src https://localhost:*;
That's because your ASP.NET app also publishes a CSP via an HTTP header (you can see it).
So you have two CSPs delivered: one via the meta tag and a second via the HTTP header. In this case both are applied, one after the other, and the strictest one blocks.
Check web.config file for lines like:
<add name="Content-Security-Policy" value="default-src 'self'" />
<content-Security-Policy enabled="true">
Also check the NWebsec NuGet package settings; it can publish the CSP header via the web.config file, via middleware, or via MVC attributes:
The NWebsec.AspNetCore.Mvc package provides CSP configuration via MVC attributes.
The NWebsec.AspNetCore.Mvc.TagHelpers package includes tag helpers to manage the script and style 'nonces'.
The NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.
You have to use either the meta tag or the HTTP header to publish the Content Security Policy, but not both at the same time.
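The following Python script is an added example, not code from this answer or from NWebsec. It models what the browser does when a page receives more than one policy: each policy is evaluated on its own, with the directive fallback chain Chrome names in its console messages (script-src-elem falls back to script-src and then default-src; child-src falls back to default-src), and a load goes through only if every delivered policy permits it. The page origin, ports and URLs are constructed for the scenario in this question (a meta tag allowing https://localhost:* next to a header that only allows 'self'); host matching is simplified (no path matching) and is an approximation of the CSP3 rules rather than a full implementation.

```python
"""Model the evaluation of several Content Security Policies at once.

Added example (not from the answer above or from any CSP library).
Simplifications: path matching and nonce/hash sources are ignored.
"""
from urllib.parse import urlparse

# Directive fallback chains as reported by Chrome (simplified from CSP3).
FALLBACKS = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "child-src": ["child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "img-src": ["img-src", "default-src"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(policy):
    """Turn "dir1 a b; dir2 c" into {"dir1": ["a", "b"], "dir2": ["c"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _match_source(expr, url, page_origin):
    """Does one source expression permit this URL? (host paths ignored)"""
    expr_l = expr.lower()
    parsed = urlparse(url)
    page_scheme = page_origin.split("://", 1)[0]
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}".lower() == page_origin.lower()
    if expr_l.startswith("'"):          # other keywords never match a URL
        return False
    if expr_l == "*":
        return parsed.scheme not in ("blob", "data", "filesystem")
    if expr_l.endswith(":"):            # scheme source, e.g. "blob:" or "https:"
        return parsed.scheme == expr_l[:-1]
    # Host source: [scheme://]host[:port]
    scheme, _, rest = expr_l.partition("://") if "://" in expr_l else ("", "", expr_l)
    host, _, port = rest.split("/", 1)[0].partition(":")
    wanted_scheme = scheme or page_scheme
    # Matching scheme, or an https upgrade of an http expression, is allowed.
    if parsed.scheme != wanted_scheme and not (wanted_scheme == "http" and parsed.scheme == "https"):
        return False
    if parsed.hostname is None:
        return False
    if host.startswith("*."):
        if not parsed.hostname.endswith(host[1:]):
            return False
    elif parsed.hostname != host:
        return False
    url_port = parsed.port or DEFAULT_PORTS.get(parsed.scheme)
    if port == "*":
        return True
    if port:
        return str(url_port) == port
    return url_port == DEFAULT_PORTS.get(parsed.scheme)


def allowed_by_policy(policy, directive, url, page_origin):
    """Return (allowed, governing_directive) for a single parsed policy."""
    for name in FALLBACKS.get(directive, [directive, "default-src"]):
        if name in policy:
            return any(_match_source(s, url, page_origin) for s in policy[name]), name
    return True, None   # no directive governs this load, so nothing restricts it


def allowed(policies, directive, url, page_origin):
    """Evaluate a load against every delivered policy; all of them must allow it."""
    verdicts = [(*allowed_by_policy(parse_policy(p), directive, url, page_origin), p)
                for p in policies]
    return all(ok for ok, _, _ in verdicts), verdicts


if __name__ == "__main__":
    # Constructed scenario: meta tag policy plus header policy on https://localhost:5001.
    delivered = ["default-src https://localhost:*", "default-src 'self'"]
    ok, verdicts = allowed(delivered, "script-src-elem",
                           "https://localhost:62000/browserLink.js", "https://localhost:5001")
    print("script from another localhost port allowed:", ok)
    for passed, governing, text in verdicts:
        print(f"  policy {text!r}: {'allowed' if passed else 'blocked'} by {governing}")
```

Running it shows the effect described above: the meta policy permits the script from the other localhost port, the header policy blocks it under default-src, and the net result is the block the question's console messages report. Adding a child-src blob: entry to a policy is likewise enough for the worker case, because child-src stops the fallback to default-src.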
We have an ASP.NET MVC 4, C# legacy internal application, and recently, when analyzing vulnerabilities in Production using the Qualys Express scanner, we found the issue and recommendation below.
Vulnerability: Path-relative stylesheet import (PRSSI)
Recommended solution: It is recommended to remove relative URLs and use absolute URLs in CSS imports.
Could you help me with what sort of change needs to be done to resolve this? I have seen a few options, as below, and we can't do major changes since this is a legacy application.
Use X-Frame-Options and X-Content-Type-Options
Set modern <!doctype html>
Do not use relative paths
Path-relative style sheet import vulnerabilities
https://forums.asp.net/t/2119720.aspx?Path+relative+style+sheet+import+vulnerabilities
And I don't have the ability to run the vulnerability report again, so that's why I'm trying to find out the best option to resolve this for our application and make the entire change that is needed, if possible.
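As an added example (not from this question, the Qualys report or the linked forum thread), the Python script below checks a rendered page and its response headers for the three mitigations the question lists: stylesheet hrefs that are path-relative (no leading slash and no scheme), a doctype other than the modern <!doctype html>, and missing X-Content-Type-Options / X-Frame-Options headers. It also rewrites path-relative stylesheet hrefs to root-relative ones, which is the kind of minimal change a legacy layout can take. The HTML and headers are constructed samples, and the app root "/" is an assumption; an application hosted under a virtual directory would pass its own root.

```python
"""Lint an HTML page and its headers for path-relative stylesheet import (PRSSI)
conditions, and rewrite relative stylesheet hrefs to root-relative ones.

Added example; not part of the original question or of any scanner.
"""
import re
from html.parser import HTMLParser

_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")
_LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
_HREF_ATTR = re.compile(r'href="([^"]*)"', re.I)


def is_path_relative(href):
    """True for hrefs like "Content/site.css" that resolve against the current path."""
    href = href.strip()
    return not (href.startswith("/") or _SCHEME.match(href))


class _StylesheetScan(HTMLParser):
    """Collect stylesheet hrefs and the doctype declaration from the markup."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.doctype = None

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = decl

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attributes = dict(attrs)
        rel = (attributes.get("rel") or "").lower().split()
        if "stylesheet" in rel and attributes.get("href") is not None:
            self.hrefs.append(attributes["href"])


def lint_prssi(markup, headers):
    """Return a list of findings; an empty list means all three mitigations are present."""
    scan = _StylesheetScan()
    scan.feed(markup)
    findings = [f"path-relative stylesheet href: {h}" for h in scan.hrefs if is_path_relative(h)]
    if scan.doctype is None or scan.doctype.strip().lower() != "doctype html":
        findings.append("missing or legacy doctype; use <!doctype html>")
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    if "x-frame-options" not in lowered:
        findings.append("X-Frame-Options not set")
    return findings


def rewrite_relative_stylesheets(markup, app_root="/"):
    """Prefix path-relative stylesheet hrefs with the application root (assumed "/")."""
    def fix_tag(match):
        tag = match.group(0)
        if "stylesheet" not in tag.lower():
            return tag
        return _HREF_ATTR.sub(
            lambda h: f'href="{app_root}{h.group(1)}"' if is_path_relative(h.group(1)) else h.group(0),
            tag)
    return _LINK_TAG.sub(fix_tag, markup)


# Constructed sample of a legacy layout page (not the asker's real markup).
LEGACY_PAGE = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<link rel="stylesheet" href="Content/site.css" />
<link rel="stylesheet" href="/Content/bootstrap.css" />
<link rel="stylesheet" href="https://cdn.example.test/theme.css" />
</head><body></body></html>"""

HARDENED_HEADERS = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for finding in lint_prssi(LEGACY_PAGE, {}):
        print("finding:", finding)
    print(rewrite_relative_stylesheets(LEGACY_PAGE))
```

The rewrite only touches link tags that carry rel="stylesheet" and only hrefs that are path-relative, so root-relative and absolute references are left alone; the doctype change is reported but not rewritten, because in an MVC layout that is a one-line edit at the top of the shared view.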
Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.1.9/p5.min.js'
because it violates the following Content Security Policy directive: "script-src 'self'
https://cdn.jsdelivr.net/npm/p5#1.1.4/lib/p5.min.js". Note that 'script-src-elem' was not
explicitly set, so 'script-src' is used as a fallback.
I got this error while trying to make a Chrome extension right now. I am trying to use the p5.js library, but I still get this error several times. What is the death over here! Could you help me, please?
I think the p5.js CDN service is not working well right now, so I installed it manually. And then it works.
https://p5js.org/getstarted/#:~:text=Downloading%20a%20copy%20of%20the%20p5.js%20library
I'm using Meteor's browser-policy packages to maintain the CSP in my app.
Recently I loaded a script from another domain that initiates a Web Worker to run some other script (a blob).
Then I get the following error (latest Chrome):
Refused to create a child context containing 'blob:http%3A//localhost%3A3000/6057c8e1-a4ed-4d5e-ac97-230d5b1e99f3' because it violates the following Content Security Policy directive: "default-src 'self' ... list of all allowed domains... . Note that 'child-src' was not explicitly set, so 'default-src' is used as a fallback.
How can I set child-src for my app's requests? Should I do it manually, or is there an easier way to do that?
Thanks!
You can install the package browser-policy to solve this issue.
meteor add browser-policy
Then you can add this to your server code:
BrowserPolicy.content.allowOriginForAll('blob:');