I've got an internal web application. This is a webforms .net 4.x application. It uses the ajax control toolkit along with the updatepanel. Specifically, it uses the tabcontainer/tabpanels a lot. I had a problem getting the tabcontainer/tabpanels to work until I opened up the csp. I did that several years. I have a content security policy setup in my web.config file:
<add name="Content-Security-Policy" value="style-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
This csp allows for everything to work. Now, I have two problems:
The security folks have listed the current csp as a low risk security issue and would like me to change it. It's low risk, but I would like to provide some type of solution to this if possible. I've read several posts about how hard it is to get the ACT to work right with CSP, so it may not be possible. I've tried to create a ACT bundle and just send that down, but I get an error message in the Chrome inspector saying that is a 404 iirc. Everything works, but I don't like the 404 error. Removing the bundle in the script manager seems to work and does not create any additional errors. Has anyone else noticed a 404 error in google chrome inspect with an ACT bundle in the script manager?
I have recently had to add two more tabs. These two tabs have an iframe that displays content from another internal website. to get this to work under the tabs, I have to actually remove the csp. I don't think that they will like the removed csp.
I have tried to play with a csp to load some test content from google. Unfortunately, the following csp does not work. I would think it would load from the current local server and a google site. Unfortunately, the content from google.com does not load. Chrome gives me an unhappy face trying to load. Suggestions are appreciated on how to only load content from the local server and a single remote server.
<add name="Content-Security-Policy" value="frame-src 'self' *.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com" />
So, the question (thanks pkalkins), how do I add the ability to include an iframe containing content from another internal site so that the iframe correctly displays content within that iframe? I have used the google.com site as just an example that I test with here on my remote system.
Thanks in advance for any thoughts or suggestions. :-)
Wally
Related
I have an iFrame which I only wanted to be embeddable on a specific website. For this I found the the following code
Header set Content-Security-Policy: "frame-ancestors https://..."
I put this code into my .htaccess file and it worked perfectly when testing it on my laptop. But when I access the specific URL where the iFrame should be allowed to be embedded with my smartphone (Android + iOS), it's blocked. I searched some time on Google but couldn't find a hint or way to change this.
Hope you can help me out on this.
Edit:
I searched through the net and tested a lot of stuff but nothing works. My .htaccess looks like this:
Header set Content-Security-Policy: "frame-ancestors domain1 domain2/embed.php?id=1;"
domain2/embed.php?id=1 includes the videosource which I want to embed on another website. When calling this domain the video is ready to go in my browser. When I check the console on MAC (this seems to be a Safari problem) I get the following error message:
The source list for Content Security Policy directive 'frame-ancestors' contains a source with invalid path: '/embed.php?id=1'. The query component, including the "?" will be ignored.
Refused to load domain2/embed.php?id=1 because it does not appear in the frame-ancestors directive of the Content Security Policy.
When inserting https://domain2 or domain2 in the frame-ancestors line nothing changes, the video is still not available in Safari. I read that I have to insert the link in the error message to the frame-ancestors but then the ? will be ignored and the video can't be displayed.
There must be someone who has a suggestion to this problem or?
I am trying to get the browser link to work on a .net core asp.net application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:
This is what I have in the shared layout used by all views:
This is the source rendered on the browser (Chrome) when pressing Ctrl+U:
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
Am I missing something here or is this a google Chrome issue? Maybe is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
That's because your asp.net app publishes CSP via HTTP header (you can see it).
So you have 2 CSPs delivered: one via meta tag and second - via HTTP header. In this case both are applied consequentially and a strictest one does block.
Check web.config file for lines like:
<add name="Content-Security-Policy" value="default-src 'self'" />
<content-Security-Policy enabled="true">
Also check the NWebsec NuGet package settings - it can publish CSP header via web.config file, via middleware or via MVC attributes:
NWebsec.AspNetCore.Mvc package provides configure CSP via MVC attributes.
NWebsec.AspNetCore.Mvc.TagHelpers package includes Tag helpers to manage the script and style 'nonces'.
NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.
You have to use meta tag or HTTP header to publish Content Security Policy, but not both at the same time.
I have an issue on a Wordpress website in which the Google Maps doesn't load on Firefox and Safari specifically. The map shows blank and a message Loading map...that never ends on those 2 browsers.
This curious message in yellow is displayed on the browser on Google Chrome:
jquery.min.js?ver=1.11.1:4 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://github.com/googlemaps/js-map-label/blob/gh-pages/src/maplabel.js?_=XXXXXXXXXX with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
and in Firefox it displays the following message also as a yellow alert:
Loading failed for the <script> with source “https://github.com/googlemaps/js-map-label/blob/gh-pages/src/maplabel.js?_=XXXXXXXXX”.
Any clue on what it only works in Chrome and not in Firefox and Safari? Any clue how to solve it?
Thank you
As from the error, your CSP (Content Security Policy) does not allow you to load scripts from github.com domain.
You can :
Edit your content-security-policy headers to allow https://github.com loading. You can do it from your Apache/Nginx settings, or from PHP (if you use it) but I prefer handling those headers from web-server config.
CSP can also be managed using header meta tag
As you're directly serving from Github, you may need to change the default-src as content-type is text/html. I don't know if the script-src will handle it.
Download and upload the script to your server. Like this, it'll be loaded from the same domain, and should not throw CSP error.
Also:
Using files directly from GitHub is not the best idea. As you can see here and from your console error with MIME type text/html, Github serve your JS file as text/html instead of application/javascript.
It would be better to use a proper CDN (if a CDN serving your file exist), or store the file on your server.
I'm using Meteor's browser-policy packages for maintaining CSP in my app.
Recently I loaded some script from other domain that initiates a Web Worker to run some other script (blob).
Then I get the following error (latest Chrome):
Refused to create a child context containing 'blob:http%3A//localhost%3A3000/6057c8e1-a4ed-4d5e-ac97-230d5b1e99f3' because it violates the following Content Security Policy directive: "default-src 'self' ... list of all allowed domains... . Note that 'child-src' was not explicitly set, so 'default-src' is used as a fallback.
How can I set child-src for my app requests? Should I do it manually or there is any easier way to do that?
Thanks!
You can install the package browser-policy to solve this issue.
meteor add browser-policy
Then you can add this in your server code:
BrowserPolicy.content.allowOriginForAll('blob:');
I've loaded Disquss on my Wordpress website, which is running on HTTPS. The problem is that while the comments are shown at the bottom of the webpage, they are white (and since the background of the page is also white, they are not visible).
If I open Inspector in Chrome, the following error is printed to the Console tab.
Refused to execute inline script because it violates the following
Content Security Policy directive: "script-src https://*.twitter.com:*
https://api.adsnative.com/v1/ad.json *.adsafeprotected.com *.google-analytics.com https://glitter-services.disqus.com
https://*.services.disqus.com:* disqus.com http://*.twitter.com:*
a.disquscdn.com api.taboola.com referrer.disqus.com *.scorecardresearch.com
*.moatads.com https://admin.appnext.com/offerWallApi.aspx 'unsafe-eval'
https://mobile.adnxs.com/mob *.services.disqus.com:*". Either the 'unsafe-
inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required
to enable inline execution.
This happens because of the Popup Blocker Extension in Chrome, but I would like to enable it with content security policy: http://www.html5rocks.com/en/tutorials/security/content-security-policy/ . Basically, the error occurs in the chrome-extension://* scheme, so I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.
How should I disable the security policy for chrome extensions?
This isn't something you can (or should) meaningfully solve. It's up to the extension vendor to properly implement themselves. The fact is the extension is attempting to inject inline code and it's being stopped by the Content Security Policy because the CSP is made to block it. As it should, since the extension is indistinguishable from malware from it's perspective.
You could (but should not) simply add rules to your site's Content Security Policy to allow the extension to run...but this is potentially dangerous, incredibly case-specific, and should basically only ever be done in an enterprise context in which everyone has a (poorly coded) browser extension that is required to work with your site. And even then re-coding the extension would generally be preferred.
How should I disable the security policy for chrome extensions?
Not. Additionally you can not.
I need to add an appropriate entry to the Content-Security-Policy to allow chrome extensions.
The CSP of extensions is part of the (local) extension.
while the comments are shown at the bottom of the webpage, they are white
Sounds like a matter of CSS to me ... what about color: black; for your text?
Or short: Websites are not able to mess with extensions. Which is good - I don't want facebook to disable my CSP and send my personal porn preferences (from PornLiner addon) to my profile.