I have an app written in angular 8. When I run locally the map is working, but when I test the same data on production it is going grey and does not work.
Local:
Working locally map
Production:
Empty map in production
I've set no application restrictions and still, the problem exists.
#Edit 1: In the console there are no errors, but only warnings:
A cookie associated with a cross-site resource at http://google.com/ was set without the `SameSite` attribute.
A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.
You can review cookies in developer tools under Application>Storage>Cookies and see more details at
https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I am working on a web application, containing multiple views, that is using the ASP.NET framework for the backend and the Angular framework for the frontend. When running this web application on my local machine, every view loads without issue, returning the 200 - OK status. However, when I deploy and run my application in the Azure dev environment, one view is intermittently returning a 404 - Not Found status. All of the other views seem to be working fine, with the exception of this one.
Also, when I look at the console, it appears that the URL being requested by the front-end is the front-end URL, which it should not be requesting. It should be requesting the backend URL, which is what every other successful view is requesting.
Is there a general cause to this issue or do I need to provide more information regarding the code I am using? Thanks.
Assuming everything in the network except the app is working fine (for example, no packet loss when your application's network traffic traverses public and private networks), there are three possible causes:
1. Client-side lack of permission to access the object (please verify the messages exchanged between Azure and your browser with Chrome dev tools); if that is the case, you can configure Cross-Origin Resource Sharing (CORS) for the storage service the Angular client is accessing.
2. A SASAuthorizationError issue is also possible (please check SASAuthorizationError in the metrics; the fault count is non-zero). It is explained here.
3. Last but not least, please check the server-side logs to see whether another process deleted your target before the frontend app could access it.
Using this tutorial I am able to setup AzureAD authentication on my application:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
But I would like to be able to run it locally without using https. Is that possible?
If I change my redirect URI to http://localhost/mytestapp/ in my code and in the Azure application, I get an error: IDX21323: RequireNonce is 'System.Boolean'...
This is a known issue in Chromium browsers. Chrome won't save the cookie when using SameSite=None if the traffic is over HTTP. You can disable the flag at chrome://flags/#same-site-by-default-cookies to make it work with Chrome.
For more details refer here.
I have a Jasper server (version 7.2) webapp running on Host-A.
I set the Jasper server URL as the source of an iframe in another app running on Host-B.
When accessing the iframe app using Chrome/Edge, the login page of the Jasper server loads.
After entering the login credentials, the login is successful and loads the home page, but it logs out a moment after the home page appears.
This does not happen with Firefox.
I tried disabling CSRF in the Jasper server, setting SameSite cookies, enabling SSL, and setting the Referrer policy to no-referrer via filters at both the Jasper server and the iframe app, but no luck.
Chrome latest build 87.
Please guide under right direction to resolve the problem, Thank you.
I'm highly suspicious of same-site issues, since the problem occurs in Chrome and Edge but not Firefox. A patch or config change is needed for the newer version of Chrome: https://community.jaspersoft.com/wiki/chromium-80-update-february-2020-cross-site-cookie-blocking-jaspersoft
Also, if the problem were CSRF, you'd see a CSRF-related message in the server-side logs.
Browser Developer Tools (F12 key on Windows) for Chrome will list the HTTP requests/responses in the Network tab and allow you to check the attributes of each cookie. Of course, SSL is now required for SameSite attributes in Chrome.
While confirming that the appropriate cookie attributes are set (especially on the JSESSIONID cookie), you can also watch the Console tab in Chrome's Developer Tools to make sure there are no other client-side clues (like mixed http/https content, CORS blocks, etc.).
I'm getting the following msgs in my console. How do I fix these?
A cookie associated with a cross-site resource at http://widgets.wp.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://wp.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://cloudflare.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://www.facebook.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://facebook.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://wordpress.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://wordpress.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://support.wordpress.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at https://public-api.wordpress.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
A cookie associated with a cross-site resource at http://public-api.wordpress.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
This is just a warning message about an upcoming update/change, and Chrome is spreading the word about it. Cookies that match the domain of the current site are referred to as first-party cookies. Cookies from domains other than the current domain are referred to as third-party cookies.
CSRF attacks: cookies are attached to any request. For example, if you visit bad.domain.com, then a cookie from that domain can trigger requests to your-site.domain.com. Your browser will happily attach the associated cookies. If your site doesn't validate those requests, then a cookie from bad.domain.com could trigger actions like adding content, or even more, with the rights of your logged-in user.
I think you can't do anything about it, because the cookies are set by these sites.
Regards Tom
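The three answers above (the Chromium note about SameSite=None over HTTP, the Jasper iframe advice to inspect the JSESSIONID cookie's attributes, and Tom's reply about the console warnings) all come down to the same Chrome 80+ rules. The Python script below is an added example, not code from any post on this page: it encodes those rules as a small Set-Cookie auditor that parses a header value, reports what Chrome would do with the cookie, says whether it would be sent from a cross-site iframe or XHR, and rewrites it with SameSite=None; Secure. The JSESSIONID header values and the /jasperserver path are constructed samples.

```python
"""Audit Set-Cookie headers against the Chrome 80+ SameSite rules quoted in the
console warnings and answers above.  Added example, not code from any post on
this page.  Rules encoded (from the chromestatus features linked in the
warnings):

  * no SameSite attribute        -> treated as SameSite=Lax: not sent on
                                    cross-site subresource requests (iframe,
                                    XHR/fetch, <script>, <img>)
  * SameSite=None without Secure -> cookie rejected outright
  * Secure attribute over http   -> cookie not stored (the localhost case)

All header values below are constructed for the example.
"""
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.
    Flag attributes such as Secure and HttpOnly map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return the problems Chrome 80+ would have with this cookie."""
    attrs = parse_set_cookie(header)["attrs"]
    secure = "secure" in attrs
    samesite = (attrs.get("samesite") or "").lower()
    findings: List[str] = []
    if not samesite:
        findings.append("no SameSite attribute: Chrome defaults it to Lax, "
                        "so it is not sent from a cross-site iframe or XHR")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    if secure and not over_https:
        findings.append("Secure cookie set over plain http: the browser will not store it")
    return findings


def sent_cross_site(header: str, over_https: bool = True) -> bool:
    """Would Chrome 80+ attach this cookie to a cross-site subresource request,
    e.g. from the Jasper login page embedded in an iframe on another host?"""
    attrs = parse_set_cookie(header)["attrs"]
    secure = "secure" in attrs
    samesite = (attrs.get("samesite") or "lax").lower()  # missing -> Lax
    if secure and not over_https:
        return False          # never stored in the first place
    if samesite == "none":
        return secure         # None is honoured only together with Secure
    return False              # Lax and Strict are withheld cross-site


def make_cross_site_safe(header: str) -> str:
    """Rewrite a Set-Cookie value so Chrome will send it cross-site: replace any
    SameSite/Secure attributes with SameSite=None; Secure.  The site must then
    be served over https, or the Secure attribute makes the cookie unstorable."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:]
            if p.split("=", 1)[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([parts[0]] + kept + ["SameSite=None", "Secure"])


# Constructed sample headers: the JSESSIONID shape a servlet container issues,
# plus variants that trip each Chrome rule.
SAMPLES = {
    "jasper default": "JSESSIONID=8F3A1C; Path=/jasperserver; HttpOnly",
    "none without secure": "JSESSIONID=8F3A1C; Path=/jasperserver; SameSite=None",
    "fixed": "JSESSIONID=8F3A1C; Path=/jasperserver; HttpOnly; SameSite=None; Secure",
}


def audit_samples(over_https: bool = True) -> Dict[str, List[str]]:
    """Audit every sample; an empty list means Chrome is happy with it."""
    return {label: audit_cookie(h, over_https) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, problems in audit_samples().items():
        print(f"{label:22s} cross-site={sent_cross_site(SAMPLES[label])!s:5s} {problems}")
    print("rewritten:", make_cross_site_safe(SAMPLES["jasper default"]))
```

Run `audit_samples(over_https=False)` to reproduce the localhost situation from the Azure AD question: the "fixed" header is the one that then fails, because Secure cookies are never stored over plain http.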
I am using OWASP's ZAP tool for vulnerability scanning, and it shows an alert for the "secure page browser cache" vulnerability. Below are the details of the ZAP alert:
Risk: Medium
Reliability: Warning
Description: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.
Solution: The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.
Alternatively, this can be set in the HTML header by:
but some browsers may have problems using this method.
Can you please tell me how this vulnerability will affect my application if it's not fixed, and how an attacker will use it to hack the application?
The problem is that information that should be kept private can be viewed by anyone with access to the files in the browser's cache directory.
This is a problem particularly with shared computers. If caching is not set properly, then anyone using the shared computer can view the private web pages after the original user has logged off the site which is hosting the secure material.
This can also be a problem if the computer has malware which can read files. The malware can gather information from the browser cache and transfer it off the computer.
Your application will not malfunction if the cache headers are not set properly. However, you might expose your users to the consequences of their private information being misused.
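As an added example (not the ZAP tool's own scan rule and not the answer's code), the Python below checks a response's caching headers for a page holding private content and produces a hardened set. One caveat worth knowing when applying the alert's suggested fix: under RFC 7234, no-cache only forces revalidation before a cached copy is reused, while no-store is the directive that stops the browser from writing the page to its cache directory at all, so the check treats no-cache alone as still exposed. The sample header sets are constructed.

```python
"""Check a response's caching headers the way a sensitive page should be
checked, and emit a hardened set.  Added example, not code from the ZAP
alert or the answer above.  The rule is RFC 7234 semantics rather than
ZAP's exact scan logic: only no-store stops the browser from writing the
page to its cache directory; no-cache alone stores it and merely forces
revalidation before reuse, which is the very exposure the alert describes.
The header sets below are constructed.
"""
from typing import Dict, List


def _directives(value: str) -> set:
    """Cache-Control directive names, lower-cased, ignoring any =value part."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Problems with these response headers on a page holding private data.
    An empty list means the page is not written to a disk cache."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        if "no-cache" in cc:
            findings.append("Cache-Control has no-cache but not no-store: the page is "
                            "still written to disk, only revalidated before reuse")
        else:
            findings.append("Cache-Control does not forbid storing the response (no no-store)")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared proxy caches keep the page too")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (matters only for HTTP/1.0 caches)")
    return findings


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with caching of the response switched off."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("cache-control", "pragma", "expires")}
    out["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    out["Pragma"] = "no-cache"
    out["Expires"] = "0"
    return out


# Constructed: what an account page returns when nobody set cache headers
# (the ZAP finding), and the common half-fix that follows the alert literally.
ACCOUNT_PAGE = {"Content-Type": "text/html; charset=utf-8",
                "Set-Cookie": "session=8f3a1c; HttpOnly; Secure"}
HALF_FIXED = dict(ACCOUNT_PAGE, **{"Cache-Control": "no-cache", "Pragma": "no-cache"})


if __name__ == "__main__":
    for label, hdrs in (("unset", ACCOUNT_PAGE),
                        ("no-cache only", HALF_FIXED),
                        ("hardened", harden(ACCOUNT_PAGE))):
        print(f"{label:14s} {cache_findings(hdrs)}")
```

The hardened set carries no-store for the browser, no-cache and must-revalidate for any intermediary that ignores no-store, and Pragma/Expires for HTTP/1.0 caches; applying it only to authenticated responses keeps static assets cacheable.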