Set child-src CSP in Meteor - meteor

I'm using Meteor's browser-policy packages for maintaining CSP in my app.
Recently I loaded some script from other domain that initiates a Web Worker to run some other script (blob).
Then I get the following error (latest Chrome):
Refused to create a child context containing 'blob:http%3A//localhost%3A3000/6057c8e1-a4ed-4d5e-ac97-230d5b1e99f3' because it violates the following Content Security Policy directive: "default-src 'self' ... list of all allowed domains... . Note that 'child-src' was not explicitly set, so 'default-src' is used as a fallback.
How can I set child-src for my app requests? Should I do it manually, or is there an easier way to do that?
Thanks!

You can install the package browser-policy to solve this issue.
meteor add browser-policy
Then you can add this in your server code:
BrowserPolicy.content.allowOriginForAll('blob:');

Related

Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute

Can someone help me in resolving a Qualys issue?
After Qualys scan, there is an issue that says to add the HTTP Only flag. I have set the HTTP Only flag in web.config of Asp.Net Application but it doesn't resolve. We are using Azure Active Directory (single Sign-On) authentication.
Don't know where I can set the flag to true. Moreover, in some blogs, they mentioned modifying NuGet packages.
I have attached the screenshot. Please refer to it. Thanks in advance.
Flags are: wlidperf, ESTSAUTHLIGHT, brcap, ch, clrc
You can change the settings related to HTTPS Only option under the following root inside your Azure Dashboard:
Settings - Custom Domains - HTTPS Only
However, you have to check your security options and configurations, because this can engender security-related problems later down the road.

Chrome ignoring CSP (Content Security Policy) affecting Browser Link on ASP.NET application using .NET Core

I am trying to get the browser link to work on a .net core asp.net application. Although I am setting the CSP properly (at least I think I am), Chrome seems to be using a default. Here is what I see in the console:
This is what I have in the shared layout used by all views:
This is the source rendered on the browser (Chrome) when pressing Ctrl+U:
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
Am I missing something here, or is this a Google Chrome issue? Maybe it is a setting I am not aware of, but I've scoured the web and have not found a solution for this issue.
The part that is confusing is that the error messages in the console are saying that the default-src is set to 'self' which is clearly not the case; I am specifying default-src https://localhost:*;
That's because your asp.net app publishes CSP via HTTP header (you can see it).
So you have 2 CSPs delivered: one via meta tag and the second via HTTP header. In this case both are applied consecutively and the strictest one does the blocking.
Check web.config file for lines like:
<add name="Content-Security-Policy" value="default-src 'self'" />
<content-Security-Policy enabled="true">
Also check the NWebsec NuGet package settings - it can publish CSP header via web.config file, via middleware or via MVC attributes:
NWebsec.AspNetCore.Mvc package provides CSP configuration via MVC attributes.
NWebsec.AspNetCore.Mvc.TagHelpers package includes Tag helpers to manage the script and style 'nonces'.
NWebsec.AspNetCore.Middleware package includes OWIN CSP middleware.
You have to use meta tag or HTTP header to publish Content Security Policy, but not both at the same time.
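A simplified model of the two behaviours behind the console errors on this page, the fallback to a less specific directive and the separate enforcement of every delivered policy, written as an added example (not code from any of the posts). The function names, the fallback table and the sample URLs and ports are constructed for illustration; nonces, hashes and the bare `*` source are not modelled.

```javascript
// Simplified model of CSP source matching; not a complete CSP3 implementation.
const FALLBACK = { // most specific directive first
  script: ['script-src-elem', 'script-src', 'default-src'],
  worker: ['worker-src', 'child-src', 'script-src', 'default-src'],
  frame: ['frame-src', 'child-src', 'default-src'],
};
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i;

// "default-src 'self'; child-src blob:" -> Map { directive name => [sources] }
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  // 'self' compares the URL's own scheme and host, so a blob: URL never matches it.
  if (source === "'self'") return `${u.protocol}//${u.host}` === pageOrigin;
  // Scheme source such as blob: or https:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m || !(u.protocol in DEFAULT_PORT)) return false; // keywords are not modelled
  const [, scheme, host, port, path] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
  const portOk = port === '*' ||
    (port || DEFAULT_PORT[u.protocol]) === (u.port || DEFAULT_PORT[u.protocol]);
  const pathOk = !path || (path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path);
  return hostOk && portOk && pathOk;
}

// Each delivered policy is evaluated on its own; a single failure blocks the request.
function violations(policyTexts, type, url, pageOrigin) {
  return policyTexts.flatMap((text, i) => {
    const policy = parsePolicy(text);
    const name = FALLBACK[type].find((d) => policy.has(d));
    if (!name || policy.get(name).some((s) => sourceMatches(s, url, pageOrigin))) return [];
    return [`policy ${i}: ${name}`];
  });
}

// Constructed sample: header policy first, meta tag policy second.
console.log(violations(["default-src 'self'", 'default-src https://localhost:*'],
  'script', 'https://localhost:44399/constructed.js', 'https://localhost:5001'));
```

The logged array names only the header policy, which is why the console message quotes `default-src 'self'` even though the meta tag allows the request.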

ASP.NET Ajax Control Toolkit - Content Security Policy

I've got an internal web application. This is a webforms .net 4.x application. It uses the ajax control toolkit along with the updatepanel. Specifically, it uses the tabcontainer/tabpanels a lot. I had a problem getting the tabcontainer/tabpanels to work until I opened up the csp. I did that several years ago. I have a content security policy set up in my web.config file:
<add name="Content-Security-Policy" value="style-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
This csp allows for everything to work. Now, I have two problems:
The security folks have listed the current csp as a low risk security issue and would like me to change it. It's low risk, but I would like to provide some type of solution to this if possible. I've read several posts about how hard it is to get the ACT to work right with CSP, so it may not be possible. I've tried to create an ACT bundle and just send that down, but I get an error message in the Chrome inspector saying that is a 404 iirc. Everything works, but I don't like the 404 error. Removing the bundle in the script manager seems to work and does not create any additional errors. Has anyone else noticed a 404 error in Google Chrome inspect with an ACT bundle in the script manager?
I have recently had to add two more tabs. These two tabs have an iframe that displays content from another internal website. To get this to work under the tabs, I have to actually remove the csp. I don't think that they will like the removed csp.
I have tried to play with a csp to load some test content from google. Unfortunately, the following csp does not work. I would think it would load from the current local server and a google site. Unfortunately, the content from google.com does not load. Chrome gives me an unhappy face trying to load. Suggestions are appreciated on how to only load content from the local server and a single remote server.
<add name="Content-Security-Policy" value="frame-src 'self' *.google.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com" />
So, the question (thanks pkalkins), how do I add the ability to include an iframe containing content from another internal site so that the iframe correctly displays content within that iframe? I have used the google.com site as just an example that I test with here on my remote system.
Thanks in advance for any thoughts or suggestions. :-)
Wally

I can't import the js library script p5.js CDN error

Refused to load the script 'https://cdnjs.cloudflare.com/ajax/libs/p5.js/1.1.9/p5.min.js'
because it violates the following Content Security Policy directive: "script-src 'self'
https://cdn.jsdelivr.net/npm/p5@1.1.4/lib/p5.min.js". Note that 'script-src-elem' was not
explicitly set, so 'script-src' is used as a fallback.
I got this error while trying to make some Chrome extension right now. I try to use the p5.js library. But I still got this error several times. What is the death over here! Could you help me, please?
I think the p5.js CDN service is not working well right now. I install it manually, and then it works.
https://p5js.org/getstarted/#:~:text=Downloading%20a%20copy%20of%20the%20p5.js%20library

Meteor JS behind a proxy

I'm trying to use Meteor from behind a proxy. I've tried setting environment variables for proxy details as per the docs, but it has not helped.
SET HTTP_PROXY=http://user:password@1.2.3.4:5678
SET HTTPS_PROXY=http://user:password@1.2.3.4:5678
meteor update
Instead I want to bypass the proxy for certain URLs that Meteor needs. I have identified atmospherejs.com and registry.npmjs.org (not sure if meteor uses this directly but we are also working with node separately).
Are there any other URLs that Meteor will need?
Here are some:
docs.meteor.com
s3-1.amazonaws.com
activity.meteor.com
warehouse.meteor.com
registry.npmjs.org
packages.meteor.com
I can't imagine that it's a specific domain causing your problem though.
