Recently I found out about browser policy package for Meteor from David Weldon (https://dweldon.silvrback.com/browser-policy), which I found from this checklist made by Sacha https://meteorjs.club/MeteorSecurityChecklist.pdf
I use the Google Analytics for Iron Router package (https://github.com/reywood/meteor-iron-router-ga/) as well, and I keep getting the following error after trying many different options (I expected BrowserPolicy.content.allowInlineScripts(); to allow this):
Refused to load the script 'data:application/javascript;base64,dmFyIHVyY2hpblRyYWNrZXI9ZnVuY3Rpb24oKXt9…JVcmw6ZnVuY3Rpb24obyl7cmV0dXJuIG87fSxfdHJhY2tFdmVudDpmdW5jdGlvbigpe319fX07' because it violates the following Content Security Policy directive: "script-src 'self' http://*.google-analytics.com https://*.google-analytics.com http://*.googleapis.com https://*.googleapis.com http://*.gstatic.com https://*.gstatic.com http://www.google-analytics.com https://www.google-analytics.com".
Can anyone give me more insight into this?
The URL in question is a Data URL, so one way to solve this is to add the following to your policy:
BrowserPolicy.content.allowDataUrlForAll()
That's a pretty broad rule though. If you want to narrow it just to scripts you could do:
BrowserPolicy.content.allowScriptDataUrl()
I'm trying to connect to play.google.com in my website iframe and I'm receiving this error:
Refused to frame 'https://play.google.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://play.google.com".
Am I missing something?
Here is the code:
Here is the error:
Can I do something so that it works?
The code reference which I took from Google is here.
I was trying to render the iframe after using the Android Management API. When I open the URL directly in a new tab it works, but when I try to open it in an iframe it does not. It should work in an iframe!
This problem can occur when you render the Managed Configurations iframe over an ‘http’ (unsecure) connection. I suggest you embed your iframe with an ‘https’ (secure) connection to prevent cross-site scripting attacks. I tested this locally, and swapping to ‘https’ resolved the issue in my tests.
I'm receiving the error:
Refused to frame 'https://oauth.telegram.org/' because it violates the following Content Security Policy directive: "frame-src https://outh.telegram.org"
I have set my content security policy rules correctly I believe. Why is it still blocked?
Ok, I found a solution.
I have added a *.telegram.org rule and it worked. I don't know why the previous rule was not accurate, but anyway the second try worked.
I'm using Uploadcare to upload images and files in my application and am also using the browser-policy package for content security. I noticed recently that the camera upload feature was not working and couldn't figure out how to allow it.
Refused to load media from 'blob:http%3A//localhost%3A3000/e44633a7-227f-40e2-a3bd-9efd211f677d' because it violates the following Content Security Policy directive: "default-src 'self' (My Allowed Origins ...) ". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.
It seems the only way I've been able to get this to work is by using:
BrowserPolicy.content.allowOriginForAll('blob:');
Is there a better way? It looks like I'm getting an 'unsafe-eval' blob: warning using the current method. Things I've tried already:
BrowserPolicy.content.allowDataUrlForAll();
BrowserPolicy.content.allowBlobDataUrl(); Not valid
BrowserPolicy.content.allowOriginForAll('blob:http://localhost3000*');
BrowserPolicy.content.allowOriginForAll('http://localhost3000*');
We use this policy in our package:
BrowserPolicy.content.allowImageOrigin("blob:");
var constructedCsp = BrowserPolicy.content._constructCsp();
BrowserPolicy.content.setPolicy(constructedCsp +" media-src blob:;");
If you just want to plug and play it's here: https://github.com/smalljoys/meteor-uploadcare
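The refused data: script, the blob: media that fell back to default-src, and the frame-src rule in the Telegram question all come down to the same thing: how a browser matches a URL against a CSP source list. The following is an added example, not code from the browser-policy package, from meteor-uploadcare or from any post above. It is a small evaluator for just the source kinds those errors exercise ('self', scheme sources such as data: and blob:, host sources with a leading "*." wildcard, and the default-src fallback); paths, nonces and hashes are out of scope. The page origin http://localhost:3000 and the sample URLs are constructed from the quoted errors.

```javascript
// Added example: a minimal CSP source-list matcher, not a full implementation.

// Parse "default-src 'self'; media-src blob:" into { "default-src": [...], ... }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

function scheme(url) {
  return url.protocol.replace(/:$/, "").toLowerCase();
}

// Host source: [scheme://] [*.] host [:port] [/path]. The path is ignored here.
function hostSourceMatches(source, url, self) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, srcScheme, wildcard, host, port] = m;
  const urlScheme = scheme(url);
  if (srcScheme) {
    if (urlScheme !== srcScheme.toLowerCase()) return false;
  } else {
    // No scheme in the source: use the page's own scheme, letting an http page load https.
    const selfScheme = scheme(self);
    if (urlScheme !== selfScheme && !(selfScheme === "http" && urlScheme === "https")) return false;
  }
  const hostname = url.hostname.toLowerCase();
  const pattern = host.toLowerCase();
  // "*.example.com" matches subdomains only, never "example.com" itself.
  if (wildcard ? !hostname.endsWith("." + pattern) : hostname !== pattern) return false;
  if (port && port !== "*") {
    const urlPort = url.port || DEFAULT_PORTS[urlScheme] || "";
    if (urlPort !== port) return false;
  }
  return true;
}

// Does one source expression from a directive match the URL?
function sourceMatches(source, url, self) {
  if (source === "'self'") {
    // Same scheme, host and port as the page. A data: or blob: URL has no
    // host, so 'self' never matches it; that is why both loads were refused.
    return url.protocol === self.protocol && url.host === self.host;
  }
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... match no URL
  // Scheme source such as "data:" or "blob:"; this is what allowScriptDataUrl()
  // and the appended "media-src blob:" add to the policy.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return scheme(url) === source.slice(0, -1).toLowerCase();
  }
  // A bare "*" matches any network-scheme URL, but never data: or blob:.
  if (source === "*") return NETWORK_SCHEMES.has(scheme(url));
  return hostSourceMatches(source, url, self);
}

// Decide whether urlString may load under `directive`, falling back to
// default-src when that directive is absent, exactly as the browser did for
// media-src. Returns { allowed, directive } with the directive actually applied.
function isAllowed(policy, directive, urlString, selfOrigin) {
  const directives = parseCsp(policy);
  const self = new URL(selfOrigin);
  const url = new URL(urlString);
  let applied = directive.toLowerCase();
  let sources = directives[applied];
  if (sources === undefined) {
    applied = "default-src";
    sources = directives[applied];
  }
  if (sources === undefined) return { allowed: true, directive: null }; // policy is silent
  return { allowed: sources.some((s) => sourceMatches(s, url, self)), directive: applied };
}

// Constructed samples modelled on the errors quoted above (Meteor's dev origin).
const SELF = "http://localhost:3000";
const SCRIPT_POLICY = "script-src 'self' http://*.google-analytics.com https://*.google-analytics.com";
const DATA_SCRIPT = "data:application/javascript;base64,dmFyIHVyY2hpblRyYWNrZXI9ZnVuY3Rpb24oKXt9";
const BLOB_MEDIA = "blob:http://localhost:3000/e44633a7-227f-40e2-a3bd-9efd211f677d";

console.log(isAllowed(SCRIPT_POLICY, "script-src", DATA_SCRIPT, SELF));              // refused
console.log(isAllowed(SCRIPT_POLICY + " data:", "script-src", DATA_SCRIPT, SELF));   // allowed
console.log(isAllowed("default-src 'self'", "media-src", BLOB_MEDIA, SELF));         // default-src fallback, refused
console.log(isAllowed("default-src 'self'; media-src blob:", "media-src", BLOB_MEDIA, SELF)); // allowed
```

Running it also shows why narrowing matters: allowing data: under script-src lets any data: script run, which is why the second answer prefers allowScriptDataUrl() over allowDataUrlForAll(), and appending only media-src blob: (as the Uploadcare answer does) leaves script-src untouched. The same matcher applied to the Telegram question returns false for "frame-src https://outh.telegram.org" against https://oauth.telegram.org/ and true for "frame-src *.telegram.org", since a host source must match the hostname exactly unless it carries the "*." wildcard.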
Hello Apigee Support team and fellow devs with questions and answers,
Thanks for any support on this. This is more a confirmation than a question. When you do a raise error on Apigee with FaultResponse/Set as seen here http://apigee.com/docs/ja/api-services/reference/raise-fault-policy, you override the entire headers, killing the CORS headers in the process.
Is there a way to maintain the CORS headers on the raise error, or do you have to manually add them?
Marco
Create a JavaScript policy where you store the headers in a different variable, then set them in the RaiseError policy.
The script will look something like...
context.setVariable("myVariable", context.getVariable("request.header.{name}"));
Then in the RaiseFault use {myVariable} to place the value in the header.
Please provide examples of your source code if you need a more accurate answer.
Some of my clients from the UK are not able to see a module of mine which uses the Twitter API.
When I log in remotely and check the errors, I get the following.
XMLHttpRequest cannot load http://api.getmytweets.co.uk/?screenname=philipbeel&limit=5&undefined=undefined. Origin http://plugins.theodin.co.uk is not allowed by Access-Control-Allow-Origin.
According to another related question on Stack Overflow, I can resolve this by adding an HTTP response header to allow Access-Control-Allow-Origin.
How can I do this?
I found a workaround to this. In fact, a solution. The new Twitter API 1.1 uses an OAuth plugin. So there is PHP code which I got from https://github.com/abraham/twitteroauth; I entered the keys I got by registering an application on Twitter, and then I used the JSON generated by the PHP and formatted it using jQuery in another JavaScript...
This is the solution I got from http://www.webdevdoor.com/php/authenticating-twitter-feed-timeline-oauth/
Thanks a lot TOM