kibana not accessible with message "Please, upgrade your browser" from Chrome 105 - elasticsearch

After upgrading to ELK 8.2.2 I cannot access Kibana from Chrome (Chrome is up to date, Version 105.0.5195.102 (Official Build) (64-bit)); it shows me the message "Please, upgrade your browser". Does anybody have an idea how to solve this?
(I don't have this problem from Edge on the same computer...)

Kibana shows this message if a browser doesn't support content-security-policy.
Do you have a proxy in front of Kibana that could affect the CSP headers that are set?
Do you have any error messages in the browser console? Try opening your browser's dev tools and report what you see. In the normal case with Chrome you should see:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-dfwkrmf3eoeeUSOe5V/dede2c+yeadce32Oi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
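
An added example (not from the thread and not Kibana's code) of the check suggested above: given the response headers the browser actually receives, it decides whether an inline script without a nonce or hash would be refused, which is the normal case the quoted console line shows. The function names and the two proxy header samples are constructed for illustration.

```python
import re

# Sources that make browsers ignore 'unsafe-inline' (CSP Level 3 rules).
_OVERRIDES_UNSAFE_INLINE = re.compile(
    r"^'(nonce-.+|sha(256|384|512)-.+|strict-dynamic)'$", re.I)


def parse_policy(policy):
    """Split one CSP policy string into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def policy_blocks_inline_script(policy):
    """True if this policy refuses an inline <script> with no nonce or hash."""
    directives = parse_policy(policy)
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            sources = directives[name]
            break
    else:
        return False  # nothing in the policy governs scripts
    if not any(s.lower() == "'unsafe-inline'" for s in sources):
        return True
    return any(_OVERRIDES_UNSAFE_INLINE.match(s) for s in sources)


def response_blocks_inline_script(headers):
    """headers: list of (name, value) pairs as the browser received them."""
    policies = []
    for name, value in headers:
        if name.lower() == "content-security-policy":  # Report-Only never blocks
            policies += [p for p in value.split(",") if p.strip()]
    # Every delivered policy is enforced, so one blocking policy is enough.
    return any(policy_blocks_inline_script(p) for p in policies)


# Constructed samples: the directive quoted in the answer, then two proxy outcomes.
DIRECT = [("Content-Security-Policy", "script-src 'unsafe-eval' 'self'")]
PROXY_STRIPPED = [("Content-Type", "text/html")]
PROXY_REWRITTEN = [("content-security-policy", "script-src 'self' 'unsafe-inline'")]

if __name__ == "__main__":
    for label, hdrs in [("direct", DIRECT), ("stripped", PROXY_STRIPPED),
                        ("rewritten", PROXY_REWRITTEN)]:
        print(label, "inline script refused:", response_blocks_inline_script(hdrs))
```

Comparing the result for headers captured directly from Kibana with headers captured through the proxy shows whether the proxy is what stops the policy from being enforced.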

Related

Cannot set secure cookie in firefox 90.02 or 78.13.0esr, using tornado 6.1.0.0, python 3.73. Ok in chrome, edge etc

I have a local web server application (self signed certificate) that has stopped working in firefox (both windows and linux). It does not set any secure cookies. The following test code only sets cookie test2. The application behaves fine in chrome and edge with all cookies being set and has previously worked in firefox. My searches have not turned up anything, other than an issue marked as fixed bugzilla 1618113. Setting an exception for the ip address to allow cookies does not fix this.
Further checking on an older platform shows that the secure cookie is set correctly using tornado 3.2.2.0 and python 3.4.2.
    # Application settings (cookie_secret and ErrorHandler are defined elsewhere)
    settings_ssl = {
        "cookie_secret": cookie_secret,
        "login_url": "/login",
        "static_path": "/var/www",
        "template_path": "/home/pi/py/web",
        "default_handler_class": ErrorHandler,
        "default_handler_args": dict(status_code=404),
    }

    # Inside the request handler
    self.set_secure_cookie("test1", "cookie_secure")
    self.set_cookie("test2", "cookie_insecure")
Any help gratefully received.
Images added in edit:
Cookies set in Firefox
Cookies set in Chrome by same code
Thanks to bigpangl. I can no longer see the comments we both posted between Aug 12 and yesterday, however checking the POST data led me to discover that, on firefox, the expiry time of the cookie appears to be set based on the time of the server. It appears to be calculated based on the time of the browsing computer when using chrome.
My local server time was 61 days in the past, so the default expires_days value of 30 in tornado meant that the cookie expired in the past and was not stored on firefox.
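
The failure described above, as an added example that is not part of the original post and not Tornado's code: a Set-Cookie value is built from a server clock running 61 days behind, then checked against the client's clock. The clock values, function names and the Max-Age variant are constructed for illustration; the cookie names and the 30-day lifetime are the ones from the post.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie


def build_set_cookie(name, value, server_now, expires_days=None, max_age=None):
    """Build a Set-Cookie value the way a server would, from its own clock."""
    cookie = SimpleCookie()
    cookie[name] = value
    if expires_days is not None:
        # Absolute timestamp derived from the server's clock.
        expires = server_now + timedelta(days=expires_days)
        cookie[name]["expires"] = format_datetime(expires, usegmt=True)
    if max_age is not None:
        cookie[name]["max-age"] = max_age  # relative lifetime in seconds
    return cookie[name].OutputString()


def client_keeps(set_cookie, client_now):
    """Apply the RFC 6265 expiry rules using the client's clock."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"]) > 0
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) > client_now
    return True  # no expiry attribute: session cookie


# Constructed clocks: the server runs 61 days behind the browsing computer.
CLIENT_NOW = datetime(2021, 8, 20, 12, 0, tzinfo=timezone.utc)
SERVER_NOW = CLIENT_NOW - timedelta(days=61)

# test1 gets the 30-day expiry; test2 is set with no expiry, as in the post.
SECURE = build_set_cookie("test1", "signed-value", SERVER_NOW, expires_days=30)
PLAIN = build_set_cookie("test2", "cookie_insecure", SERVER_NOW)
RELATIVE = build_set_cookie("test1", "signed-value", SERVER_NOW, max_age=30 * 86400)

if __name__ == "__main__":
    for header in (SECURE, PLAIN, RELATIVE):
        print(client_keeps(header, CLIENT_NOW), header)
```

With these clocks the 30-day Expires lands 31 days before the client's current time, so only the cookie with no expiry and the one carrying a relative Max-Age are kept.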

cypress iframe function works on chrome but not firefox

I'm trying to run a test that involves iframes with Firefox. The test works with Chrome but not with Firefox. It seems that when I get the iframe and subsequently try to find the body, the body is returned as undefined.
Timed out retrying: Expected to find element: undefined, but never found it.
    cy.get('iframe').then(($iframe) => {
        const $body = $iframe.contents().find('body');
        cy.wrap($body)
        ^
The html looks the same for firefox as it does for chrome. Does anyone know what the underlying issue is for that?
The most likely cause is the same origin policy.
In a nutshell, if the page loaded inside the iframe comes from a different domain than the parent page, then your JavaScript will not be allowed to access the DOM within the iframe.
The reason it is working for you on Chrome is likely because you have used this setting in your cypress.json config file to disable the same origin policy in Chrome:
    "chromeWebSecurity": false
As of this writing (Nov 2020), Firefox sadly does not have an equivalent way to disable the same origin policy for testing purposes. The bug report is here.

Spring HTTP Strict Transport Security (HSTS) And FireFox

Spring Security (4.0.1.Release) sets the HSTS host by default for the https protocol, and you can see Strict-Transport-Security: max-age=31536000 ; in the response header (I used Firefox > Web Development > Network).
But when I look at the Firefox console I see an error which says: The site specified an invalid Strict-Transport-Security header.
I also set the HSTS header manually in the Spring config as:
    <headers>
        <hsts />
    </headers>
The same response header is generated and Firefox shows the error again.
According to https://developer.mozilla.org/docs/Security/HTTP_Strict_Transport_Security the header must be correct!
Any comments?!
I found it was a bug in Firefox, as mentioned in "The site specified an invalid Strict-Transport-Security header - firebug".
The self-signed certificate seems to generate this issue.
Also refer to: https://jira.spring.io/browse/SEC-3021
Try this; it is how I solved a similar problem:
You could enter about:config into the Firefox address bar (confirm the info message in case it shows up) and search for the preference named security.enterprise_roots.enabled. Double-click it, change its value to true, and restart Firefox.

Magento Paypal Error - persistent Sandbox URL in payment_paypal_direct.log

HELP! - I am trying to take a PayPal Payments Pro (Magento 1.8.1) API live and I am getting the following error:
exception 'Exception' with message 'PayPal NVP CURL connection error #35:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'
in <my_root_folders>/app/code/core/Mage/Paypal/Model/Api/Nvp.php:986
In the payment_paypal_direct.log file I have the following for every error:
2014-11-08T02:12:36+00:00 DEBUG (7): Array
(
[url] => https://api-3t.sandbox.paypal.com/nvp
[DoDirectPayment] => Array
(
No matter how I set the various flags for sandbox mode, my errors all show the sandbox URL for the API. I have even double checked the paypal/wpp/sandbox_flag in the core_config table in the db and it is flipping from 0 to 1 when I change the configuration in Magento's admin.
Has anyone experienced this persistent sandbox URL?
Sandbox Mode = OFF
SSL Verification = Disabled (have tried it enabled too, no difference)
all caching is disabled (I clear cache often just in case)
I reindex entire site frequently
There were two issues affecting my website:
Our server was not configured in response to the POODLE vulnerability and PayPal was rejecting the server connection.
Sandbox setting was enabled for a child "Configuration Scope" and edits made to the "Default Config" (the parent/master config) were being overridden.
Hopefully this may help someone.
In addition to the above answer, you may configure your server and disable SSLv3 by editing your Apache's httpd.conf and adding the following code:
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1
You may also do this via WHM if you have a VPS or Dedicated Server:
Go to Service Configuration -> Apache Configuration -> Include Editor -> Pre Main Include
and add the above two lines.

Hitting timeout using Recaptcha in ASP.NET Options

need some advice/help here.
I just started using the Recaptcha library of ASP.NET from this link
I've followed the simple guide on that page and it worked well with localhost deployment and development.
However, after I moved the same simple page with Recaptcha to my company's server to test the page out, I hit the below exception when trying to validate the recaptcha word.
The operation has timed out
I suspect it has something to do with SSL but my company's website
that I browse, isn't using https, it is just http. I have tried both
methods, having the recaptcha to set OverrideSecureMode to "true" - it
didn't work, set it to false, it didn't work as well (such as below)
    <recaptcha:RecaptchaControl
        ID="recaptchaControl1" runat="server"
        OverrideSecureMode="True"
        PublicKey="My_Public_Key"
        PrivateKey="My_Private_Key"
    />
My code behind, I'm just using a simple button to invoke and display a
text which works on localhost in Visual Studio:
    if (Page.IsValid)
    {
        // do the stuff
    }
    else
    {
        // show the error message from recaptcha
    }
What can I do to fix this issue?? Please help.
Sounds like a problem with firewall settings on your company servers. reCAPTCHA requires port 80 outbound (not inbound) to Google servers.
