Content Security Policy in IIS header - https

<add name="Content-Security-Policy" value="default-src 'self' '*';
script-src 'self' https://tagmanager.google.com/ https://www.googletagmanager.com/ https://use.fontawesome.com;
style-src 'self' https://tagmanager.google.com/ https://fonts.googleapis.com/ https://use.fontawesome.com;
img-src 'self' https://ssl.gstatic.com/;
font-src 'self' https://use.fontawesome.com"/>
Above is the CSP I have used on my site, but it's not working for me.
Can anyone please help with this?
It's showing a lot of errors in the console.

It sounds like your header is not formatted correctly. The script and style resources get blocked because you didn't enable unsafe-inline code.
Have you tried specifying 'unsafe-inline' for script-src and style-src?
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' https://tagmanager.google.com/ https://www.googletagmanager.com/ https://use.fontawesome.com;style-src 'self' 'unsafe-inline' https://tagmanager.google.com/ https://fonts.googleapis.com/ https://use.fontawesome.com;img-src 'self' https://ssl.gstatic.com/; font-src 'self' https://use.fontawesome.com;" />
</customHeaders>
</httpProtocol>

Cors issue specifically in Internet Explorer XMLHttpRequest: Network Error 0x80070005, Access is denied

CORS issue specifically in Internet Explorer, only when calling the API from an ajax call.
1) Request header content-type was not present in the Access-Control-Allow-Headers list
2) XMLHttpRequest: Network Error 0x80070005, Access is denied.
I tried the following:
xhrFields: {
withCredentials: true
}
also by setting
...
crossDomain: true
...
headers: {
'Access-Control-Allow-Origin': '*'
},
Ajax call
var url = "https://dev-connectivity.dummylink";
var data = JSON.stringify({
    "lang": "en",
    "ClientId": "asdfasf3452345c42352345c",
    "CountryCode": "34"
});
$.ajax({
    url: url,
    type: 'POST',
    contentType: 'application/json; charset=utf-8',
    headers: {
        'Access-Control-Allow-Origin': '*'
    },
    data: data,
    success: function (data) {
        alert("tets");
    },
    error: function (error) {
        alert("error");
    }
});
// My API web.config code
<httpProtocol>
    <customHeaders>
        <remove name="Access-Control-Allow-Origin" />
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="*" />
        <add name="Access-Control-Allow-Headers" value="*" />
    </customHeaders>
</httpProtocol>
// Also enabling CORS in Startup
services.AddCors(o => o.AddPolicy("CorsPolicy", builder =>
{
    builder.AllowAnyMethod()
           .AllowAnyHeader();
}));
app.UseCors("CorsPolicy");
IE doesn't accept the Content-Type header if you have provided * in your web.config file, so to fix this issue you need to manually add the Content-Type header to the Access-Control-Allow-Headers list in your web.config file.
<customHeaders>
<remove name="Access-Control-Allow-Origin" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type, Any-Other-Header" />
</customHeaders>
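As an added example (not the question's or the answer's code), here is a model of the browser-side CORS preflight check from the Fetch standard, run against the exchange in the question: a credentialed JSON POST that also sends the response-only header Access-Control-Allow-Origin, first against the wildcard-only web.config and then against the answer's explicit Allow-Headers list. The client origin and the legacyNoWildcard option (browsers that never honour * in Allow-Headers, as the answer describes for IE) are assumptions, and only the origin, credentials and header checks are modelled, not the method check.

```javascript
// Added example, not code from the question or the answer. Plain Node.js, no dependencies.
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// CORS-safelisted request headers never need to appear in Access-Control-Allow-Headers;
// Content-Type only counts as safelisted for the three form-style media types above.
function isSafelisted(name, value) {
  if (['accept', 'accept-language', 'content-language'].includes(name)) return true;
  if (name === 'content-type') return SAFE_CONTENT_TYPES.includes(value.split(';')[0].trim().toLowerCase());
  return false;
}

const lowerKeys = obj => Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), String(v)]));
const parseList = value => (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

// request: { origin, headers, withCredentials }; response: the preflight response headers.
// opts.legacyNoWildcard models browsers that never treat "*" as a wildcard in Allow-Headers.
function preflightCheck(request, response, opts = {}) {
  const req = lowerKeys(request.headers), res = lowerKeys(response);
  const reasons = [];
  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin !== request.origin && !(allowOrigin === '*' && !request.withCredentials)) {
    reasons.push(`Access-Control-Allow-Origin "${allowOrigin}" does not cover ${request.origin}`
      + (request.withCredentials ? ' (with credentials "*" is not accepted)' : ''));
  }
  if (request.withCredentials && res['access-control-allow-credentials'] !== 'true') {
    reasons.push('Access-Control-Allow-Credentials: true is missing');
  }
  const allowed = parseList(res['access-control-allow-headers']);
  // "*" is a wildcard only for requests without credentials, and never in legacy browsers.
  const wildcard = allowed.includes('*') && !request.withCredentials && !opts.legacyNoWildcard;
  for (const [name, value] of Object.entries(req)) {
    if (isSafelisted(name, value) || wildcard || allowed.includes(name)) continue;
    reasons.push(`request header "${name}" is not listed in Access-Control-Allow-Headers`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed inputs reproducing the question: a credentialed JSON POST that also (wrongly)
// sends the response header Access-Control-Allow-Origin, against the wildcard-only
// web.config. The client origin is a placeholder.
const QUESTION_REQUEST = {
  origin: 'https://client.example',
  withCredentials: true,
  headers: { 'Content-Type': 'application/json; charset=utf-8', 'Access-Control-Allow-Origin': '*' },
};
const WILDCARD_RESPONSE = {
  'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': '*', 'Access-Control-Allow-Headers': '*',
};
// The answer's fix: list Content-Type explicitly instead of relying on "*".
const EXPLICIT_RESPONSE = {
  'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Headers': 'Content-Type, Any-Other-Header',
};

console.log(preflightCheck(QUESTION_REQUEST, WILDCARD_RESPONSE, { legacyNoWildcard: true }).reasons);
```

Dropping withCredentials and the stray Access-Control-Allow-Origin request header, and listing Content-Type as the answer does, is what makes the same request pass in every browser mode the model covers.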

Apache to IIS web.config?

I am used to working with Apache or NGINX, but a new client has its website on a Microsoft IIS server that makes use of web.config where he would like to add caching.
I normally use the following setup:
### Begin Caching Performance ###
# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset UTF-8
# Force UTF-8 for a number of file formats
<IfModule mod_mime.c>
AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
</IfModule>
# FileETag None is not enough for every server.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
# Since we’re sending far-future expires, we don’t need ETags for static content.
FileETag None
<IfModule mod_alias.c>
<FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
Header unset Last-Modified
</IfModule>
</FilesMatch>
<FilesMatch "\.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
</IfModule>
# Gzip Compression
<IfModule mod_deflate.c>
# Force compression for mangled headers.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
# Don’t compress images and other uncompressible content
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
</IfModule>
</IfModule>
# Compress all output labeled with one of the following MIME-types
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
<IfModule mod_headers.c>
Header append Vary: Accept-Encoding
</IfModule>
</IfModule>
<IfModule mod_mime.c>
AddType text/html .html_gzip
AddEncoding gzip .html_gzip
</IfModule>
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
</IfModule>
# Expires headers
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6
ExpiresByType text/cache-manifest "access plus 0 seconds"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
# Web fonts
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
# Send CORS headers if browsers request them; enabled by default for images.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# mod_headers
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# Webfont access
<IfModule mod_headers.c>
<FilesMatch "\.(tt[cf]|otf|eot|woff|woff2|font.css|css|js)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
### End Caching Performance ###
So this or at least some parts to GZIP and Expiration Headers I would like to add to this website to make it more performant. Does anyone know how I would be able to convert or at least point me in the right direction to convert the above performance and caching code to Microsoft IIS's web.config?
Thanks in advance for more information!
In the end I have configured the web.config like this; the reason I am doing it directly via the web.config is that the client does not have access to the IIS control panel, nor does the hosting company want to provide it.
This is the code I eventually came up with:
<!-- General Optimisation-->
<directoryBrowse enabled="false"/>
<!-- Security Headers -->
<httpProtocol>
<customHeaders>
<add name="Security-By" value="Sandhills Studio"/>
<add name="Content-Security-Policy" value="img-src 'self' https: data: blob:; font-src 'self' https: data:;"/>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="Referrer-Policy" value="no-referrer-when-downgrade"/>
<add name="Expect-CT" value="max-age=86400,enforce"/>
<add name="Feature-Policy" value="fullscreen *;camera 'none';microphone 'none'"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="Strict-Transport-Security" value="max-age=15552000; includeSubDomains; preload"/>
<!--Remove Headers-->
<remove name="X-Powered-By"/>
<remove name="X-Powered-By-Plesk"/>
<remove name="Pragma"/>
<remove name="ETag"/>
</customHeaders>
</httpProtocol>
<!-- GZip static file content -->
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files" minFileSizeForComp="512">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" staticCompressionLevel="10"/>
<dynamicTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="application/json" enabled="true"/>
<add mimeType="image/svg+xml" enabled="true"/>
<add mimeType="application/font-woff" enabled="true"/>
<add mimeType="application/x-font-ttf" enabled="true"/>
<add mimeType="application/octet-stream" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</dynamicTypes>
<staticTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/atom+xml" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="application/json" enabled="true"/>
<add mimeType="application/ld+json" enabled="true"/>
<add mimeType="application/manifest+json" enabled="true"/>
<add mimeType="application/rdf+xml" enabled="true"/>
<add mimeType="application/rss+xml" enabled="true"/>
<add mimeType="application/schema+json" enabled="true"/>
<add mimeType="application/vnd.geo+json" enabled="true"/>
<add mimeType="application/vnd.ms-fontobject" enabled="true"/>
<add mimeType="application/x-font-ttf" enabled="true"/>
<add mimeType="application/x-javascript" enabled="true"/>
<add mimeType="application/x-web-app-manifest+json" enabled="true"/>
<add mimeType="application/xhtml+xml" enabled="true"/>
<add mimeType="application/xaml+xml" enabled="true"/>
<add mimeType="application/xml" enabled="true"/>
<add mimeType="application/font-woff" enabled="true"/>
<add mimeType="application/x-font-ttf" enabled="true"/>
<add mimeType="application/octet-stream" enabled="true"/>
<add mimeType="font/eot" enabled="true"/>
<add mimeType="font/opentype" enabled="true"/>
<add mimeType="image/bmp" enabled="true"/>
<add mimeType="image/svg+xml" enabled="true"/>
<add mimeType="image/vnd.microsoft.icon" enabled="true"/>
<add mimeType="image/x-icon" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</staticTypes>
</httpCompression>
<urlCompression doStaticCompression="true" doDynamicCompression="true"/>
<!-- Client Cache Control -->
<staticContent>
<!-- Set expire headers to 30 days for static content-->
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="30.00:00:00" setEtag="false"/>
<!-- use utf-8 encoding for anything served text/plain or text/html -->
<remove fileExtension=".air"/>
<mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip"/>
<remove fileExtension=".css"/>
<mimeMap fileExtension=".css" mimeType="text/css"/>
<remove fileExtension=".js"/>
<mimeMap fileExtension=".js" mimeType="text/javascript"/>
<remove fileExtension=".json"/>
<mimeMap fileExtension=".json" mimeType="application/json"/>
<remove fileExtension=".rss"/>
<mimeMap fileExtension=".rss" mimeType="application/rss+xml; charset=UTF-8"/>
<remove fileExtension=".html"/>
<mimeMap fileExtension=".html" mimeType="text/html; charset=UTF-8"/>
<remove fileExtension=".xml"/>
<mimeMap fileExtension=".xml" mimeType="application/xml; charset=UTF-8"/>
<!-- HTML5 Audio/Video mime types-->
<remove fileExtension=".mp3"/>
<mimeMap fileExtension=".mp3" mimeType="audio/mpeg"/>
<remove fileExtension=".mp4"/>
<mimeMap fileExtension=".mp4" mimeType="video/mp4"/>
<remove fileExtension=".ogg"/>
<mimeMap fileExtension=".ogg" mimeType="audio/ogg"/>
<remove fileExtension=".ogv"/>
<mimeMap fileExtension=".ogv" mimeType="video/ogg"/>
<remove fileExtension=".webm"/>
<mimeMap fileExtension=".webm" mimeType="video/webm"/>
<!-- Proper svg serving. Required for svg webfonts on iPad -->
<remove fileExtension=".svg"/>
<mimeMap fileExtension=".svg" mimeType="image/svg+xml"/>
<remove fileExtension=".svgz"/>
<mimeMap fileExtension=".svgz" mimeType="image/svg+xml"/>
<!-- Remove default IIS mime type for .eot which is application/octet-stream -->
<remove fileExtension=".eot"/>
<mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject"/>
<remove fileExtension=".ttf"/>
<mimeMap fileExtension=".ttf" mimeType="application/x-font-ttf"/>
<remove fileExtension=".ttc"/>
<mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf"/>
<remove fileExtension=".otf"/>
<mimeMap fileExtension=".otf" mimeType="font/opentype"/>
<remove fileExtension=".woff"/>
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff"/>
<remove fileExtension=".woff2"/>
<mimeMap fileExtension=".woff2" mimeType="application/x-font-woff2"/>
<remove fileExtension=".less"/>
<mimeMap fileExtension=".less" mimeType="text/css"/>
<remove fileExtension=".crx"/>
<mimeMap fileExtension=".crx" mimeType="application/x-chrome-extension"/>
<remove fileExtension=".xpi"/>
<mimeMap fileExtension=".xpi" mimeType="application/x-xpinstall"/>
<remove fileExtension=".safariextz"/>
<mimeMap fileExtension=".safariextz" mimeType="application/octet-stream"/>
<!-- Flash Video mime types-->
<remove fileExtension=".flv"/>
<mimeMap fileExtension=".flv" mimeType="video/x-flv"/>
<remove fileExtension=".f4v"/>
<mimeMap fileExtension=".f4v" mimeType="video/mp4"/>
<!-- Assorted types -->
<remove fileExtension=".ico"/>
<mimeMap fileExtension=".ico" mimeType="image/x-icon"/>
<remove fileExtension=".webp"/>
<mimeMap fileExtension=".webp" mimeType="image/webp"/>
<remove fileExtension=".htc"/>
<mimeMap fileExtension=".htc" mimeType="text/x-component"/>
<remove fileExtension=".vcf"/>
<mimeMap fileExtension=".vcf" mimeType="text/x-vcard"/>
<remove fileExtension=".torrent"/>
<mimeMap fileExtension=".torrent" mimeType="application/x-bittorrent"/>
<remove fileExtension=".cur"/>
<mimeMap fileExtension=".cur" mimeType="image/x-icon"/>
<remove fileExtension=".webapp"/>
<mimeMap fileExtension=".webapp" mimeType="application/x-web-app-manifest+json; charset=UTF-8"/>
</staticContent>
Sadly SVG isn't being gzipped even though it is listed; it seems this has to be included at a lower level, as IIS doesn't recognise this MIME type by default.
If anyone has any suggestions, feel free to let me know!

Ajax call with cordova whitelist error

I've seen many posts about implementing the cordova whitelist plugin, but after a full week of testing I still haven't spotted my mistake.
This ajax call throws these alerts:
xhr {"readystate":0,"status":0,"statustext":"error"}.
status "error"
error ""
$.ajax({
    url: 'http://www.example.com/my_file.php',
    data: {type: 'test', code: '11'},
    method: "GET",
    dataType: "json",
    timeout: 5000,
    success: function (data) {
        alert('done ' + JSON.stringify(data));
    },
    error: function (xhr, status, error) {
        alert('xhr ' + JSON.stringify(xhr));
        alert('status ' + JSON.stringify(status));
        alert('error ' + JSON.stringify(error));
    }
});
I updated my phonegap build app with the new cordova whitelist implementation adding this to the meta:
<meta http-equiv="Content-Security-Policy" content="default-src data: gap: https://ssl.gstatic.com 'unsafe-eval' *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.example.com; connect-src 'self' http://www.example.com">
this to the config.xml:
<gap:plugin name="cordova-plugin-whitelist" source="npm"/>
<allow-navigation href="*" />
<allow-intent href="*" />
<access origin="*" />
and this in the js before ajax calls:
$.support.cors=true;
I'm using all the wildcards at the moment for testing; I'll change them later. This is the server PHP file I'm calling:
<?php
header("Access-Control-Allow-Origin: *");
header('Content-Type: application/json');
$data = json_encode(array($_GET));
echo $data;
?>
Phonegap Build version cli-5.2.0
Android 4.1.1
Any help will be appreciated.
Try this in your config.xml
<access origin="*"/>
<access origin="tel:*" launch-external="yes"/>
<allow-navigation href="*"/>
<allow-navigation href="http://*/*"/>
<allow-navigation href="https://*/*"/>
<allow-navigation href="data:*"/>
<allow-intent href="*"/>
<access origin="*"/>

$.ajax requests not working on Cordova 5.3.3 Android Application

I have a Cordova application in which the first page is a login that does an Ajax request to an external server.
I have added the Content-Security-Policy meta tag as follows:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>
The Login function gets called and is accessed but the $.ajax function seems to be completely ignored.
Before the function is called I've set
$.support.cors = true;
In my config.xml file I have the following
<feature name="Whitelist">
<param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin" />
</feature>
<access origin="*" subdomains="true" />
<allow-navigation href="*" />
<access origin="http://*.nutshellapps.co.uk" />
<allow-navigation href="http://*.nutshellapps.co.uk" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
I have added all of the above as a precautionary measure.
The nutshellapps.co.uk sub domain is what people will be logging in to with their credentials. So I have added the http://*.nutshellapps.co.uk to the access origin.
Is my meta tag correct?
I have a mixture of both inline styles and js, and css/js files containing code.
This worked on the previous version of Cordova that I used (3.5.0), but now this is causing major errors. If I run the application in the browser, it works fine, so I obviously know it's the whitelist plugin/a cross-domain issue.
Anyone else had this problem?
My ajax call is below
$.ajax({
    url: serviceURL + "Json/Authentication/login",
    type: "GET",
    data: {'data': JSON.stringify(loginData)},
    dataType: "jsonp",
    crossDomain: true,
    success: function(data) {
        console.log(data);
    },
    error: function(jqXmlHttpRequest, textStatus, errorThrown) {
        console.log('error');
    }
});
The content security policy meta tag that you posted seems to be malformed:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>
There is no closing ".
For Cordova, you also want to have the gap: protocol set and https://ssl.gstatic.com for Android, so I would suggest trying:
<meta http-equiv="Content-Security-Policy" content="default-src * data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *;">
You could also add connect-src in there if you want to specify different connect hosts versus your default-src.
A blog post that discusses these issues can be found here.
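As an added example (not code from any of the posts on this page), here is a small Content-Security-Policy linter that catches both syntax mistakes seen here: the quoted '*' in the first question's default-src (a quoted token is a keyword, so browsers drop it) and the "script-src:" directive name plus the unterminated content attribute in the meta tag this answer discusses. It also flags sources that weaken a policy. The sample policies are constructed from those posts, and the directive and keyword lists are the common CSP Level 3 ones.

```javascript
// Added example, not code from any of the posts above. Plain Node.js, no dependencies.
const KNOWN = new Set(['default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'frame-ancestors', 'base-uri', 'form-action', 'manifest-src', 'report-uri', 'report-to',
  'upgrade-insecure-requests', 'block-all-mixed-content', 'sandbox']);
const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'"]);
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$/;

// Split "name src src; name src" into [{ name, sources }] the way a browser does.
function parseCsp(policy) {
  return policy.split(';')
    .map(d => d.trim().split(/\s+/).filter(Boolean))
    .filter(tokens => tokens.length > 0)
    .map(tokens => ({ name: tokens[0].toLowerCase(), sources: tokens.slice(1) }));
}

// Pull the policy out of a <meta http-equiv="Content-Security-Policy"> tag.
// An unterminated content="..." attribute (as in the question above) is an error.
function cspFromMetaTag(tag) {
  const m = /\scontent="([^"]*)"/i.exec(tag);
  if (!m) throw new Error('meta tag: the content="..." attribute is not closed');
  return m[1];
}

// Returns [{ level: 'error' | 'warn' | 'info', directive, message }].
function lintCsp(policy) {
  const findings = [];
  const note = (level, directive, message) => findings.push({ level, directive, message });
  for (const { name, sources } of parseCsp(policy)) {
    if (!KNOWN.has(name)) {          // e.g. "script-src:" with a stray colon
      note('error', name, 'unknown directive name; browsers silently ignore it');
      continue;
    }
    for (const src of sources) {
      if (src.startsWith("'") && !KEYWORDS.has(src) && !NONCE_OR_HASH.test(src)) {
        // e.g. '*': quoting a host or wildcard turns it into an unknown keyword
        note('error', name, `${src} is not a keyword; hosts and * must not be quoted`);
      } else if (src === '*' || /^https?:$/.test(src)) {
        note('warn', name, `${src} allows loading from any host`);
      } else if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        note('warn', name, `${src} re-enables what the directive is meant to block`);
      }
    }
    const allowsInline = sources.some(s => s === "'unsafe-inline'" || NONCE_OR_HASH.test(s));
    if ((name === 'script-src' || name === 'style-src') && !allowsInline) {
      note('info', name, 'inline code is blocked; prefer nonces or hashes over unsafe-inline');
    }
  }
  return findings;
}

// Constructed inputs: the header from the first question (shortened) and the
// unterminated meta tag from the Cordova question.
const QUESTION_POLICY = "default-src 'self' '*'; script-src 'self' https://www.googletagmanager.com/; " +
  "style-src 'self' https://fonts.googleapis.com/";
const BROKEN_META = '<meta http-equiv="Content-Security-Policy" content="default-src *; ' +
  "style-src 'self' 'unsafe-inline'; script-src: 'self' 'unsafe-inline' 'unsafe-eval'>";

console.log(lintCsp(QUESTION_POLICY));
```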
I managed to solve this by adding the following to the top of my index.html
<meta http-equiv="Content-Security-Policy" content="default-src * 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; connect-src *">
I realise this isn't exactly safe, but I cannot get anything else to work.
Also, I made sure my WhitelistPlugin was loaded as the app started up in my config.xml
<feature name="Whitelist">
<param name="android-package" value="org.apache.cordova.whitelist.WhitelistPlugin" />
<param name="onload" value="true" />
</feature>

Cross-domain XHR with cordova-plugin-whitelist on PGB is Failing

Using:
PGB cli-5.2.0
cordova-plugin-whitelist (I've tried both https://build.phonegap.com/plugins/4178 and plugins/3401)
Referring to (https://github.com/lukesmith123/whitelist-2/blob/18a8ce4/README.md) I added <allow-navigation href="*" />, <allow-intent href="*" />, <access origin="*" />
My app is using an ajax request to get data from http that has "Access-Control-Allow-Origin", "*".
But I still get: Error Failed to load resource: the server responded with a status of 404, yet on localhost it works just fine.
What could I be missing?
Finally got it working.
I put this CSP meta tag in the HTML <head>
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline'; media-src *">
And put this cordova-plugin-whitelist in the config.xml
<gap:plugin name="cordova-plugin-whitelist" source="npm" />
<allow-navigation href="http://*/*" />
<allow-intent href="https://*/*" />
Phew!!!