Square CSP Policy needs a quick update - square-connect

Loading failed for the <script> with source
“blob:https://connect.squareup.com/2d9347c7-e067-4ca1-9aaf-7ce2c40aec44”.
frame.html:1
Content Security Policy: The page’s settings blocked the loading of a
resource at
blob:https://connect.squareup.com/2d9347c7-e067-4ca1-9aaf-7ce2c40aec44
(“script-src 'unsafe-inline' https://browser.sentry-cdn.com”).
When will the Square developers please update their CSP policy and address other pending issues?

Related

Codeinjector firefox addon triggering Content Security Policy error on twitter

I am using this Firefox addon to run JavaScript on sites to tweak how they work for me:
https://addons.mozilla.org/en-US/firefox/addon/codeinjector
Unfortunately on Twitter I get this error:
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
Is there a way I can override this in firefox settings?
Content Security Policy is a mechanism which allows a web server to specify, via HTTP headers, which sources of content (scripts, images, ...) are considered safe.
As your scripts are not part of the content security policy, they are blocked by the browser, which is the intended behavior.
You can either:
Use a Firefox plugin, such as Modify Header Value, to dynamically add your script locations to the CSP rules coming from the HTTP headers.
Use the same plugin to completely remove the CSP headers. But this means you will not be protected by CSP when browsing Twitter. This is not safe.
You can also totally disable CSP rules by disabling security.csp.enable in the about:config panel, but this is really not safe and I don't recommend it.

How to debug CSP (including CSP cache)

I am developing a page and for some reason I started getting these errors on our test server (replaced its hostname for security reasons):
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). injectGlobalHook.js:808:49
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/admin/assets/demo/default/base/scripts.bundle.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/admin/runtime.4cbfbfa49b193f847ed1.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/admin/polyfills.7e64f3b1273a474a8867.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/admin/scripts.9ad8122b74233091de3d.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://example.com/admin/main.53084d308f02a83449d8.js (“script-src”).
The problem is that these errors happen only to me, only on Firefox and only when not using incognito.
I also don't have any CSP configuration in the project.
I assume the reason is that at some point there were some CSP rules on that server and they got cached.
How can I debug the reason why I am getting those errors and where can I find the cached CSP rules?
edit:
Forgot to mention, these errors are not specific to Angular.
They appear on all scripts loaded from that domain, including the Angular page, the Swagger API doc and the Symfony debugger.
I just used the Angular one as an example.

Blob download blocked in iFrame via content security policy on Firefox only

Content Security Policy is blocking download of a blob (csv) in an iframe on Firefox only, this works fine in Chrome... Not sure what I'm doing wrong. I've renamed the domains to make it easier to understand the parent child frame relationship.
This is the error:
Content Security Policy: The page’s settings blocked the loading of a
resource at
blob:https://mysubdomain-prod.mychilddomain.net/4663b181-76a0-dd4b-a5b2-7bbb65fd9f38
(“child-src https://mysubdomain-prod.mychilddomain.net
https://*.myparent.net”)
Firefox 54.0 on Sierra
Any ideas?

Yammer REST API CORS error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource

We are working with the REST APIs of Yammer and sometimes we are getting the exceptions below and are not able to complete requests.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.yammer.com/api/v1/users/followed_by/XXX.json?&_=XXX. This can be fixed by moving the resource to the same domain or enabling CORS.
We added the web URL to the JavaScript origins too. It is observed in IE and Firefox too.
#Yammer team: can you please check. Thanks.

Refused to load the image because it violates the following Content Security Policy directive

We recently started using Amazon CloudFront as CDN for images and I noticed that when I'm trying to share it via Pinterest Pin It button, there is this error in the console.
[Error] [Report Only] Refused to load the image
'https://d9hblenkye2332.cloudfront.net/image.jpg' because it violates
the following Content Security Policy directive: "default-src 'self'
*.pinterest.com *.pinimg.com *.google.com connect.facebook.net *.google-analytics.com *.facebook.com www.googleadservices.com googleads.g.doubleclick.net 'unsafe-inline' 'unsafe-eval'". Note that
'img-src' was not explicitly set, so 'default-src' is used as a
fallback.
After doing some research, it seems that this is related to Content Security (http://content-security-policy.com), but I'm not sure what has to be done, especially when there is no setting for this in the CDN. Has anyone else run into this issue?
What is your origin server? If it is an S3 bucket, you might want to take a look at the CORS policy for it. Typical causes for such problems are CORS. The settings for CORS are not done on the CDN itself, but on the origin server behind it (if it is S3, then in the bucket CORS policy).
Some info is here:
Enabling Cross-Origin Resource Sharing - Amazon Simple Storage Service : http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html