I am using the following Content Security Policy in Report-Only mode:
Content-Security-Policy-Report-Only "default-src 'self'; report-uri /log_violations"
When I go to a URL on the server with an HTML page containing the following:
<!DOCTYPE html>
<html>
<head>
<title>
Test document
</title>
</head>
<body>
Hello
</body>
</html>
I am seeing the following error message in Firefox 57.0 on line 1:
Content Security Policy: The page’s settings observed the loading of a
resource at self (“default-src http://www3.thestar.com”). A CSP report
is being sent. Source: ;!function(){var t=0,e=function(t,e){ret...
In other browsers, like Edge and Chrome, I haven't seen these errors.
Any thoughts on whether this is a Firefox quirk or something I've set up incorrectly? I'm stumped as to why the policy is rejecting line 1 of every page.
You probably have an extension installed and enabled that is injecting content into the page. Try opening the page in a new Firefox profile without any extensions to see if you see the CSP violation reported.
Firefox is planning to exclude content injected by extensions in CSP checks starting Firefox 58 so this should reduce the noise from extensions doing stuff on a page.
From the Mozilla blog,
Starting with Firefox 58, the CSP of a web page does not apply to
content inserted by an extension. This allows, for example, the
extension to load its own resources into a page.
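A /log_violations endpoint that expects this kind of extension noise needs some triage logic, not just storage. The following is an added example (not code from the question or the answer) of how such an endpoint could parse a report and separate likely extension-injected inline scripts from real page violations; the served HTML, the report fields and the two heuristics are assumptions constructed here.

```python
import json

# Constructed: the HTML the server actually serves for the page in the question.
SERVED_HTML = "<!DOCTYPE html><html><head><title>Test document</title></head><body>Hello</body></html>"

# Constructed CSP report shaped like what Firefox POSTs to report-uri; the
# script-sample mirrors the ";!function(){..." snippet in the question's console.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page.html",
    "violated-directive": "default-src",
    "original-policy": "default-src 'self'; report-uri /log_violations",
    "blocked-uri": "self",
    "source-file": "https://example.test/page.html",
    "line-number": 1,
    "script-sample": ";!function(){var t=0,e=function(t,e){ret",
}})

def parse_report(body):
    """Return the inner 'csp-report' object, or None if body is not a CSP report."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None

def classify(report, served_html):
    """'extension' when the violation looks injected by a browser extension, else 'page'.
    Heuristics (assumed): an extension-scheme source file, or an inline script
    (blocked-uri 'self') whose sample does not occur in the HTML the server sent."""
    if (report.get("source-file") or "").startswith(("moz-extension:", "chrome-extension:")):
        return "extension"
    sample = report.get("script-sample") or ""
    if report.get("blocked-uri") == "self" and sample and sample not in served_html:
        return "extension"
    return "page"

def handle_post(body, served_html):
    """Minimal /log_violations endpoint logic: returns (HTTP status, log line)."""
    report = parse_report(body)
    if report is None:
        return 400, "rejected: body is not a CSP violation report"
    line = "%s: %s violation at %s line %s (blocked-uri=%s)" % (
        classify(report, served_html), report.get("violated-directive", "?"),
        report.get("source-file", "?"), report.get("line-number", "?"),
        report.get("blocked-uri", "?"))
    return 204, line   # the browser ignores the response body; 204 is customary
```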
I am getting intermittent mixed content errors on my https site. The site link is stakeholdermap.com
I have checked Chrome Dev tools > Network tab and I am seeing insecure URLs; examples below:
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://static.vertamedia.com/static/vpaid-ssp-vast.swf?aid=41476&sid=0&cb=146233.42079096.743365'. This content should also be served over HTTPS. ads?client=ca-pub-3370240294319443&format=300x250&output=html&h=250&slotname=8722343817&adk=5159607…
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://ads2.vertamedia.com/vast/vpaid-config/?width=300&height=250&aid=4147…takeholdermap.com&v=2.2.90&t=flash&video_duration=&cb=73026784276589750000'. This content should also be served over HTTPS.
But the ad slots are using the latest code (//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js)
I am pretty certain these are loaded by Adsense. My question is how can I block this or force it to use https?
Ask the user's browser to fetch the secure content, if possible:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
If the ad is available via https, then it will fetch that version, otherwise, the content will be blocked and another shown in its place. Put the meta in the <head> section of your pages where all your other meta tags are located.
You can find more information here: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
In Chrome I get the following error messages in the console
[blocked] The page at https://domain.com/home.html ran insecure
content from
http://domain.com/typo3temp/stylesheet_09c1ef800c.css?1345207892.
if I call https://domain.com. The user gets a page without stylesheets and images. What can I do against this?
The files are included like <script type="text/javascript" src="js/lib/jquery-1.5.1.min.js"></script> but I don't want to define the domain.
Should I completely switch to https by setting the base URL with https? Which other possibilities do I have?
I used
config {
baseURL = https://domain.com
}
and adapted all links which had http at the beginning (otherwise the slider stopped working because Chrome didn't load the other resources ...). Seems to work now.
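Both the AdSense question and the TYPO3 one above come down to finding which subresource references are absolute http:// inside an https:// page. The following is an added example (not code from either question or answer) that scans a page the way the browser's mixed-content check reasons about it and also notes whether an upgrade-insecure-requests meta is present; the sample page and the tag/attribute table are assumptions constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a subresource load that browsers block as
# mixed content when it is http:// inside an https:// page (assumed list).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "embed": "src", "object": "data", "source": "src", "link": "href"}

# Constructed page resembling the TYPO3 question: a relative script path,
# a protocol-relative AdSense loader, and one absolute http:// stylesheet.
SAMPLE_PAGE = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://domain.com/typo3temp/stylesheet_09c1ef800c.css?1345207892">
<script type="text/javascript" src="js/lib/jquery-1.5.1.min.js"></script>
<script src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</head><body><img src="images/slider.png"></body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []               # (tag, absolute URL) pairs
        self.upgrade_requested = False   # upgrade-insecure-requests meta present?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if "upgrade-insecure-requests" in a.get("content", "").lower():
                self.upgrade_requested = True
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return                       # only stylesheet links are subresource loads
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            # Relative and protocol-relative (//host/...) references inherit the
            # page's https scheme; only absolute http:// references are mixed content.
            absolute = urljoin(self.page_url, a[attr])
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, absolute))

def scan(page_url, html):
    """Return the insecure subresources of an https page and whether the page
    asks the browser to upgrade them."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return {"insecure": scanner.insecure,
            "upgrade_insecure_requests": scanner.upgrade_requested}
```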
When I try to debug my GWT app that's inside an iframe (note that the GWT code server and web server are both local) I'm having permissions issues. The following errors are thrown:
on Chrome console: "Refused to display document because display
forbidden by X-Frame-Options.";
on Chrome webpage window: "Plugin
failed to connect to Development Mode server at 127.0.0.1:9997 Follow the underlying troubleshooting instructions"
This ONLY happens in Google Chrome; Firefox and IE are OK.
I've already searched for similar problems but all of them are in a cross-domain context, and mine is local. I also tried the proposed solutions, but all without success.
Here is an example of my webpage containing my iFrame. I can't debug MyGWT app.
<!doctype html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<iframe src="MyGWT.html?gwt.codesvr=127.0.0.1:9997"></iframe>
</body>
</html>
The page that's being blocked is probably TroubleshootingOOPHM
FYI, this has been fixed in GWT 2.5, which now links to this page rather than trying to display it in an iframe (moreover underneath the error glasspane, which made it hardly readable anyway before Google changed their server settings)
I'm prompting users of IE to install the Chrome Frame add-on. If the user is on IE and doesn't have Chrome Frame installed, they are redirected (server side) to a page with a custom message and the install page in an IFrame:
http://www.google.com/chromeframe/?quickenable=true
After install has completed, Chrome Frame is not loaded in the current tab. Is there a way to force it to be? I've tried including redirect=True but that doesn't work because I have the page in a frame.
You make your pages work with Google Chrome Frame by adding a single tag, like this:
<meta http-equiv="X-UA-Compatible" content="chrome=1">
or by adding an X-UA-Compatible HTTP response header:
X-UA-Compatible: chrome=1
Add the meta tag to the html file which you are loading in the frame and it should initialize the chromeframe.
I am trying a simple test with the html 5 cache.
Here is a simple web page:
<!DOCTYPE html>
<html manifest="test.manifest">
<head>
</head>
<body>
<img src="http://www.somewebsite.com/picture.jpg"/>
</body>
</html>
With the following manifest:
CACHE MANIFEST
#v0.1
NETWORK:
http://www.somewebsite.com/
This works fine; the picture is displayed.
My problem is that I won't be able to know where the picture will come from. Here comes the online whitelist wildcard flag, which is supposed to solve my problem.
But with the manifest:
CACHE MANIFEST
#v0.1
NETWORK:
*
The image is not displayed (tested on Safari / Mobile Safari / Firefox).
What is not working?
Is there another way to turn the online whitelist wildcard flag on?
Tested in Firefox 3.6.4:
NETWORK:
http://*
Per the docs, when "the online whitelist wildcard flag is open" (i.e., the NETWORK: * format),
Subresources, such as style sheets,
images, etc, would only be cached
using the regular HTTP caching
semantics, however.
which seems to be the "what is not working". To cache subresources in the HTML5 way, the manifest must either list them in a CACHE: section, or use specific "online whitelist namespaces" as you did in your first version.
I wish to use an SVG font in a web app aimed at Mobile Safari (Mobile Safari only reads the SVG font format for @font-face). Mobile Safari also requires the font ID, which is included at the end of the file name, after a number sign (#):
font-name.svg#123456789
This is not working in the cache manifest for the site and, with the limited feedback one gets from Mobile Safari, I am only guessing that the # is causing the font ID to be read as a comment, and not as part of the actual file name.
Is there a way to 'trick' the cache manifest into reading this differently? Perhaps with a wildcard after the SVG? Or an ascii-only trick?
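The wildcard question and answer above and this SVG-font question both hinge on how a cache manifest is parsed: only a line that starts with # is a comment, "NETWORK: *" opens the online whitelist wildcard flag rather than adding a namespace, and an entry's URL fragment is dropped during parsing. The following is an added example (not code from any of the posts) of a small parser that follows those rules and a lookup that shows where a URL would be served from; the three manifests and the manifest URL are constructed here, and the scheme check of the full algorithm is omitted.

```python
from urllib.parse import urljoin, urldefrag

SECTIONS = {"CACHE:": "explicit", "NETWORK:": "network", "FALLBACK:": "fallback"}

# Constructed manifests mirroring the question's two variants plus the SVG font case.
MANIFEST_NAMESPACE = "CACHE MANIFEST\n#v0.1\nNETWORK:\nhttp://www.somewebsite.com/\n"
MANIFEST_WILDCARD = "CACHE MANIFEST\n#v0.1\nNETWORK:\n*\n"
MANIFEST_FONT = "CACHE MANIFEST\n#v0.1\nCACHE:\nfont-name.svg#123456789\n"

def parse_manifest(text, manifest_url):
    """Parse a cache manifest following the appcache rules for comments,
    section headers, the NETWORK '*' wildcard flag and URL fragments."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if not lines or lines[0].strip() != "CACHE MANIFEST":
        raise ValueError("first line must be 'CACHE MANIFEST'")
    manifest = {"explicit": [], "network": [], "fallback": [], "wildcard": False}
    mode = "explicit"                      # entries before any header are CACHE entries
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # only a line that *starts* with '#' is a comment
        if line.endswith(":") and " " not in line:
            mode = SECTIONS.get(line, "unknown")   # entries of unknown sections are skipped
            continue
        if mode == "unknown":
            continue
        tokens = line.split()
        if mode == "network" and tokens[0] == "*":
            manifest["wildcard"] = True    # online whitelist wildcard flag: open
            continue
        # Resolve against the manifest URL and drop any fragment, so
        # "font-name.svg#123456789" becomes an entry for font-name.svg.
        url = urldefrag(urljoin(manifest_url, tokens[0])).url
        if mode == "fallback":
            if len(tokens) >= 2:
                fallback = urldefrag(urljoin(manifest_url, tokens[1])).url
                manifest["fallback"].append((url, fallback))
        else:
            manifest[mode].append(url)
    return manifest

def resolve(manifest, url):
    """Where a page under this manifest gets a subresource from: 'cache' for explicit
    entries, 'network' for whitelisted namespaces or an open wildcard, else 'blocked'.
    (Fallback entries are not consulted here.)"""
    url = urldefrag(url).url
    if url in manifest["explicit"]:
        return "cache"
    if manifest["wildcard"] or any(url.startswith(ns) for ns in manifest["network"]):
        return "network"
    return "blocked"
```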