I am developing a laravel 5.0 project. I don't know when or how this error occurs.
Error parsing header X-XSS-Protection: â1;mode=blockâ: expected 0
or 1 at character position 0. The default protections will be applied.
Specific in Developer > Network
X-XSS-Protection:%E2%80%9C1;mode=block%E2%80%9D
The above error shows up in console. I've read about what this means and what X-XSS-Protection is but i have no idea what should i do to fix it (because i don't even know how this error occurs) . Please feel free ask for code blocks or files and i will provide. From what i understand laravel has it's own default security which are used in http headers but i have never searched about this topic. Is there a specific file where laravel configures the http headers?
Here is my .htaccess file :
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes...
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
EDIT 1 :
(I have never edit this file)
What i found after searching X-XSS-Protection : (look at the last array)
In vendor\symfony\http-foundation\Tests\ResponseHeaderBagTest.php
public function provideAllPreserveCase()
{
return array(
array(
array('fOo' => 'BAR'),
array('fOo' => array('BAR'), 'Cache-Control' => array('no-cache')),
),
array(
array('ETag' => 'xyzzy'),
array('ETag' => array('xyzzy'), 'Cache-Control' => array('private, must-revalidate')),
),
array(
array('Content-MD5' => 'Q2hlY2sgSW50ZWdyaXR5IQ=='),
array('Content-MD5' => array('Q2hlY2sgSW50ZWdyaXR5IQ=='), 'Cache-Control' => array('no-cache')),
),
array(
array('P3P' => 'CP="CAO PSA OUR"'),
array('P3P' => array('CP="CAO PSA OUR"'), 'Cache-Control' => array('no-cache')),
),
array(
array('WWW-Authenticate' => 'Basic realm="WallyWorld"'),
array('WWW-Authenticate' => array('Basic realm="WallyWorld"'), 'Cache-Control' => array('no-cache')),
),
array(
array('X-UA-Compatible' => 'IE=edge,chrome=1'),
array('X-UA-Compatible' => array('IE=edge,chrome=1'), 'Cache-Control' => array('no-cache')),
),
array(
array('X-XSS-Protection' => '1; mode=block'),
array('X-XSS-Protection' => array('1; mode=block'), 'Cache-Control' => array('no-cache')),
),
);
}
Related
I installed a Laravel application on my apache2 server. I installed like an alias.
The address of the server is: 192.168.1.137
The address of Laravel application is : 192.168.1.137/intranet
Here the virtualhost configuration :
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
Alias /intranet "/var/www/html/intranet/public"
<Directory "/var/www/html/intranet/public">
allow from all
order allow,deny
AllowOverride All
</Directory>
It works well.
I have a problem with my storage path. I cannot open a pdf document. When I look with Firefox inspector it gives the path : 192.168.1.137/storage/document.pdf
I cannot open the document by url on the application. If I modify the url manually with Firefox inspector and I add intranet like this 192.168.1.137/intranet/storage/document.pdf
path of url
It works.
I try to add intranet to my config filesystems file, but nothing.
Where I have to modify to obtain the right address ?
Here my configuration file :
/*
|--------------------------------------------------------------------------
| Application Name
|--------------------------------------------------------------------------
|
| This value is the name of your application. This value is used when the
| framework needs to place the application's name in a notification or
| any other location as required by the application or its packages.
*/
'name' => 'Intranet',
/*
|--------------------------------------------------------------------------
| Application Environment
|--------------------------------------------------------------------------
|
| This value determines the "environment" your application is currently
| running in. This may determine how you prefer to configure various
| services your application utilizes. Set this in your ".env" file.
|
*/
'env' => env('APP_ENV', 'APP_DEBUG'),
/*
|--------------------------------------------------------------------------
| Application Debug Mode
|--------------------------------------------------------------------------
|
| When your application is in debug mode, detailed error messages with
| stack traces will be shown on every error that occurs within your
| application. If disabled, a simple generic error page is shown.
|
*/
'debug' => env('APP_DEBUG', true),
/*
|--------------------------------------------------------------------------
| Application URL
|--------------------------------------------------------------------------
|
| This URL is used by the console to properly generate URLs when using
| the Artisan command line tool. You should set this to the root of
| your application so that it is used when running Artisan tasks.
|
*/
'url' => env('APP_URL', 'http://192.168.1.137/intranet'),
/*
Here my filesystems
'disks' => [
'local' => [
'driver' => 'local',
'root' => storage_path('app'),
// 'root' => base_path(),
],
'public' => [
'driver' => 'local',
'root' => storage_path('app/public'),
'url' => env('APP_URL').'/storage',
'visibility' => 'public',
],
'rapports'=>[
'driver' => 'local',
'root' => storage_path('../../../../../mnt/rapports'),
],
],
The path rapports works well.
Thank you for your help
Since your files are located in outside of public folder in storage.If you want to access files public then it should be placed under
storage/app/public/
we can see configuration in fielsystem.php
'public' => [
'driver' => 'local',
'root' => storage_path('app/public'),
'url' => env('APP_URL').'/storage',
'visibility' => 'public',
],
Also make sure to run php artisan storage:link this will create shortcut in storage folder
I succeed to open a pdf document.
Here how :
I changed .env, APP_URL= for http://192.168.1.137/intranet
I had a problem in my view. It was like this :
success: function (data) {
$('#iframe').attr('src', '/storage/' + data)
$('#dlrpt').attr('href', '/download/pdf/' + data)
$('#reportPreview').modal('show')
}
The path '/storage/'+data sent the url at the root of the site it was 192.168.1.137.
But I wanted to have 192.168.1.137/intranet
I changed like this :
In my vue.js data:
config: {!! json_encode(config('app.url')) !!},
Now config return 192.168.1.137/intranet
success: function (data) {
$('#iframe').attr('src', self.config+'/storage/' + data)
$('#dlrpt').attr('href', '/download/pdf/' + data)
$('#reportPreview').modal('show')
}
It work !
It important to have a good configuration in .htaccess on the public folder.
like this :
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteBase /intranet
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
php_value max_execution_time 300
Thank you for your help.
I am getting this error when I assess an image using html2canvas.
Access to image at 'http://testdomain.com/storage/images/products/user_front.png' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Here is my cors config.
return [
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['*'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,
];
Here the header, when I access the image.
Any one can help me?
Html to canvas uses element in DOM that's why it's requiring a cors from your public folder but laravel does not support that, it only supports cors with api. You need to change your config file.
If you are using nginx use this:
location /storage/ {
add_header 'Access-Control-Allow-Origin' '*';
}
Apache:
<IfModule mod_headers.c>
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp|pdf)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
Take note that you need to change the Access-Control-Allow-Origin when deploying to prod to only accept the valid server origin.
I have below two routes
Route::get('register',
array(
'uses' => 'Auth\Register\RegisterController#showRegistrationForm',
'as' => 'showRegistrationForm'
)
);
Route::get('/',
array(
'uses' => 'Auth\Login\LoginController#showLoginForm',
'as' => 'showLoginForm'
)
);
Both routes works perfectly on localhost. Then, I deployed the files on Linode server at path /var/www/html/adminapi2
I again checked above both urls. Login Url(default) works fine(http://50.116.5.82/adminapi2/public/) but url with route: showLoginForm gives 404 error(http://50.116.5.82/adminapi2/public/register)
AM I missing anything?
It seem you are running laravel as subdirectory, to make url rewriting works, you should change public/.htacces file from:
...
RewriteRule ^ index.php [L]
...
to
...
RewriteRule ^ adminapi2/public/index.php [L]
...
Your RewriteRule should configured as subdirectory.
Hope it helps
My model code
public function show_active_cat($limit,$offset) {
$query = $this->db->select()
->from('categories')
->where('status', 1)
->limit($limit, $offset)
->order_by('created', 'DESC')
->get();
return $query->result();
}
public function num_rows() {
$query = $this->db
->select('id,cat_name,parrent_id,status')
->from('categories')
->where('status',1)
->get();
return $query->num_rows();
}
Controller Code
public function categories($page = 'categories') {
if (!file_exists('application/views/public/' . $page . '.php')) {
show_404();
} else {
$this->load->library('pagination');
$config = [
'base_url' => base_url('pages/categories'),
'per_page' => 2,
'total_rows' => $this->categorymodel->num_rows(),
'uri_segment' => 3,
'full_tag_open' => "<ul class='pagination'>",
'full_tag_close' => "</ul>",
'first_tag_open' => '<li>',
'first_tag_close' => '</li>',
'last_tag_open' => '<li>',
'last_tag_close' => '</li>',
'next_tag_open' => '<li>',
'next_tag_close' => '</li>',
'prev_tag_open' => '<li>',
'prev_tag_close' => '</li>',
'num_tag_open' => '<li>',
'num_tag_close' => '</li>',
'cur_tag_open' => "<li class='active'><a>",
'cur_tag_close' => '</a></li>',
];
$this->pagination->initialize($config);
$data['cat_list'] = $this->categorymodel->show_active_cat($config['per_page'], $this->uri->segment(3));
$this->load->view('templates/public-header');
$this->load->view('public/categories',$data);
$this->load->view('templates/public-footer');
}
}
My htaccess
<IfModule authz_core_module>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>
Deny from all
The problem is when I try to click a panination link to get the next records then url is: http://192.168.1.66:2020/ci/pages/categories/2
Message:
404 Page Not Found
The page you requested was not found.
Here i found solution when i removed if statement and then its worked fine
`if (!file_exists('application/views/public/' . $page . '.php'))
{
show_404();
}`
just posted this on IRC channel ZFTalk too,
Hope I can get some help on ZF2, ZF2 Album Tutorial, OSX using MAMP. Skeleton framework, homepage is working.
Issue : After completing section : 8.5 Listing albums, you fill up the module/Album/view/album/album/index.phtml with some code, then they ask you to preview the page on http://zf2-tutorial.localhost/album.
I get a 404, The requested URL could not be matched by routing.
I headed to Google for advice. Found a GIT repository with a 'fully working model' of the Tutorial, so i got this to compare my code with. If i set up this as another host I get the same 404 routing message.
After carefully studying the manual, it explicitly states in the start that you will not be able to view anything other than the start/home page if your httpd.conf / AllowOverride is not set to FileInfo.
Decided to scan the whole machine for files called httpd.conf, just for in case the path to the one I changed is not used by MAMP when powering up the server.
So found 3, changed all of them (Although 3 we're found, I believe the correct route is /private/etc) My problem still exists in the code i wrote from the tutorial, as well as the GIT code of the 'working model'.
Has anyone encountered issues with this? found this on stackoverflow Zend Framework 2 .htaccess mamp pro which has similarities to my problem but has not resolved it. Can anyone in here help me?
Other routes taken involve : Checking for spelling mistakes in the code, checking the application.config.php has a route set up. Please advise? :)
Module.php
<?php
namespace Album;
use Album\Model\Album;
use Album\Model\AlbumTable;
use Zend\Db\ResultSet\ResultSet;
use Zend\Db\TableGateway\TableGateway;
class Module
{
public function getAutoloaderConfig()
{
return array(
'Zend\Loader\ClassMapAutoloader' => array(
__DIR__ . '/autoload_classmap.php',
),
'Zend\Loader\StandardAutoloader' => array(
'namespaces' => array(
__NAMESPACE__ => __DIR__ . '/src/' . __NAMESPACE__,
),
),
);
}
public function getConfig()
{
return include __DIR__ . '/config/module.config.php';
}
public function getServiceConfig()
{
return array(
'factories' => array(
'Album\Model\AlbumTable' => function($sm) {
$tableGateway = $sm->get('AlbumTableGateway');
$table = new AlbumTable($tableGateway);
return $table;
},
'AlbumTableGateway' => function ($sm) {
$dbAdapter = $sm->get('Zend\Db\Adapter\Adapter');
$resultSetPrototype = new ResultSet();
$resultSetPrototype->setArrayObjectPrototype(new Album());
return new TableGateway('album', $dbAdapter, null, $resultSetPrototype);
},
),
);
}
}
module.config.php
<?php
return array(
'controllers' => array(
'invokables' => array(
'Album\Controller\Album' => 'Album\Controller\AlbumController',
),
),
'router' => array(
'routes' => array(
'album' => array(
'type' => 'segment',
'options' => array(
'route' => '/album[/][:action][/:id]',
'constraints' => array(
'action' => '[a-zA-Z][a-zA-Z0-9_-]*',
'id' => '[0-9]+',
),
'defaults' => array(
'controller' => 'Album\Controller\Album',
'action' => 'index',
),
),
),
),
),
'view_manager' => array(
'template_path_stack' => array(
'album' => __DIR__ . '/../view',
),
),
);
Resolved this error with help from this thread.
I think, barring any other misconfiguration, the source of this error - for me at least - was where to register the Album module.
The SKELETON Application comes with an Application MODULE. Those are two different things and they have have their own config folders:
config // SKELETON Application config
module/Application/config // Application MODULE config
The module needs to be registered in the Skeleton Application config file provided with the skeleton, namely config/application.config.php and NOT by creating an application.config.php file in the Application Module config, e.g. module/Application/config/application.config.php.
You can solve is by configuring the apache settings in (httpd.conf) change the
"AllowOverride None" to "AllowOverride All".
Such setting permit you to override the config value by .htaccess
Please try this
If you see a standard Apache 404 error, then you need to fix .htaccess usage before continuing. If you’re are using IIS with the URL Rewrite Module, import the following:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*$ index.php [NC,L]
You now have a working skeleton application and we can start adding the specifics for our application. Please let me know if it worked fine from you.