Cobalt can't open URLs without a Content-Security-Policy setting - cobalt

I found that Cobalt can only open the YouTube page, and can NOT open URLs without a Content-Security-Policy setting in the response data or in the HTML page (e.g. <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline'">), so is there any CSP config so that URLs without a Content-Security-Policy setting can also be opened?
The Content Security Policy spec:
https://www.w3.org/TR/CSP2/

This is an intentional security feature, because Cobalt is aimed at running applications, not general web browsing. It can be disabled with the command-line switch --csp_mode=disable, but this is disabled in gold builds.
The CSP itself only applies to the page associated with the policy. Once you navigate to another page, as long as the navigation is allowed by the current page's policy, the policy will be thrown out and replaced with the next page's policy. But there is no way to use CSP to disable the CSP requirement enforcement.

Related

Content Security Policy with JQGrid

I am using JQGrid extensively in my code base. Now that I have added Content Security Policy default-src 'self', none of my grids are loading.
If I change it to default-src 'self' 'unsafe-inline', the grids start loading again.
Is there any mechanism by which I can tweak JQGrid to play nice with CSP without adding the unsafe-inline directive?
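The following is an added example, not code from Cobalt, JQGrid, or anyone in these threads. It is a small CSP (Level 2) parser that illustrates both questions above: findCsp() reports whether a response carries a policy at all, in the Content-Security-Policy header or in a <meta http-equiv> tag, which is what Cobalt insists on; scriptVerdict() reports whether the effective script-src allows inline scripts, which is why default-src 'self' breaks a widget that injects inline script, and whether a given nonce would be accepted in place of 'unsafe-inline'. The headers, HTML, nonce values and sample policies are constructed for the example.

```javascript
// Added example (not Cobalt's or JQGrid's code): minimal CSP Level 2 parsing
// to show (a) detecting whether a page carries any policy and (b) what the
// effective script-src permits. All inputs below are constructed.

function parseCsp(policy) {
  // "name value value; name ..." -> Map of directive name -> source list.
  // A directive repeated within one policy is ignored after its first occurrence.
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function findCsp(headers, html) {
  // The HTTP header wins when both header and meta tag are present.
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === 'content-security-policy');
  if (key !== undefined) return headers[key];
  // Otherwise look for <meta http-equiv="Content-Security-Policy" content="...">
  // in either attribute order.
  const metaRe = /<meta\b[^>]*>/gi;
  let tag;
  while ((tag = metaRe.exec(html || '')) !== null) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag[0])) continue;
    const c = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag[0]);
    if (c) return c[1] ?? c[2] ?? c[3];
  }
  return null; // no policy at all: the case Cobalt refuses to load
}

function scriptVerdict(policy, nonce) {
  const d = parseCsp(policy);
  // script-src governs scripts; default-src is the fallback; with neither,
  // scripts are unrestricted.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return { restricted: false, inlineAllowed: true, nonceAllowed: true };
  const lower = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = lower.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    restricted: true,
    // CSP2: 'unsafe-inline' is ignored as soon as any nonce or hash source is listed.
    inlineAllowed: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    // Nonces are compared case-sensitively against the raw source list.
    nonceAllowed: nonce !== undefined && sources.includes(`'nonce-${nonce}'`),
  };
}

// Constructed inputs: the meta tag from the Cobalt question, a page with no
// policy, and the two JQGrid policies plus a nonce-based alternative.
const cobaltHtml = '<html><head><meta http-equiv="Content-Security-Policy" ' +
  'content="object-src \'none\'; script-src \'self\' \'unsafe-eval\' \'unsafe-inline\'"></head></html>';
const noCspHtml = '<html><head><title>no policy</title></head></html>';
const jqgridStrict = "default-src 'self'";
const jqgridUnsafe = "default-src 'self' 'unsafe-inline'";
const jqgridNonce = "default-src 'self'; script-src 'self' 'nonce-d3adb33f'";

console.log(findCsp({}, cobaltHtml));                // policy string from the meta tag
console.log(findCsp({}, noCspHtml));                 // null
console.log(scriptVerdict(jqgridStrict));            // inline blocked
console.log(scriptVerdict(jqgridUnsafe));            // inline allowed
console.log(scriptVerdict(jqgridNonce, 'd3adb33f')); // inline blocked, nonce accepted
```

The nonce variant is the usual answer to "how do I avoid 'unsafe-inline'": generate a fresh random nonce per response, put it in script-src, and stamp it on every <script> tag you emit. Whether that is practical depends on whether the widget lets you control the script tags it creates.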

What is the set of whitelisted URLs for Firefox CSP?

As in the case of the Google Chrome browser (Google Chrome CSP), there is whitelisting of origins -
Currently, we allow whitelisting origins with the following schemes:
blob, filesystem, https, chrome-extension, and
chrome-extension-resource.
Is there any listing of such origins for Firefox? We are trying to write an add-on for Firefox which will need to load as an iframe.
I currently get the following CSP error when I am trying to load a frame.html read from my add-on XPI resources. It's a frame which then loads the actual frame.
Content Security Policy: The page's settings blocked the loading of a
resource at data:text/html;
An iframe with chrome-extensions:// as the path works for the Chrome browser; nothing like that is available for Firefox (at least I am unable to trace such a thing).
Please give us some suggestion for a path to get the extension iframe working.
On Firefox data:, blob: and filesystem: are subject to CSP. Use chrome: or resource: instead.
Update:
Apparently this approach will not work with the Add-on SDK, probably due to sandbox restrictions.

How to avoid "show all content" msg on HTTPS site in IE9?

We have an HTTPS site that brings up a page from a different site of ours that's HTTP.
In IE (9), we get the message at the bottom of the page:
“Only secure content is displayed. What’s the risk? [Show all content]”.
When the button is clicked, it closes the lightbox-ish control that's open and returns to the page it was overlaid on.
Does anyone know how to avoid this?
In the HTTP site’s page, one guy here had the idea to add, at the end of On_Load, the following to turn off cross-site scripting protection:
this.Response.Headers.Add("X-XSS-Protection", "0");
Both sites are C# / ASP.NET 4.0.
Thanks in advance!
Add the URL to your trusted sites; it's the only way if you don't send all data through HTTPS.
Internet Options -> Security -> Trusted Sites -> Sites.
If this is something that needs to be company wide, I would recommend pushing out the rule via a group policy.
Alternatively, allow access to the control using HTTPS on the other site (if you can) and reference that - the warning will disappear.
The real setting to enable here is to "Display mixed content" for the zone of the site you want. If the site is on your Intranet, you select Intranet zone in the Security settings, then Custom level. If it's an Internet site, you go there and go to Custom level.
There, you should see the "Display mixed content" setting, and simply select "Enable", then "OK" your way out of the dialogs.
Reference: https://www.mydigitallife.net/how-to-disable-only-secure-content-is-displayed-in-ie-always-show-all-mixed-content/

How to prevent content being displayed from Back-Forward cache in Firefox?

Browser: Firefox 6.0
I have Page A with the following setup to make sure the content is NOT stored in the bfcache of the browser:
1) $(window).unload(function(){});
2) Following HTTP headers:
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="-1" />
<meta http-equiv="cache-control" content="no-cache"/>
I've also hooked up the events pagehide and pageshow. When I am navigating away from the page, pagehide is invoked with the CORRECT value for the event property persisted = false (that is what's needed: no persistence in cache!)
After navigating a couple of pages, I have a window.history.go(-2); to go back to Page A. At this point, I want Firefox to poll the server for the updated version instead of displaying from the cache. The pageshow of Page A is invoked with the CORRECT value for the event property persisted = false (meaning the page is NOT loaded from cache). BUT the page content is not the server data; it is the stale content (same as when navigating away from the page initially)! Fiddler also does not show a new request to the server.
Google Chrome also exhibits the same behaviour. IE works as expected (reloads fresh data)!
Any idea what I am missing?
Thanks in advance!
There are multiple caches involved. There's the browser's document cache (bfcache), the browser's HTTP cache, and possibly intermediate HTTP caches.
The <meta> tags you show above have absolutely no effect in current Chrome or Firefox. They may have an effect in IE.
So chances are, your page is just being read from the browser's HTTP cache.
If you really want to send no-cache HTTP headers, you should do that. But they need to be actual HTTP headers: as I said above, the <meta> tag "equivalents" do nothing.
And, importantly, any other intermediate caches are not going to be parsing your HTML so might cache things if you don't actually send the right HTTP headers.
If you set Cache-Control: no-cache, no-store, must-revalidate in the HTTP headers, the page won't be cached in the back-forward cache.
Firefox also considers event handlers on the beforeunload event as a signal to not store the page in the BFC, but Safari ignores such handlers, so it's better to set correct HTTP headers to indicate the nature of the page content (cacheable or variable).
There are two caches to bear in mind:
The bfcache (back-forwards cache)
The bfcache (in Firefox, Safari and Chrome) stores the page in memory, including any dynamic modifications to the DOM. It is used by Firefox, Safari and Chrome when pressing back. To attempt to ensure that the page is not stored in this cache, you need to run these lines:
window.addEventListener('unload', function(){});
window.addEventListener('beforeunload', function(){});
Note that this seems to work in desktop Firefox and Chrome, but doesn't always work in desktop Safari, or Android Chrome or Android Firefox or iOS Safari.
Note that Webkit documentation calls the bfcache the "Page Cache".
The normal browser cache
Pages are cached in the normal browser cache, unless you set the proper no-store value in the Cache-Control header. To be extra sure, send this full header:
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Firefox, Safari and Chrome will first check the bfcache when pressing the back button. They will then fall back to the normal cache. So you need to both add an event listener to unload, and set this Cache-Control HTTP header. Note that using <meta> instead of the HTTP header may not work.
References:
Article on back/forward cache by Chrome Developer Relations
The answer below does not work any more:
From answer on SO, adding an unload event to window causes the back/forward cache to be cleared.
UPDATE. POSSIBLE SOLUTION:
BFCache can bring surprises to developers, because at least in Firefox when moving back/forward the page does not refresh even if it was told by HTTP headers. So it's better to assume that the page will not refresh.
On the other hand, what is the difference between getting page with outdated data because of BFCache, and finding a tab in your browser that you did not reload for ages?
If you care about those kinds of things, write some JavaScript that checks the server for updates and reloads sensitive information. This is a chance to turn your problem into a win :).

Can a corporate proxy cache whole pages?

We are seeing some odd errors when our customers test our ASP.NET web apps. There is a cart counter on the top of every page that tells you how many items are in the shopping cart. She reports that this number is changing as she moves from one page to the next. We cannot recreate this.
Is it possible that her corporate proxy server is caching the whole page and never actually contacting our server? This is a staging site on http, her production site is on https.
Revision: The page gets cached over HTTPS as well. It shows a completely cached version of our shopping cart page. If the user clicks the refresh button they get a current version of the page, but that new version becomes the cached version.
It's certainly possible that an intermediate proxy (corporate or otherwise) is caching your pages. Although I don't understand how that would explain the cart number on the page changing. If you don't want any caching to take place, send the appropriate HTTP headers along with each request you don't want cached:
Cache-Control: private, no-store, max-age=0
Expires: <some date in the past>
Pragma: no-cache
The first line above is for HTTP 1.1 clients, and the second two are for HTTP 1.0 clients. Check out section 14.9 of the HTTP 1.1 protocol spec for all the gory details.
There's also a setting in IE that could cause this behavior. Go to "Tools" > "Internet Options". On the "General" tab, click "Settings" under "Browsing History". Make sure "Check for newer versions of stored pages" is set to "Automatically". This is the default value.
I had a user who changed this to "Never" and was wondering why he always saw old content. :)
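The following is an added example, not code from either of the answers above. It classifies a response's caching behaviour from its headers using the RFC 9111 meaning of the directives recommended in the bfcache answer (max-age=0, no-cache, no-store, must-revalidate, private) and in the proxy answer (private, no-store, max-age=0 plus the HTTP/1.0 Expires and Pragma fallbacks), distinguishing the user's own browser cache from a shared intermediate cache such as the corporate proxy in the question. The sample responses are constructed; the function names are my own.

```javascript
// Added example (not from the answers above): decide, from response headers,
// whether a browser cache and a shared proxy may store the response and
// whether a stored copy may be reused without contacting the origin.
// Semantics follow RFC 9111; the sample responses at the bottom are constructed.

function parseCacheControl(value) {
  // "no-cache, max-age=0, private" -> { 'no-cache': true, 'max-age': '0', private: true }
  const directives = {};
  for (const part of (value || '').split(',')) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    if (eq === -1) {
      directives[token.toLowerCase()] = true;
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      directives[name] = token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
  }
  return directives;
}

function header(headers, name) {
  // Case-insensitive header lookup on a plain object of header name -> value.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function classifyCaching(headers, now = Date.now()) {
  const cc = parseCacheControl(header(headers, 'cache-control'));
  const expires = header(headers, 'expires');
  const pragma = (header(headers, 'pragma') || '').toLowerCase();

  // no-store: no cache of any kind may keep a copy.
  const noStore = cc['no-store'] === true;
  // private: the browser may keep it, a shared proxy may not.
  const isPrivate = cc['private'] !== undefined;
  // Revalidation: no-cache, max-age=0, or an Expires already in the past
  // (an unparsable value such as "-1" counts as past, RFC 9111 section 5.3)
  // all require checking with the origin before a stored copy is reused.
  // Pragma: no-cache is the HTTP/1.0 fallback the proxy answer mentions.
  const maxAge = cc['max-age'] === undefined ? undefined : Number(cc['max-age']);
  const expiresTime = expires === undefined ? undefined : Date.parse(expires);
  const expiresPast = expires !== undefined && (Number.isNaN(expiresTime) || expiresTime <= now);
  const mustRevalidate =
    cc['no-cache'] === true || maxAge === 0 || expiresPast || pragma.includes('no-cache');

  return {
    browserMayStore: !noStore,
    proxyMayStore: !noStore && !isPrivate,
    // With no freshness information at all (the staging site in the question),
    // a cache may assign a heuristic lifetime and serve the copy without
    // contacting the origin, which is exactly how a stale cart counter appears.
    mayServeWithoutRevalidation: !noStore && !mustRevalidate,
  };
}

// Constructed sample responses: the two recommended header sets, a page sent
// with no caching headers, and a per-user page the browser alone may cache.
const sampleResponses = {
  bfcacheAnswer: { 'Cache-Control': 'max-age=0, no-cache, no-store, must-revalidate, private' },
  proxyAnswer: {
    'Cache-Control': 'private, no-store, max-age=0',
    'Expires': 'Thu, 01 Jan 1970 00:00:00 GMT',
    'Pragma': 'no-cache',
  },
  noHeaders: { 'Content-Type': 'text/html' },
  privateOnly: { 'Cache-Control': 'private, max-age=300' },
};

for (const [name, headers] of Object.entries(sampleResponses)) {
  console.log(name, classifyCaching(headers));
}
```

Note that these are HTTP cache rules only: the bfcache is a separate in-memory snapshot, and whether a browser keeps a page there depends on the browser and version, so the HTTP headers are the part you can actually rely on for proxies and for the ordinary browser cache.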
