After entering card details and proceeding for payment, a small blank pop up from stripe appears and i get an error in the console.
Refused to load the image 'https://hooks.stripe.com/img/favicon.png' because it violates the following Content Security Policy directive: "img-src data: https://q.stripe.com".
Here is the screenshot of the error
error
I have also set the content security policies as per stripe but still the same error again and again.
app.post('/payments/create', async (request, response) => {
response.set("Content-Security-Policy", `script-src 'self' https://js.stripe.com https://checkout.stripe.com; style-src 'self' checkout.stripe.com; frame-src 'self' *.stripe.com *.stripe.network; img-src data: 'self' https://*.stripe.com; connect-src 'self' *.stripe.com;`);
const total = request.query.total;
const paymentIntent = await stripe.paymentIntents.create({
amount: total, //subunits of the currency
currency: "usd",
});
response.status(201).send({
clientSecret: paymentIntent.client_secret,
}); // OK and Created something
})
The error says that your img-src directive is "img-src data: https://q.stripe.com" while your policy definition says it is "img-src data: 'self' https://*.stripe.com;". You should check if there are multiple CSPs defined in response headers or meta tags. Content will need to pass all policies, and in this case there is likely another policy causing it to break. You might have tried to implement CSP in another way first and forgot to remove it.
Related
Issue is related to NWebSec content security headers -
If I use more wildcard tags in my NWebSec CSP code then it's working but If I use exact URLs which I needed in my application then is giving an issue in my sign-in page "Post/ applicationurls.com/sigin-oidc" 502 Bad Gateway.
I think this issue is related to response header size in the asp.net core. I've tried a few codes to increase response header size in .net core but nothing helps.
Below is my working code with more wildcard tags - but I need to use some of the URLs exactly and need to add a few more.
internal static class NWebSecExtensions
{
internal static void AddNWebSecSecurity(this IApplicationBuilder app, IConfiguration config)
{
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseXfo(xfo => xfo.SameOrigin());
app.UseRedirectValidation(options =>
{
options.AllowSameHostRedirectsToHttps()
.AllowedDestinations("https://www.google.com/accounts/", config["NWebSec:TestCheckInstanceDomain"]);
}); //Register this earlier if there's middleware that might redirect.
app.UseCsp(options => options
.DefaultSources(s => s.Self())
.ScriptSources(s =>
{
s.Self().UnsafeEval().UnsafeInline()
.CustomSources("https://www.google-analytics.com", "https://www.googletagmanager.com",
"https://xyz.test.net", "https://*.testnetwork.net", "https://xyz.cdntestwork.net");
})
.StyleSources(s =>
{
s.Self().UnsafeInline()
.CustomSources("https://xyz.test.net", "https://*.testnetwork.net");
})
.ImageSources(s =>
{
s.Self().CustomSources("data:", "https:");
})
.ObjectSources(s => s.Self())
.ConnectSources(s =>
{
s.Self()
.CustomSources($"wss://{config["NWebSec:MyTestCAppServiceDomain"]}",
$"https://{config["NWebSec:TestWebStrMediaDomain"]}",
$"https://{config["NWebSec:TestStorageAccountDomain"]}",
"https://www.google-analytics.com", "https://web.mynetwork.com/",
"https://*.testnetwork.com", "https://*.dnstestcrt.net",
"https://*.testnetwork.net", "https://*.oceantest.net");
})
.MediaSources(s =>
{
s.Self()
.CustomSources(
$"https://{config["NWebSec:TestWebStrMediaDomain"]}",
"blob:", "https://*.testnetworkcdn.com", "https://*.dnstestcrt.net",
"https://*.testnetwork.com",
"https://*.elenewtd.net", "https://*.elenewtd.net", "https://*.oceanfms.net",
"https://*.oceantest.net");
})
.FrameSources(s => { s.Self().CustomSources("https://*.testnetwork.net/"); })
.ChildSources(s => { s.Self().CustomSources("blob:"); })
.FontSources(s => { s.Self().CustomSources("https://xyz.test.net", "data:"); }));
}
}
If I add below actually needed tags then it starts giving me 502 Bad Gateways Issue.
Content-security-policy:
default-src https://*.testsrcwo.net 'self';
script-src https://*.testsrcwo.net 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://www.googletagmanager.com
https://xyz.test.net https://swebce.zoom.us https://runers.testnetwork.net https://opr.krcdnt.net;
object-src https://*.testsrcwo.net 'self';
style-src https://*.testsrcwo.net 'self' 'unsafe-inline' https://xyz.test.net https://troep.trotr.us https://runers.testnetwork.net;
img-src https://*.testsrcwo.net 'self' data: https://dashboard.mynetwork.org https://www.google-analytics.com https://xyz.test.net
https://web.mynetwork.com https://starttrik.testnetwork.com https://cf-images.tre-tei-1.lean.dnsjunto.net https://runers.testnetwork.net https://*.dnsjunto.net https://plunt.ghandukans.com;
run-src https://*.testsrcwo.net 'self' https://lean-ghan-dukans-treehills-shabs-ams-proxy-func.testwebsites.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net blob: https://*.testnetworkcdn.com https://*.dnsjunto.net https://*.run.testnetwork.com https://*.elewend.net https://*.elewend.net https://*.treetop.net https://*.oceapto.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net;
frame-src https://*.testsrcwo.net 'self' https://runers.testnetwork.net;
font-src https://*.testsrcwo.net 'self' https://xyz.test.net data:;
connect-src https://*.testsrcwo.net 'self' wss://lean-ghan-dukans-testplt-vart-kaptry.testwebsites.net https://leantreehillsshabsrun.keydelivery.neartoyou.run.test.net https://leantreehillsshabsrun-euno.jumkoo.run.test.net https://leanghandukanstreehillseve.blob.roit.windows.net https://shada-leantreehillsshabsrun-euno.jumkoo.run.test.net https://www.google-analytics.com https://web.mynetwork.com https://edge.api.testnetwork.com https://manifest.lean.dnsjunto.net https://runers.testnetwork.net https://bcbolt446c5271-a.oceapto.net https://lean-ghan-dukans-treehills-shabs-tro-proxy-func.testmywebsites.net;
child-src https://*.testsrcwo.net 'self' blob:; report-uri /WebRreirutie.axd?cspReport=true;
Please find my startup class, program file, and web-config
Startup.cs
ConfigureService Method code -
Configure Method code -
Program.cs
WebConfig
I'm trying to send a POST request from 127.0.0.1:8080 to my express server in localhost:3000/trips
I'm having a lot of problem with the cors configuration
First, this is my method to do the POST request
async modifyTrip() {
let json = {
data: "test",
mezzo: "test",
coordinate: ["test"],
tappe: ["test"],
};
let modifyform = document.getElementById("add-form");
modifyform.onsubmit = async (e) => {
e.preventDefault();
await fetch("http://localhost:3000/trips", {
method: "POST",
headers: {
Accept: "application/json",
"Content-Type": "application/json",
},
body: json,
});
};
}
On the server side if I put cors options at that point returns me that error:
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use(
cors({
"Access-Control-Allow-Origin": "*",
"Allow-Methods": "GET, POST, DELETE, FETCH",
})
);
app.use("/user", userRoutes);
app.use("/trips", tripsRoutes);
If I try to change the position the error is different my it always gives me problem
app.use(
cors({
"Access-Control-Allow-Origin": "*",
"Allow-Methods": "GET, POST, DELETE, FETCH",
})
);
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());
app.use("/user", userRoutes);
app.use("/trips", tripsRoutes);
I don't think the matter is of where I put it, but I can't fix this problem anyway. Maybe I have to change some headers in my client side, but i really can't figure it out
Thank you.
It's a 400 Bad Request error, so look up what that means:
The HyperText Transfer Protocol (HTTP) 400 Bad Request response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (for example, malformed request syntax, invalid request message framing, or deceptive request routing).
So something is wrong with the request and the server is complaining (before it gets to the bit of code which would add the CORS response headers). The CORS error is a side-effect, not the main problem.
If you look at the Network tab of your browser's developer tools, you will be able to examine the request.
The body will look something like this:
[object Object]
Now, you said (using a Content-Type header) you were POSTing JSON, but [object Object] is not JSON (or even a usable representation of your data).
You need to pass JSON to body and not an object. Since you are passing an object, it gets stringified using the default JS mechanism (which gives "[object Object]").
Use JSON.stringify(your_object) to convert it to JSON.
I have a Vue frontend, an Auth0 and Fastify backend. CORS is configured as follows:
fastify.register(require('fastify-cors'), {
origin: 'http://localhost:8080',
methods: 'GET,PUT,POST,DELETE,OPTIONS,HEAD',
allowedHeaders: 'Origin, X-Requested-With, Content-Type, Accept',
})
Frontend headers configuration:
this.$auth.getTokenSilently().then(token => {
this.headers = {
Authorization: `Bearer ${token}` // send the access token through the 'Authorization' header
};
The problem is common:
Access to XMLHttpRequest at 'http://127.0.0.1:3000/dir' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I've read a lot about CORS, know this is a browser side problem (Insomnia sends requests perfectly). Actually, I do not have clear understanding of what else I should allow and how. Basically I need only standart GET, PUT, POST, DELETE requests allowed. Could you please point out the exact configuration problems in my code?
First 401 was caused by OPTIONS request without autentication token. Actually it should be seamlessly processed by a fastify-cors. But due to an incorrect order of initialisation of on-request hooks (first - mine to autenticate, using fastify-auth0-verify, second - implicit hook from fastify-cors), it never invoked. So you need a precise order of hooks explicit and implicit initialization: first - cors, then second - authentication.
The second problem, 401 on the following POST, happened because of incorrect usage of an axios request params on the frontend Vue side. Headers like { Authorization: 'Bearer SomeVeryLongSecretXYZ'}were passed as, for instance, ...post(url, data, this.headers), but there must be {headers : this.headers}.
Final configuration for CORS:
fastify.register(require('fastify-cors'), {
origin: '*',
methods: 'GET,PUT,POST,DELETE,OPTIONS',
})
In one of my projects the csp is defined as
var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
The issue is that my internal JS is not working. I have included knockout JS and I get an error there.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Uncaught EvalError: Unable to parse bindings.
Bindings value: if: sessionType() === ''
Message: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
Getting this error in this line
<script type="text/javascript">
var returnUrl = '#Model.ReturnUrl';
$(function () {
$(":input").inputmask();
});
</script>
The <script type="text/javascript">...</script> is an inline script therefore you have got error:
Refused to execute inline script because it violates the following
Content Security Policy directive: "default-src 'self'". Either the
'unsafe-inline' keyword, a hash
('sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='), or a nonce
('nonce-...') is required to enable inline execution
You have 3 opts to allow inline script:
to add 'insafe-inline' token into default-src directive (it's severely reduces CSP protection)
to add 'sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio=' token into default-src directive (although it better to add script-src 'self' 'sha256-SyLtUpmx0OjAxbTKXy2jd0BL8QnTwNgkVdWgf9/eQio='). Negative moment: you have to regenerate a 'hash-value' when you change the script's content.
to add 'nonce-value' into default-src or script-src. Nonce values should be generated fresh on each page loads, therefore it's better to use NWebsec Tag Helpers
The error:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self'".
means you have use eval(), new Function() or setTimeout()/setInterval() function calls.
In case of eval()/new Function() you have no choice other than add 'unsafe-eval' token into default-src (or script-src if you add it).
In case of setTimeout()/setInterval() - these counted as unsafe eval expressions only if get a function as string parameter. You can use anonymous (or named) function to avoid 'unsafe-eval' usage.
Normally, when I make a jQuery request to a non-local server, it applies Cross-site HTTP request rules and initially sends an OPTIONS request to verify the existence of an endpoint and then it sends the request, i.e.
GET to domain.tld/api/get/user/data/user_id
jQuery works fine, however I would like to use Vue Resource to deal with requests. In my network log, I see only the actual request being made (no OPTIONS request initially), and no data is being received.
Anybody has an idea how to solve this?
Sample Code:
var options = {
headers: {
'Authorization': 'Bearer xxx'
}
};
this.$http.get(config.api.base_url + 'open/cities',[options])
.then(function(response){
console.log('new request');
vm.cities = response;
}, function(error){
console.log('error in .js:');
console.log(error);
});
jquery-request
Solution:
As #Anton mentioned, it's not necessary to have both requests (environment negligible). Not sure what I have changed to make it work, but the request gave me an error. It consisted in setting the headers correctly. Headers should not be passed as options but as a property of http:
this.$http({
root: config.api.base_url + 'open/cities', // url, endpoint
method: 'GET',
headers: {
'Authorization': 'Bearer xxx'
}
}).then(function(response){
console.log('new request');
vm.cities = response;
}, function(error){
console.log('error in .js:');
console.log(error);
});
Thank you guys, it was a team effort :)
Is it a requirement that an additional OPTIONS request is being made? I have created a small (32 LOC) example which works fine and retrieves the data:
https://jsfiddle.net/ct372m7x/2/
As you can see, the data is being loaded from a non-local server. The example is located on jsfiddle.net and the request is made to httpbin.org - this leads to CORS being applied (you can see the Access-Control-Allow-Origin header in the screenshot below).
What you also see is that only the GET request has been executed, no OPTIONS before that.