Disable Content Security Policy after a page has loaded - xmlhttprequest

I've got a JavaScript bookmarklet that prompts for a bookmark name, then using XMLHttpRequest, POSTs the name and current page URL to a Java servlet running in Tomcat on localhost. The servlet stores the name and URL in a DB. This works fine for most webpages, but fails if the page that's currently loaded has added Content Security Policy "connect-src" restrictions.
Here's the error:
Refused to connect to 'http://localhost:8080/MyServlet' because it violates the following Content Security Policy directive: "connect-src 'self'".
I obviously don't want to disable CSP completely. And since I won't know if I want to bookmark the page until it's fully loaded, anything that tinkers with CSP in the response headers or meta tags is doing the work too soon.
Is there some way I can tell the browser to ignore the "connect-src" restriction for just my localhost case, or disable/enable it on either side of my XMLHttpRequest POST?
I'm in Chrome "90.0.4430.72 (Official Build) (64-bit)".
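As an added illustration (this is not code from the question or from any answer): the function below models, in simplified form, how the browser evaluates an XHR/fetch destination against a connect-src directive. It shows why a page that ships connect-src 'self' refuses the POST to http://localhost:8080/MyServlet, and that only the serving page's own policy can list that origin; note also that the port is part of the match, so a source of localhost alone would still not allow port 8080. The matching rules are reduced (no path matching, no redirect handling, no nonces or hashes), and the page and request URLs used in the checks are constructed.

```javascript
// Added example (not from the original question): a simplified model of how a
// browser checks an XHR/fetch destination against a CSP connect-src directive.
// It handles 'self', 'none', '*', scheme sources (https:) and host sources with
// an optional scheme, a leading '*.' wildcard and a port. Real CSP has more
// rules (path matching, redirects, nonces); this is enough to explain the
// "Refused to connect" error quoted in the question.

// Return the source list for connect-src, falling back to default-src as the
// spec does when connect-src is absent; null means the policy is silent.
function connectSrcSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// [scheme://]host[:port][/path] where host may be '*' or start with '*.'
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9.-]+|\*)(?::(\d+|\*))?(?:\/.*)?$/;

// Does one source expression permit requestUrl, given the page's own URL?
function sourceMatches(source, requestUrl, pageUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return requestUrl.origin === pageUrl.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return requestUrl.protocol === s; // e.g. "https:"

  const m = HOST_SOURCE.exec(s);
  if (!m) return false; // nonces, hashes and malformed tokens never match a URL
  const [, scheme, host, port] = m;

  // Scheme: an explicit one must match; without one, the request must use the
  // page's scheme (plus the http->https / ws->wss upgrade CSP allows).
  const reqScheme = requestUrl.protocol.slice(0, -1);
  if (scheme) {
    if (scheme !== reqScheme) return false;
  } else {
    const pageScheme = pageUrl.protocol.slice(0, -1);
    const upgraded = (pageScheme === 'http' && reqScheme === 'https') ||
                     (pageScheme === 'ws' && reqScheme === 'wss');
    if (reqScheme !== pageScheme && !upgraded) return false;
  }

  // Host: exact, or a '*.' wildcard that needs at least one extra label.
  if (host !== '*') {
    if (host.startsWith('*.')) {
      const suffix = host.slice(1); // ".example.com"
      if (!requestUrl.hostname.endsWith(suffix) || requestUrl.hostname.length <= suffix.length) return false;
    } else if (requestUrl.hostname !== host) {
      return false;
    }
  }

  // Port: an explicit port must match ('*' matches any); with none given, the
  // request must be on the scheme's default port (URL.port is '' then).
  if (port === '*') return true;
  if (port !== undefined) return port === requestUrl.port;
  return requestUrl.port === '';
}

// Evaluate a policy the way the browser would for one request from one page.
function connectAllowed(policy, requestUrl, pageUrl) {
  const sources = connectSrcSources(policy);
  if (sources === null) return true; // neither connect-src nor default-src: unrestricted
  const req = new URL(requestUrl);
  const page = new URL(pageUrl);
  return sources.some((src) => sourceMatches(src, req, page));
}

// Constructed usage: the situation in the question, then the policy the page
// owner would need for the request to pass.
console.log(connectAllowed("connect-src 'self'", 'http://localhost:8080/MyServlet', 'https://example.com/page'));
console.log(connectAllowed("connect-src 'self' http://localhost:8080", 'http://localhost:8080/MyServlet', 'https://example.com/page'));
```

The practical consequence is the one the question already suspects: the policy is part of the response that delivered the page, so nothing running inside that page afterwards can widen it; only the site operator can add the origin to connect-src.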

Related

Content Security Policy Using Chrome and iframes

I have a web page that contains an iframe. The iframe is loaded with a URL call to the same server as the page. However, I get this, because I am apparently using a different port, 81:
Refused to frame 'http://my-same-server:81/' because it violates the following Content Security Policy directive: "frame-src 'self' https://*".
I realize this is a Content Security Policy issue for newer Chrome browser versions, and know that I need to change an Apache header, but am not sure what I would change it to so that the iframe loads properly. The URL cannot use HTTPS; otherwise there are no special conditions. Any help would be grand. Thank you.

docfx menu missing "Articles", "Api Documentation" when hosted from filesystem but show up on localhost:8080

When I run docfx docfx.json --serve and go to localhost:8080, I see two items on the top menu: "Articles" and "Api Documentation". When I navigate in the filesystem to _site\ and click on index.html to open it in Chrome, these menu items are missing. How can I make sure the menu is properly set when I run it as a static site?
I need to be able to package the html files and send them to people for them to view locally without them having to download the repo and install docFX.
Reason: The page needs extra JS files for the navigation bar, but they are blocked by Chrome. You can see these errors in the Chrome console (F12):
docfx.vendor.js:4 Access to XMLHttpRequest at 'file:///C:/git/docfx-seed/_site/toc.html' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
send # docfx.vendor.js:4
docfx.vendor.js:4 Access to XMLHttpRequest at 'file:///C:/git/docfx-seed/_site/logo.svg' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
Solution: Use the statictoc template, which already embeds all the required parts into the HTML file:
docfx docfx.json -t statictoc

Referrer and origin preflight request headers in Safari are not changing when user navigates

I have two web pages hosted on a.example.com and b.example.com. Each web page includes a script with a <script> tag, hosted on another domain and served with correct CORS headers.
At a certain point, user navigates from a.example.com to b.example.com.
Safari has a strange behavior here: the referrer and origin headers in the preflight request are filled with a.example.com, making the server send a bad value in Access-Control-Allow-Origin (and so the script can't be executed).
Is there a way to force the Safari browser to send the correct origin header in that kind of scenario?
Does the cache policy for the script include Vary: Origin?
Or rather, is there actually a second request after navigating to b.example.com?
If not, there is a chance that Safari is actually serving the script from cache, despite the Access-Control-Allow-Origin policy forbidding it to access the resource. That is conforming behavior if the cache policy isn't configured correctly.
It seemed to be indeed a Safari bug.
The issue is not reproducible on Safari 10.0. It reproduces only on Safari 9.1.1 / 9.1.3.
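As an added example (not code from anyone in this thread): the comment above asks whether the script's cache policy includes Vary: Origin. The snippet below models the HTTP cache rule that question relies on, namely that a stored response may only be reused when every request header named in its Vary header has the same value on the new request as on the one that produced the entry. The headers and the "server echoes the requesting origin on a fresh fetch" behaviour are constructed assumptions for the demonstration.

```javascript
// Added example (not from the original thread): a minimal model of the HTTP
// cache rule behind the "Vary: Origin" question. A stored response may only be
// reused for a new request if every header named in the stored response's
// Vary header has the same value on the new request as on the request that
// produced the stored entry (RFC 9111 section 4.1). With Vary: Origin a script
// cached for a.example.com is not handed to a page on b.example.com; without
// it, the stale Access-Control-Allow-Origin travels with the cached body.

// Header names are case-insensitive; look them up accordingly.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Decide whether the cached entry may satisfy the new request.
function canReuseCachedResponse(entry, newRequestHeaders) {
  const vary = headerValue(entry.responseHeaders, 'Vary');
  if (vary === undefined || vary.trim() === '') return true;
  const fields = vary.split(',').map((f) => f.trim()).filter(Boolean);
  if (fields.includes('*')) return false; // "Vary: *" never matches
  return fields.every(
    (f) => headerValue(entry.requestHeaders, f) === headerValue(newRequestHeaders, f),
  );
}

// Simulate the navigation described in the question: the script was first
// fetched by a page on a.example.com and cached; then a page on b.example.com
// asks for the same script. scriptResponseHeaders are the headers the script
// host sent on the first fetch (constructed).
function simulateNavigation(scriptResponseHeaders) {
  const cached = {
    requestHeaders: { Origin: 'https://a.example.com', Referer: 'https://a.example.com/' },
    responseHeaders: scriptResponseHeaders,
  };
  const fromB = { Origin: 'https://b.example.com', Referer: 'https://b.example.com/' };
  const reused = canReuseCachedResponse(cached, fromB);
  // Assumption for the demo: on a fresh request the server echoes the
  // requesting origin back in Access-Control-Allow-Origin.
  const allowOrigin = reused
    ? headerValue(cached.responseHeaders, 'Access-Control-Allow-Origin')
    : fromB.Origin;
  return {
    reusedFromCache: reused,
    allowOrigin,
    corsCheckPasses: allowOrigin === fromB.Origin || allowOrigin === '*',
  };
}

// Constructed usage: same script headers with and without Vary: Origin.
console.log(simulateNavigation({ 'Access-Control-Allow-Origin': 'https://a.example.com', 'Cache-Control': 'max-age=3600' }));
console.log(simulateNavigation({ 'Access-Control-Allow-Origin': 'https://a.example.com', 'Cache-Control': 'max-age=3600', Vary: 'Origin' }));
```

The first call reproduces the symptom in the question (cached body, CORS header for the wrong origin, script blocked); the second shows that Vary: Origin forces a fresh request, which is the server-side check to make before concluding it is a browser bug.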

“The site uses SSL, but Google Chrome has detected insecure content on the page.”

I have just set up SSL on my site https://helloacm.com and the home page is OK but this URL https://helloacm.com/milestones/ browsing in Chrome shows “The site uses SSL, but Google Chrome has detected insecure content on the page.”
I have googled a lot and almost every article says that I should change all http to https for images, CSS and links, but I have viewed the source code and found that there are no references to http://helloacm.com any more, so I don't get why this URL still shows the error.
Look in the console. For me, it says:
Mixed Content: The page at 'https://helloacm.com/milestones/' was loaded over HTTPS, but contains a form whose 'action' attribute is 'http://www.google.co.uk/'. This form should not submit data to insecure endpoints.
Mixed Content: The page at 'https://helloacm.com/milestones/' was loaded over HTTPS, but requested an insecure image 'http://uploadbeta.com/_s/upload/2014/09/04/1137292dd6fbe2b75f1373cb0e3c7a1c.jpg.jpg'. This content should also be served over HTTPS.
Mixed Content: The page at 'https://helloacm.com/milestones/' was loaded over HTTPS, but requested an insecure image 'http://uploadbeta.com/_s/upload/2014/09/26/eb174fb4bab9f8cba5ef25fb0321234f.jpg'. This content should also be served over HTTPS.
Mixed Content: The page at 'https://helloacm.com/milestones/' was loaded over HTTPS, but contains a form whose 'action' attribute is 'http://www.google.com/'. This form should not submit data to insecure endpoints.
Simply fix the errors here, and that warning will go away. Also, regarding the second error: why are you requesting a .jpg.jpg? For me that simply reduces the quality. Just change that to a .jpg.
Just wanted to throw in another answer here for those of you who have tried everything and are still getting this error message.
With some hosts, like WP Engine, where you have yourwebsite.com but then another version of your site like yourinstall.wpengine.com (MediaTemple has something like this, and probably lots of other hosts), and especially if you built / developed the site at that temporary URL, and then set things up to forward the install to your actual URL...do a check in your database, because depending on how the forwarding works at the server level, you might see https://yourwebsite.com/my-image.png and be baffled, but in the database the actual image being served is still from the temporary domain.
Had me baffled forever!
You must set the "$config_location_base" directive to https://yoursite.com in your config.

SSL certificate warning in asp site

I have an ASP web site that gives a warning to visitors, with a red x (in Chrome) and "not verified" in Firefox, when they try to log in. See the picture.
Please advise what it means and what I should do
thanks
When a page is loaded via an HTTPS URL, the browser security model states that all resources referenced by that page should also be HTTPS URLs. Check your page for references to JavaScript, CSS, JPGs, etc. All of them should be using HTTPS when the main page is loaded by HTTPS.
If you have JavaScript that is dynamically loading content with XHR, you need to make sure the URLs you load match the scheme (HTTP or HTTPS) of the main page. This is particularly important for JavaScript that is intended to be reused on multiple HTML pages, some of which are loaded via HTTP and some of which are loaded via HTTPS.
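As an added example that serves both the helloacm.com thread and the ASP answer above (it is code from neither post): a small scanner that does for a page's HTML what the Chrome console messages quoted earlier do at load time. It reports every http: URL in the attributes browsers fetch from, plus insecure form actions, and labels each finding with the Mixed Content spec category (images and media are "optionally blockable" and merely warned about; scripts, frames and stylesheets are "blockable"). It is regex-based and deliberately limited (no inline CSS or JavaScript analysis, nothing that would catch the database-stored URLs the WP Engine answer describes), so it is a first pass, not a replacement for the console. The sample page, host names and paths are constructed.

```javascript
// Added example (not from either thread): a simple mixed-content scanner for
// the HTML of a page served over HTTPS. Regex-based and intentionally narrow:
// it inspects resource-bearing attributes only.

// Attribute names browsers load resources from, per element.
const URL_ATTRS = {
  img: ['src', 'srcset'], script: ['src'], link: ['href'], iframe: ['src'],
  audio: ['src'], video: ['src', 'poster'], source: ['src'], object: ['data'],
  embed: ['src'], form: ['action'],
};
// Mixed Content spec: images and media are "optionally blockable" (shown with a
// warning); everything else is "blockable". Form actions are not fetches, but
// Chrome warns because the submitted data would travel in the clear.
const OPTIONALLY_BLOCKABLE = new Set(['img', 'audio', 'video', 'source']);

function classify(tag) {
  if (tag === 'form') return 'insecure-form-action';
  return OPTIONALLY_BLOCKABLE.has(tag) ? 'optionally-blockable' : 'blockable';
}

// Resolve an attribute value against the page URL. Relative and protocol-relative
// ("//host/path") references inherit https: from the page and are therefore safe;
// only a result with an explicit http: scheme is mixed content.
function isInsecure(value, pageUrl) {
  try {
    return new URL(value.trim(), pageUrl).protocol === 'http:';
  } catch {
    return false; // unparsable value: not a URL the browser would fetch
  }
}

function findMixedContent(html, pageUrl) {
  const findings = [];
  if (new URL(pageUrl).protocol !== 'https:') return findings; // only HTTPS pages can have mixed content
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = URL_ATTRS[tag];
    if (!attrs) continue;
    for (const attr of attrs) {
      const attrRe = new RegExp(`\\b${attr}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
      const a = attrRe.exec(m[2]);
      if (!a) continue;
      const raw = a[2] ?? a[3] ?? a[4];
      // srcset holds "url descriptor, url descriptor"; check each candidate URL
      const candidates = attr === 'srcset' ? raw.split(',').map((c) => c.trim().split(/\s+/)[0]) : [raw];
      for (const url of candidates) {
        if (isInsecure(url, pageUrl)) findings.push({ tag, attr, url, kind: classify(tag) });
      }
    }
  }
  return findings;
}

// Constructed sample page modelled on the console messages quoted above
// (search host, CDN host and paths are placeholders, not the real ones).
const SAMPLE_HTML = `
<html><body>
<form action="http://search.example/" method="get"><input name="q"></form>
<img src="//cdn.example/a.jpg">
<img src="http://cdn.example/upload/2014/09/04/photo.jpg.jpg">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<link rel="stylesheet" href="/style.css">
</body></html>`;

// Constructed usage: three findings (form action, image, script); the
// protocol-relative image and the relative stylesheet are reported as clean.
console.log(findMixedContent(SAMPLE_HTML, 'https://example.test/milestones/'));
```

Running it against the page's own markup is the quick check; if the scan is clean but the console still complains, the reference is being produced somewhere the HTML does not show (generated markup, inline CSS, or stored URLs, as the WP Engine answer points out).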