I set the CSP to allow to connect to google font service as below. On first time load everything works fine (I doubt that SW caching anything) but when I refresh the page I see the error inspite of connect-src explicitly added google font url.
CSP added to index.html
<meta http-equiv="Content-Security-Policy"
content="
default-src 'self' https: fonts.googleapis.com;
font-src 'self' https: fonts.googleapis.com fonts.gstatic.com data:;
style-src 'self' 'unsafe-inline' https: fonts.googleapis.com fonts.gstatic.com data:;
child-src 'self' fonts.googleapis.com;
connect-src 'self' https: fonts.googleapis.com;
object-src 'none';">
ngsw-config:
"assetGroups": [
{
"name": "app",
"installMode": "prefetch",
"resources": {
"files": [
"/favicon.ico",
"/index.html",
"/manifest.webmanifest",
"/*.css",
"/*.js"
],
"urls": [
"https://fonts.googleapis.com/**",
"https://fonts.gstatic.com/**"
]
}
}
ERROR:
Looks like you have add CSP to wrong index.html, not one from angular config.
In you CSP shown default-src 'self' https: fonts.googleapis.com;...connect-src 'self' https: fonts.googleapis.com; but according to console warns the violation occurs for default-src 'self'; and it's used as fallback because of absent connect-src directive.
Related
I am running a VUE 3 CLI project on localhost
There is a remote server I need to call for data. Browsers were blocking this CORS so I had to learn how to set up correct api headers and a proxy in the vue config.
My vue.config.js file contains this:
devServer: {
https: true,
proxy: {
'^/api': {
target: 'https://api.mysite.com/',
ws: true,
changeOrigin: true
}
}
},
This resolved my CORS block from local host to the remote server but caused the problem in the title. It now thinks that the call to the sockjs-node file is cross origin.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://192.168.29.243:8080/sockjs-node/info?t=1615826901010. (Reason: CORS request did not succeed).
I can't seem to find any reason for this or a solution. Has anyone run into this and knows what to do?
This fixed it for me.
Please check following link: How can I fix these SockJS ssl errors?
// vue.config.js
module.exports = {
devServer: {
proxy: {
"^/api": {
target: "https://localhost:44345",
ws: true,
changeOrigin: true,
},
},
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept",
},
public: "http://localhost:44345",
disableHostCheck: true,
},
};
Issue :
I successfully Login and make a Post Call and receive for following
error after making a cy.request( )POST API call :
I was able to make cy.request( ) get API calls which retured 200 , so API call error seems specific to the above cy.request( ) POST API call
Error:
The response we got was:
Status: 403 - Forbidden
Headers: {
"date": "Thu, 19 Dec 2019 16:10:19 GMT",
"server": "Apache",
"x-frame-options": "SAMEORIGIN, DENY",
Full Error
CypressError: cy.request() failed on:
https://uat1.dns2.merchantportal.eu/MerchantApiWeb/rest/secure/user/financial/preauthorisation
The response we received from your web server was:
403: Forbidden
This was considered a failure because the status code was not '2xx' or '3xx'.
If you do not want status codes to cause failures pass the option: 'failOnStatusCode: false'
The request we sent was:
Method: POST
URL: https://uat1.dns2.merchantportal.eu/MerchantApiWeb/rest/secure/user/financial/preauthorisation
Headers: {
"Connection": "keep-alive",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
"accept": "/",
"Cookie": "NSC_JOfmamujd2zndlkdwlzogneusels0bQ=ffffffff09405a8245525d5f4f58455e445a4a42378b; ROUTEID=.1; JSESSIONID=mu_x-VvVK3_rycxkJ9eef9w7lUPzw-SFLqiyXZnd.r5cvap1013.1dc.com.MP.WEB",
"accept-encoding": "gzip, deflate",
"content-type": "application/json",
"content-length": 101
}
Body: {"fromDate":"2019-12-19","toDate":"2019-12-19","pageNumber":1,"sortBy":"preAuthDate","sortOrder":"D"}
The response we got was:
Status: 403 - Forbidden
Headers: {
"date": "Thu, 19 Dec 2019 16:10:19 GMT",
"server": "Apache",
"x-frame-options": "SAMEORIGIN, DENY",
"strict-transport-security": "max-age=15552000; includeSubdomains; preload, max-age=31536000 ; includeSubDomains",
"expires": "0",
"cache-control": "no-cache, no-store, max-age=3600, must-revalidate",
"x-xss-protection": "1; mode=block",
"pragma": "no-cache",
"x-content-type-options": "nosniff",
"content-type": "application/json;charset=ISO-8859-1",
"content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://*.tiqcdn.com https://www.googletagmanager.com https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com/; img-src 'self' data: https://www.google-analytics.com https:; style-src 'self' 'unsafe-inline' blob:; font-src 'self' blob:; frame-src 'self' data: *; frame-ancestors 'self'; media-src *;",
"x-powered-by": "",
"keep-alive": "timeout=10",
"connection": "Keep-Alive",
"transfer-encoding": "chunked"
}
Body: {
"code": "MPERR08",
"message": "You are not privileged to request this resource.",
"access-denied": true,
"cause": "AUTHORIZATION_FAILURE"
}
Error I Recieved - Click to see
I'm using Nuxt.js framework and my WorkBox config looks like below
workbox: {
workboxURL: 'https://cdn.jsdelivr.net/npm/workbox-sw#4.3.1/build/workbox-sw.min.js',
cacheAssets: false,
offline: false,
runtimeCaching: [
{
urlPattern: '^/$|/(?:about|contact)$',
handler: 'cacheFirst',
strategyOptions: {
cacheName: 'test-cache-v1',
cacheExpiration: {
maxEntries: 5,
maxAgeSeconds: 10
}
}
},
{
urlPattern: '/.*',
handler: 'networkOnly',
},
]
}
Here urlPattern: '^/$|/(?:about|contact)$' suppose to match all 3 requests:
/
/about
/contact
But only /about and /contact is matched and / is being handled by next cache strategy urlPattern: '/.*' which is networkOnly.
Not sure why WorkBox is not able to handle / request in cacheFirst strategy
This what ServiceWork.js file content looks like
workbox.routing.registerRoute(new RegExp('^/$|/(?:about|contact)$'), workbox.strategies.cacheFirst({"cacheName":"test-cache-v1","cacheExpiration":{"maxEntries":5,"maxAgeSeconds":10}}), 'GET')
workbox.routing.registerRoute(new RegExp('/.*'), workbox.strategies.networkOnly({}), 'GET')
WorkBox is running RegExp on event.request.url which returns full URL like http://localhost:3000 instead of relative path.
So wildcard ^/$ was not able to handle the request. I fixed the issue by replacing my RegExp from ^/$ to ^http://localhost:3000[/]?$
I'm trying to enable HTTPS on my AWS EC2 instance that is being deployed using Elastic Beanstalk. The documentation to do this requires you to add this snippet in a directory .ebextensions/https-instance.config in the root directory of your app. I had to replace certificate file contents and private key contents with my certificate and key, respectively. I initially received an incorrect format error so I converted the snippet they provided to JSON and re-uploaded it -
{
"files": {
"/etc/httpd/conf.d/ssl.conf": {
"owner": "root",
"content": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n<VirtualHost *:443>\n <Proxy *>\n Order deny,allow\n Allow from all\n </Proxy>\n\n SSLEngine on\n SSLCertificateFile \"/etc/pki/tls/certs/server.crt\"\n SSLCertificateKeyFile \"/etc/pki/tls/certs/server.key\"\n SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n SSLProtocol All -SSLv2 -SSLv3\n SSLHonorCipherOrder On\n \n Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains; preload\"\n Header always set X-Frame-Options DENY\n Header always set X-Content-Type-Options nosniff\n \n ProxyPass / http://localhost:8080/ retry=0\n ProxyPassReverse / http://localhost:8080/\n ProxyPreserveHost on\n \n</VirtualHost>\n",
"group": "root",
"mode": "000644"
},
"/etc/pki/tls/certs/server.crt": {
"owner": "root",
"content": "-----BEGIN CERTIFICATE-----\ncertificate file contents\n-----END CERTIFICATE-----\n",
"group": "root",
"mode": "000400"
},
"/etc/pki/tls/certs/server.key": {
"owner": "root",
"content": "-----BEGIN RSA PRIVATE KEY-----\nprivate key contents # See note below.\n-----END RSA PRIVATE KEY-----\n",
"group": "root",
"mode": "000400"
}
},
"container_commands": {
"killhttpd": {
"command": "killall httpd"
},
"waitforhttpddeath": {
"command": "sleep 3"
}
},
"packages": {
"yum": {
"mod_ssl": []
}
}
}
The deployment aborts with the error -
[Instance: i-0x012x0123x012xyz] Command failed on instance. Return code: 1 Output: httpd: no process found. container_command killhttpd in my-app-name/.ebextensions/https-instance.config failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.
I can tell that the error is being caused due to container_commands key which stops httpd after the configuration so that the new https.conf and certificate can be used. It tells me that it's trying to kill httpd but it can't find any such process running. service httpd status shows that httpd.worker (pid 0123) is running and I can also access my app online. /var/log/eb-activity.log also has nothing logged in it.
I've seen a few others post the same problem online but I could not find any solutions to it. Is there something that I'm doing wrong here?
You ebextensions is trying to execute killall httpd, but your process is called httpd.worker.
Change the line in the ebextensions to be killall httpd.worker.
The following API call to RabbitMQ:
http -a USER:PASS localhost:15001/api/queues/
Returns a list of queues:
[
{
...
"messages_unacknowledged_ram": 0,
"name": "foo_queue",
"node": "rabbit#queue-monster-01",
"policy": "",
"state": "running",
"vhost": "/"
},
...
]
Note that the vhost parameter is /.
How do I use a / vhost for the /api/queues/vhost/name call, which returns the details for a specific queue?
I have tried:
localhost:15001/api/queues/\//foo_queue
localhost:15001/api/queues///foo_queue
But both failed with 404 Object Not Found:
URL Encoding did the trick. The URL should be:
localhost:15001/api/queues/%2F/foo_queue
⬆⬆⬆
For the record, I think that REST resources should not be named /, especially not by default.