Seems like Safari has a very strong restriction on CSP. For example, on GitHub, most of the userscripts and extensions don't work because of that.
I got such an error from the console.
[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy. (pulls, line 0)
How can I stop CSP check in Safari?
I've got a JavaScript bookmarklet that prompts for a bookmark name, then using XMLHttpRequest, POSTs the name and current page URL to a Java servlet running in Tomcat on localhost. The servlet stores the name and URL in a DB. This works fine for most webpages, but fails if the page that's currently loaded has added Content Security Policy "connect-src" restrictions.
Here's the error: Refused to connect to 'http://localhost:8080/MyServlet' because it violates the following Content Security Policy directive: "connect-src 'self'
I obviously don't want to disable CSP completely. And since I won't know if I want to bookmark the page until it's fully loaded, anything that tinkers with CSP in the response headers or meta tags is doing the work too soon.
Is there some way I can tell the browser to ignore the "connect-src" restriction for just my localhost case, or disable/enable it on either side of my XMLHttpRequest POST?
I'm in Chrome "90.0.4430.72 (Official Build) (64-bit)".
Our application was working just fine, but recent changes in Safari caused our application to break.
Safari 13.1 starts blocking applications embedded in Shopify using an iframe.
The error it throws is:
refused to load https://xxdddddd.com/admin/auth/login because it does not appear in the frame-ancestor directive of content security policy.
We tried all sorts of content security policies; Chrome and Firefox work just fine, but Safari always breaks.
We removed that header altogether.
We even added:
header("Content-Security-Policy: frame-ancestors * 'unsafe-inline' 'unsafe-eval' img-src * data:");
header("Sec-Fetch-Dest: iframe");
header("Sec-Fetch-Mode: navigate");
header("Sec-Fetch-Site: cross-site");
We tried all sorts of combinations, but it failed every time in Safari. I can find that several other applications work just fine in embedded mode in Shopify and Safari 13.1, so it definitely means it is possible.
One thing I noticed is that the URL needs to be changed post authorization, and in our case it is not changing as Safari blocks, but in other applications it changes the URL in the browser. However, I found nothing different in their code using view-source. I tried to replicate all headers as well. They are giving, but nothing worked.
Your CSP frame-ancestors * 'unsafe-inline' 'unsafe-eval' img-src * data: is completely wrong:
directive blocks should be comma-separated
the frame-ancestors directive does not support the 'unsafe-inline' and 'unsafe-eval' tokens,
The correct CSP syntax should look like frame-ancestors *; img-src * data:;
But the paradox is that this wrong CSP does allow frame-ancestors from any sources. After removing all unsupported sources, the effective CSP is frame-ancestors * data: in your case.
The error:
refused to load https://xxdddddd.com/admin/auth/login because it does not appear in the frame-ancestor directive of content security policy.
confuses two things:
the phrase in the frame-ancestor directive contains a wrong directive name (the s is omitted at the end of the directive name). Is this a real Safari browser error?
the /admin/auth/ part: is this really a publicly accessible URL? Or does this error appear in the administrator script, which could have other CSP rules?
You say that in Chrome and Firefox all worked fine, but the frame-ancestors * 'unsafe-inline' 'unsafe-eval' img-src * data: rules disallow loading images from any source.
So it's possible you are editing one CSP header, but the app really has another. If you are familiar with the Safari browser console, you could check the real CSP HTTP header delivered to the app's page.
Anyway, here you could test whether Safari 13.1 supports * in frame-ancestors (I can't do that due to the absence of a Safari browser). It will rule out a bug in the current browser version.
I have a web page that contains an iframe. The iframe is loaded with a URL call to the same server as the page. However, I get this, because I am apparently using a different port, 81:
Refused to frame 'http://my-same-server:81/' because it violates the following Content Security Policy directive: "frame-src 'self' https://*".
I realize this is a Content Security Policy issue for newer Chrome browser versions, and know that I need to change an Apache header, but am not sure to what I would change it to allow the iframe to properly load. The URL cannot use HTTPS, otherwise there are no special conditions. Any help would be grand. Thank you.
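The three questions above (the bookmarklet blocked by connect-src 'self', the Shopify frame-ancestors header, and the iframe on port 81) all come down to how a browser matches a URL against a CSP source list. The following is an added example, not code from any of the posts: a small Python matcher that splits a policy into directives (on ';', as the CSP grammar and the corrected header in the answer above use), evaluates 'self', '*', scheme sources and host sources, and reports the quoted keywords that a frame directive ignores. The page URL, server names and headers fed to it are constructed from the posts; the fallback table and the strict same-port rule for 'self' are a simplification of the spec (CSP3 additionally lets an http page's 'self' match its https upgrade).

```python
"""Constructed CSP source-list matcher (added example, not from the posts above).

Shows why 'self' rejects a different port, why connect-src 'self' blocks
localhost:8080, and which keyword tokens a frame directive throws away.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Quoted keywords that actually mean something in frame-src / frame-ancestors.
FRAME_KEYWORDS = {"'self'", "'none'"}

# Where a browser looks when a directive is absent; frame-ancestors never falls back.
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "connect-src": ["default-src"],
    "script-src": ["default-src"],
    "img-src": ["default-src"],
    "frame-ancestors": [],
}


def parse_csp(header: str) -> dict:
    """Split a policy value into {directive: [source, ...]}; directives are ';'-separated."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def unsupported_keywords(directive: str, sources: list) -> list:
    """Quoted keywords that browsers drop from a frame directive's source list."""
    if directive not in ("frame-src", "frame-ancestors", "child-src"):
        return []
    return [s for s in sources if s.startswith("'") and s not in FRAME_KEYWORDS]


def origin_parts(url: str) -> tuple:
    """(scheme, host, effective port) of a URL; default port filled in from the scheme."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def matches_source(source: str, url: str, page_url: str) -> bool:
    """Does one source expression match url, seen from the page at page_url?"""
    scheme, host, port = origin_parts(url)
    page_scheme = origin_parts(page_url)[0]
    if source == "'none'":
        return False
    if source == "'self'":
        # Same scheme, host AND port: http://h/ and http://h:81/ are different origins.
        return (scheme, host, port) == origin_parts(page_url)
    if source == "*":
        return scheme in DEFAULT_PORTS
    if source.endswith(":") and "/" not in source:      # scheme-source: https: or data:
        return scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here.
    if "://" in source:
        src_scheme, _, rest = source.partition("://")
        src_scheme = src_scheme.lower()
    else:
        src_scheme, rest = page_scheme, source   # no scheme given: the page's scheme applies
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    src_host = src_host.lower()
    if scheme != src_scheme:
        return False
    if src_host.startswith("*."):
        host_ok = host.endswith(src_host[1:])   # *.example.com, not example.com itself
    else:
        host_ok = src_host == "*" or host == src_host
    if not host_ok:
        return False
    if src_port == "*":
        return True
    expected = int(src_port) if src_port else DEFAULT_PORTS.get(src_scheme)
    return port == expected


def allowed(policy: dict, directive: str, url: str, page_url: str) -> bool:
    """Evaluate a directive, walking the browser's fallback chain if it is absent."""
    for name in [directive, *FALLBACK.get(directive, ["default-src"])]:
        if name in policy:
            return any(matches_source(s, url, page_url) for s in policy[name])
    return True  # no governing directive: this policy does not restrict the load


if __name__ == "__main__":
    page = "http://my-same-server/"                       # constructed, from the question
    strict = parse_csp("frame-src 'self' https://*")
    print(allowed(strict, "frame-src", "http://my-same-server:81/", page))   # False
    fixed = parse_csp("frame-src 'self' https://* http://my-same-server:81")
    print(allowed(fixed, "frame-src", "http://my-same-server:81/", page))    # True
    broken = parse_csp("frame-ancestors * 'unsafe-inline' 'unsafe-eval' img-src * data:")
    print(unsupported_keywords("frame-ancestors", broken["frame-ancestors"]))
```

Note that in the Shopify header the bare word img-src is parsed as a host-source (a host literally named img-src) because the directive separator was never reached; the unsupported_keywords call only reports the quoted tokens that the answer says are meaningless in frame-ancestors.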
So I implemented CSP for my web app and it works perfectly fine in Chrome. All inline scripts with nonce are executed; and the ones without it are not executed.
In Safari however, this is the message I see in the console:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-fbe23fb21d40c38e8df7c0a16357dd3ec4be86ca233cb41206ac5f897cf9a103''. It will be ignored.
Header:
Content-Security-Policy script-src 'nonce-cb28e5c8a2b833169bb8d1fa686f659fed9b3bf8ea52b86916bcaf20a04b3209' 'self'
None of the inline scripts are executed, even the ones with nonce.
Safari does not yet support nonces (please bug your local webkit representative to support this) but Firefox and Chrome have implemented the standard behavior which is backwards compatible. Namely, if a nonce is present then 'unsafe-inline' is ignored.
Send both 'unsafe-inline' and your nonce and you will get the desired behavior. Safari will complain about the "unknown source value" but it will work as intended.
See http://www.w3.org/TR/CSP2/#directive-script-src
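The first question on this page (the "hash, nonce, or 'unsafe-inline'" error) and the answer just above both turn on the CSP2 rule that a nonce or hash in script-src switches 'unsafe-inline' off, while a browser that does not know nonces drops the token and falls back to 'unsafe-inline' alone. The following is an added example, not code from the posts or from WebKit: it generates a per-response nonce and a 'sha256-…' hash token the way a server would, builds the combined header value the answer recommends, and simulates the inline-script decision for a nonce-aware browser and a nonce-unaware one. The browser_supports_nonce flag and the sample header values are constructed for the demonstration.

```python
"""Constructed example (added here, not from the posts): script-src with a nonce
plus 'unsafe-inline', evaluated as a nonce-aware and a nonce-unaware browser would."""
import base64
import hashlib
import re
import secrets

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_-]+=*)'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/_-]+=*'$")


def make_nonce() -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def hash_source(inline_script: str) -> str:
    """'sha256-...' token for an inline script body (exactly the text between the tags)."""
    digest = hashlib.sha256(inline_script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(nonce: str, extra=("'self'",)) -> str:
    """Header value the answer recommends: the nonce plus 'unsafe-inline' as fallback."""
    return " ".join(["script-src", f"'nonce-{nonce}'", "'unsafe-inline'", *extra])


def inline_script_allowed(directive: str, script_nonce=None, script_body=None,
                          browser_supports_nonce=True) -> bool:
    """Would an inline <script> run under this script-src directive?"""
    sources = directive.split()
    if sources and sources[0] == "script-src":
        sources = sources[1:]
    if not browser_supports_nonce:
        # A browser without nonce support treats 'nonce-...' as an unknown source
        # value and drops it (the warning in the question), so it never counts.
        sources = [s for s in sources if not NONCE_RE.match(s)]
    nonces = [m.group(1) for s in sources if (m := NONCE_RE.match(s))]
    hashes = [s for s in sources if HASH_RE.match(s)]
    if nonces or hashes:
        # CSP2 rule: once a nonce or hash is present, 'unsafe-inline' is ignored and
        # only a matching nonce attribute or a matching body hash lets the script run.
        if script_nonce is not None and script_nonce in nonces:
            return True
        return script_body is not None and hash_source(script_body) in hashes
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    nonce = make_nonce()
    header = build_script_src(nonce)
    print("Content-Security-Policy:", header)
    for supports in (True, False):
        label = "nonce-aware browser" if supports else "nonce-unaware browser"
        with_nonce = inline_script_allowed(header, script_nonce=nonce, browser_supports_nonce=supports)
        without = inline_script_allowed(header, browser_supports_nonce=supports)
        print(f"{label}: nonced script runs={with_nonce}, un-nonced script runs={without}")
```

The simulation makes the trade-off explicit: with both tokens in the header, a nonce-aware browser runs only the nonced scripts, while a nonce-unaware browser runs every inline script, nonced or not, because 'unsafe-inline' is all it sees. That is what "it will work as intended" costs on such a browser; a header carrying only the nonce runs nothing inline there, which is the symptom in the question.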
According to this documentation I should be able to include <script src="https://sandbox.google.com/checkout/inapp/lib/buy.js"></script> in html of my packaged app, but I received an error:
Refused to load the script 'https://sandbox.google.com/checkout/inapp/lib/buy.js' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Also I've tried to attach buy.js (which I just copied from mentioned url) but it also produces an error in buy.js:
Refused to frame 'https://checkout.google.com/inapp/frontend/app/payments.html?formFactor=DES…extension://ihligbifffjddjffdiapccakkdglodcj&rti=i:48847aba&rt=o:-519cd794' because it violates the following Content Security Policy directive: "frame-src 'self' data: chrome-extension-resource:".
What is the problem here?
You're doing it wrong. This buy.js is a simple cross-app messaging script which talks to internal Google In-App Application inside Chrome.
You must package the buy.js library with your app, and load the library from its location in your package.
Check this for more info