I have a meta tag with the following directive inside of it:
<meta http-equiv="Content-Security-Policy" content="base-uri 'self'; script-src 'self' 'sha256-s5EeESrvuQPpk2bpz5I3zn/R8Au2DYB1Z+YUH9p0fUE=' 'sha256-PYYfGnkbZ44B9ZBpgv8NbP3MXT560LMfrDSas2BveJo=';">
I then have 2 inline scripts further down the page, each which should match one of the generated shas in the policy.
In Chrome and Firefox, I get no complaints and my scripts run as expected.
In Safari Version 11.0.3 (13604.5.6), I get the following error:
Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy
and I am confused as to why!
Unfortunately, I am unable to produce a minimum reproducible repo with the issue inside of it - smaller examples work in Safari for me, so it leads me to believe it's to do with something specific in my app, possibly related to the second thing I have tried below.
Any help would be much appreciated!
Things I have tried:
Are hashes supported?
According to this Stack Overflow post and the Safari release notes, CSP 2.0 which supports hashes was implemented in Safari 10
Correct charset?
Previously, I was seeing issues because I was calculating the hashes based on a UTF-8 charset, but was outputting the JS to the browser without a charset meta tag in place. Special characters in my JS were being mangled and were causing differences in the shas when the browser tried calculating them.
I don't believe this is affecting me now since Chrome and Firefox see no issues, but maybe I'm wrong here?
unsafe-inline for Safari, and then allow hashes to override that in Chrome and Firefox?
According to the CSP spec, unsafe-inline is ignored if a hash or nonce is present. Safari 11 also adheres to this, so adding the unsafe-inline keyword has no effect
Turns out this was a charset issue.
I managed to get a minimal reproducible issue (after some trial and error, and a lot of luck!) and found that one of my characters had a different sha before and after it was rendered in Safari.
Before it was rendered in Safari, the character was the following:
After Safari had rendered the character, it was the following (even in the source of the code):
Strangely, Chrome and Firefox both don't have this issue, so it either must be Safari normalizing the character after it has rendered, or a difference in when the sha256 hashes are calculated between the browsers.
The solution was to turn off character compression in UglifyJS so that the character stays as \uF900 instead of being compressed to the single character in the picture above.
I achieved this with the following option in my webpack.config.js file:
new UglifyJsPlugin({
uglifyOptions: {
output: {
// necessary to stop the minification of escaped unicode sequences into their actual chars.
// some unicode breaks CSP checks in safari
ascii_only: true,
},
},
}),
I have reported this to Apple to see if they will consider fixing this.
Another solution would be to make sure the strings in your script are normalized. This can be achieved in JavaScript using String.normalize.
Normalization ensures each Unicode character is represented in its canonical (NFC) form, which seems to make the CSP hash comparison in Safari work. So if you're dealing with any kind of text which could be using accents, non-Latin scripts etc., it's a good idea to normalize the strings.
Related
Note: Before asking i searched some on embedding but couldn't get exactly what i wanted.
I have a resume file in the pdf format that i would like to display in my website without storing anywhere like google or other but on my own. I have static website [which i made using Jekyll] lets say https://www.example.com and what i actually need is to display my resume accessible in the following link https://www.example.com/resume
Some of them have long permalinks and i actually hate them. (Just saying)
Upload the PDF into the website's / or assets/ directory.
To make a link for HTML:
CV
To make a link for Markdown:
[CV](<PATH>/cv.pdf)
On Chrome, this has been around for a long time and plagues webdevs to this day. There seem to be no plans to change that anytime soon because that's just the way it was built. Chrome behaves slightly different when not online, so offline/local-testing will not always produce expected result.
My answer to you, for this question, is a suggestion. In order to make it cross-browser compatible, your mode of implementation should be:
Modal or,
Lightbox
Whether or not you are using a SSG should not matter here. Look for a bootstrap or material implementation.
On the client-side, it is possible with extension. I reckon this isn't helpful to you; but I'm including this information for future readers.
We are testing the Imageresizer.net and have found that the Preset Plugin seems to only work with width and height parameters and completely ignores the mode parameter i.e. mode=crop.
Is this a bug or simply not supported.
Many thanks
It is supported, but know that the presets settings and defaults values must be valid command/querystrings. Spaces or typos in the command string will cause that command (and potentially the rest) not to function.
I have a XML String with in the <xml> tags in a .jsp file and I am trying to load that xml using xmldoc.Load(document.all("Info")) and it is giving an error
Invalid procedure call or argument
but everything works in Ie9. When I inspect the document.all("Info") it says
Object UnknownHTMLElement in IE 10 and Object in IE9.
here is the code snippet which I used
var xmldoc=new ActiveXObject("MSXML2.DOMDocument.3.0");
boolXMLLoaded=xmldoc.load (document.all("UserInfo"))
<xml id=UserInfo>`
<?xml version='1.0'?><RESPONSES UserName=" DOUGLAS ................
</xml>
Any help is greatly appreciated..
The reason your code doesn't work in newer IE versions is because you're using obsolete (very very obsolete) code. You need to update to modern web standards if you expect modern browsers (including IE10) to work.
Two issues are obvious immediately:
document.all has been deprecated for years; you shouldn't be using it -- it is non-standard and only still exists to allow backward-compatibility with ancient versions of IE (eg IE5). Modern IE versions won't like it, and it definitely doesn't work on browsers other an IE.
In most cases, if you're trying to reference an element by ID (as in this case), you should use document.getElementById() instead.
Further info from Mozilla Developer Network.
new ActiveXObject("MSXML2.DOMDocument.3.0") is also non-standard and deprecated, and also shouldn't be used in modern browsers. Again, it is IE-specific, and was replaced from IE7 onward with the web standards alternative.
You should replace it with document.implementation.createHTMLDocument();. See also the anwsers here.
If you need to support IE6 or earlier then you can detect whether the browser supports the standard syntax and provide a fall back to the old ActiveX control only for old IE versions.
Given that the tiny bit of code you've shown us is using two obvious and well known features that are so badly out-of-date, I would expect to see more problems of a similar nature if we were to see more of your code. Because of this, I would recommend posting some of your code on SO's sister site https://codereview.stackexchange.com/ to get some additional feedback on how you can improve it.
Hope that helps.
var xmldoc= new ActiveXObject("Microsoft.XMLDOM");
replace this in place of
var xmldoc=new ActiveXObject("MSXML2.DOMDocument.3.0");
and try it again
When I use form helper with GET action, the resulting url shows utf8=✓.
It was caused by rails adding a hidden input utf8. My question is is it possible to remove this?
Why do you want to remove that field? According to this Rails Guides article it's quite useful and helps to overcome issues with some browsers (IE, I believe).
The first input element with name utf8 enforces browsers to properly
respect your form’s character encoding and is generated for all forms
whether their actions are “GET” or “POST”.
See this answer for a nice explanation about why you might need that parameter (previously snowman character was used instead of check mark).
In Safari & Webkit, using only border-radius seems to work without adding the prefix -webkit- to it. Is it okay to leave -webkit- prefix for border-radius?
You miss the point of validation. You validate to avoid errors! These include: unsafe browser extensions, hacks, ie-hacks, and actual errors. By no means should you validate to make your code less cross-browser functional.
You should be aware there are such things as expected errors, and even valid code works with those. Browser extensions like -moz-, -webkit-, and -o- are expected errors. All browsers are designed to drop unknown rules. This is how CSS allows for backwards compatibility. A CSS2 supporting browser will drop the CSS3 border-radius rule. Being valid or invalid doesn't have anything to do with it, and by no means will any browser just break because of it (fortunately for us the idea of turning CSS into XML was squashed and never saw the light of day). Opera will drop -moz- rules and Firefox will drop -o- rules, this is not a error. This is expected behavior:
An initial dash or underscore is guaranteed never to be used in a property or keyword by any current or future level of CSS. Thus typical CSS implementations may not recognize such properties and may ignore them according to the rules for handling parsing errors. However, because the initial dash or underscore is part of the grammar, CSS 2.1 implementers should always be able to use a CSS-conforming parser, whether or not they support any vendor-specific extensions.
The w3c even defines how to write these "Vendor-specific extensions". The following are the current extensions well known ones:
-ms-, mso- Microsoft
-moz- Mozilla
-o-, -xv- Opera Software
-webkit- Apple
-khtml- KDE
There are also some you might have never even heard of:
-atsc- Advanced Television Standards Committee
-wap- The WAP Forum
Browsers implement draft-stage or partial implementations (ie. browser supports X, Y but not Z) of CSS rules, as extensions. This way they prevent any change in the spec from breaking previous versions of the browser. There have been cases where browsers have gone gun happy and implemented them as non-extensions, and the usual result has always been said browser has shot themselves in the foot, things like: "browser XXX version YYY has bad implementation of [...]". Most notably IE stands at the no.1 spot on this, but other browsers too have successfully managed to shoot themselves in the foot. When a draft becomes standard and the browser fully (or sufficiently) implements the spec, a rule is created with out the -xxx- prefix.
In recent years, all major browsers have adopted this as a de facto standard.
How and when to use -xxx- browser extensions? As usual the best practice is to design using only standards compliant code in the most advanced browser you have at your disposal then add all the safe extensions. Out of the extensions use the ones based on w3c standards or current working drafts. Don't use dropped standards/drafts or browser wannabe-standards (ie. some of the old Firefox ones). Also avoid any sort of tinkering rules unless it has a stable fallback.
In the case of the border-radius rule you have a stable fallback.
How to keep both form and function? In my opinion most people are not bothered by the "ohmygosh it's not valid" but rather the fact they are forced to write multiple rules for the same line. A simple solution to this is to use a template system. There are quite a few out there for CSS, as the problem of keeping your code DRY is a persistent one.
The are many many many different implementations out there. The basic idea though is to solve the problem using a mixin (ie. function):
=border-radius(!radius)
-moz-border-radius= !radius;
-webkit-border-radius= !radius;
-khtml-border-radius= !radius;
border-radius= !radius;
We can now write this everywhere:
.stuff
+border-radius(15px);
This code is much more flexible then just writing border-radius: 15px and hoping for the best. It's also maintainable (what no element should have more then 10px border radius? no problem).
You may run into css validation errors by doing so. - prefixed properties are regarded as optional extenstions, and thus have a lesser likelihood of causing problems.
I would suggest you keep the -webkit just incase, some browsers (IE) don't play nice when HTML/CSS don't validate. This is known as quirks mode.
border-radius supports safari 5 and later. -webkit-border-radius supports safari 3 and later.
So if you wish to have support for safari 3+ you have to use -webkit-border-radius