Refused to execute a script - X-XSS-Protection in Safari

Hello,
Recently I got this error in the console:
The XSS Auditor refused to execute a script in because its source
code was found within the request. The auditor was enabled because the
server did not send an 'X-XSS-Protection' header.
I was reading the questions here about getting the same response, but I don't think it is my issue. Here is what I got:
Admin panel -> Edit product (example.com/admin/produkty/upravit/10)
text inputs
textareas + ckeditor
ckfinder
After submitting the form (form action: example.com/admin/produkty/upravit/10)
I put everything into DB and then do redirect to (example.com/admin/produkty/zobrazit)
I don't see any similarities with the questions asked here.
What's more, I get it only at a few products. Some are working OK, some are not, but there is no or any other HTML tags.
What's even MORE, I got it at the dev subdomain and it is working OK there. So I am out of ideas....
Just one more test: it is doing this only in Safari. Working in Chrome without problems.

You need to set the X-XSS-Protection header to specify how the auditor should behave. Possible values to set:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1
X-XSS-Protection: 0
Depending on your needs you may consider disabling it, which is the last option, but be aware of the security implications of disabling the XSS Auditor.
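To make the three values concrete, here is an added example (not part of the answer above) that maps an X-XSS-Protection value to the behaviour the auditor would take: header absent means the browser's default (an enabled auditor, which is exactly what the asker's console message says), 0 disables it, 1 enables it in sanitising mode, and mode=block makes it refuse the whole page. The report= directive is also parsed. Note that Chrome and Edge have since removed the auditor altogether, so this header only matters for legacy clients; Content-Security-Policy is the current mechanism.

```python
"""Classify how a legacy XSS Auditor treats a response from its
X-XSS-Protection header.  Added example, not from the original answer."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuditorMode:
    enabled: bool
    block: bool
    report_uri: Optional[str]
    explicit: bool  # True when the server actually sent the header


def parse_x_xss_protection(value: Optional[str]) -> AuditorMode:
    """Return the auditor behaviour implied by an X-XSS-Protection value.

    None (header absent) means the browser falls back to its default, which in
    the asker's case was an enabled auditor that refused to run the script.
    """
    if value is None:
        return AuditorMode(enabled=True, block=False, report_uri=None, explicit=False)
    # Directives are ';'-separated: "1; mode=block; report=<uri>".
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unrecognised X-XSS-Protection value: {value!r}")
    if parts[0] == "0":
        return AuditorMode(enabled=False, block=False, report_uri=None, explicit=True)
    block = False
    report = None
    for directive in parts[1:]:
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "mode" and arg.strip().lower() == "block":
            block = True
        elif name == "report":
            report = arg.strip()
        else:
            raise ValueError(f"unknown directive {directive!r}")
    return AuditorMode(enabled=True, block=block, report_uri=report, explicit=True)


def describe(headers: Dict[str, str]) -> str:
    """Case-insensitive header lookup followed by a one-line verdict."""
    value = next((v for k, v in headers.items() if k.lower() == "x-xss-protection"), None)
    mode = parse_x_xss_protection(value)
    if not mode.enabled:
        return "auditor disabled by server"
    src = "server" if mode.explicit else "browser default (header missing)"
    action = "blocks the whole page" if mode.block else "neutralises the reflected script"
    return f"auditor enabled by {src}; on a hit it {action}"


if __name__ == "__main__":
    # Constructed sample responses: the asker's situation (no header) and the three answers.
    for hdrs in ({}, {"X-XSS-Protection": "0"}, {"X-XSS-Protection": "1"},
                 {"X-XSS-Protection": "1; mode=block"}):
        print(hdrs, "->", describe(hdrs))
```

The asker's dev subdomain working while production fails is consistent with the header table: the auditor only fires when the submitted value is echoed back in the rendered page, so the same code with different product data (or a different header set per virtual host) changes the outcome.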

Related

Apache - Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser

I recently tried to update settings on the server of a non-profit website I host and ran into configuration issues regarding the Permissions Policy. I haven't found many examples of the proper use case and syntax for this setting and thus have run into errors in the Chrome console for cimarronoutdoors.org. Here is the Permissions Policy I am trying.
Header always set Permissions-Policy "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"
In the console it returns the following.
Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by strctured header parser.
I have tried only listing items from the link below and limiting it to a few to see if that might be the issue but I can't get the error to go away.
https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
Any advice on this issue would be greatly appreciated.
Server OS: Ubuntu 16.04.7 LTS
Permission Policy set in site conf file.
I found out that the scheme changed from microphone 'none'; geolocation *; payment https://*.paypal.com; to microphone=(),geolocation=*,payment=("https://*.paypal.com").
At the moment the code below is valid, so it produces neither the "We didn't detect a viable policy." on securityheaders.com nor the "Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser." in the Google Chrome console.
Keep in mind to properly escape double quotes in configs, use commas instead of semicolons (as also mentioned below) and use the "new format".
nginx.conf example:
add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()" always;
apache.conf example:
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()"
Use commas instead of semicolons as delimiters.
See example here:
https://www.w3.org/TR/permissions-policy-1/#policy-directive
The way of creating a Permissions-Policy has changed.
You have to add parentheses around lists, use commas instead of semi-colons, and add double-quotes around most strings:
fullscreen=(self 'https://example.com'), geolocation=*, camera=()
Here's a link: Appendix: Big changes since this was called Feature Policy
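The answers above all describe the same grammar change, so here is an added example (not from any of the answers) of a small checker that parses a Permissions-Policy value in the current syntax and reports the legacy Feature-Policy mistakes they mention: semicolon delimiters, 'none' and unquoted origins. It follows the structured-header grammar the answers point to, in which origins are double-quoted strings, so a single-quoted origin is reported as an error. The input is the header value as the browser receives it, i.e. after the config file's backslash escaping has been removed.

```python
"""Validate a Permissions-Policy header value in the current syntax and
flag legacy Feature-Policy syntax.  Added example, not from the thread."""
import re
from typing import Dict, List

_FEATURE = re.compile(r"^[a-z][a-z0-9-]*$")
_ORIGIN = re.compile(r'^https?://[^\s"()]+$')  # loose check of a quoted origin


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Return {feature: allowlist}; '*' becomes ['*'], '()' becomes [],
    'self' stays 'self', quoted origins are unquoted.

    Raises ValueError with an explanation for the legacy forms the answers
    warn about (semicolons, 'none', unquoted or single-quoted origins).
    """
    if ";" in value:
        raise ValueError("legacy delimiter ';' found; separate features with ','")
    policy: Dict[str, List[str]] = {}
    for item in (i.strip() for i in value.split(",") if i.strip()):
        feature, sep, allow = item.partition("=")
        feature = feature.strip()
        if not sep or not _FEATURE.match(feature):
            raise ValueError(f"expected feature=allowlist, got {item!r}")
        allow = allow.strip()
        if allow == "*":
            policy[feature] = ["*"]
            continue
        if not (allow.startswith("(") and allow.endswith(")")):
            raise ValueError(f"{feature}: allowlist must be '*' or a parenthesised list, got {allow!r}")
        parsed: List[str] = []
        for member in allow[1:-1].split():
            if member == "self":
                parsed.append("self")
            elif member in ("'none'", "'self'", "none"):
                raise ValueError(f"{feature}: {member!r} is Feature-Policy syntax; use () for none and bare self")
            elif member.startswith('"') and member.endswith('"') and _ORIGIN.match(member[1:-1]):
                parsed.append(member[1:-1])
            else:
                raise ValueError(f"{feature}: origins must be double-quoted URLs, got {member!r}")
        policy[feature] = parsed
    return policy


def serialize_permissions_policy(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_permissions_policy, producing the new-format value."""
    parts = []
    for feature, allow in policy.items():
        if allow == ["*"]:
            parts.append(f"{feature}=*")
        else:
            members = " ".join("self" if m == "self" else f'"{m}"' for m in allow)
            parts.append(f"{feature}=({members})")
    return ", ".join(parts)


if __name__ == "__main__":
    # The nginx/apache value from the answer above, with the config escaping removed.
    sample = ('accelerometer=(),autoplay=(),camera=(),fullscreen=*,geolocation=*,'
              'payment=("https://*.paypal.com" "https://*.barion.com"),sync-xhr=*')
    print(parse_permissions_policy(sample))
    for bad in ("microphone 'none'; geolocation *", "fullscreen=(self 'https://example.com')"):
        try:
            parse_permissions_policy(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running the checker over a header before deploying it catches the parse failure locally instead of in the browser console; the serializer is handy for generating the escaped config line from a dictionary kept in version control.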

Report-To header and Citrix netscalers

I am trying to configure a rewrite action on our Citrix NetScaler load balancers to add the Report-To response header, as we want to set up Network Error Logging, but I am struggling with the syntax.
The example I have is below (I add in our subdomain details) but it's failing to work. I'm confident that the process is correct as we have added an HSTS header; it's just the syntax we think is out:
This is the syntax we are using:
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://{subdomain}.report-uri.com/a/d/g"}],"include_subdomains":true}
This is the error:
Expression syntax error [^{"group":", Offset 0]
Has anyone added this header before on a NetScaler, or have an idea where we may be going wrong?
Many thanks in advance
I'm pretty sure you are not escaping the " correctly. You can directly run the commands below on the CLI to add the expression to your NetScaler:
add rewrite action insert_report_to_header insert_http_header Report-To q<"{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https:\\/\\/{subdomain}.report-uri.com\\/a\\/d\\/g\"}],\"include_subdomains\":true}">
add rewrite policy report-to-header true insert_report_to_header
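Whatever the load balancer's quoting rules, what has to come out the other end is a single JSON object with these fields, which is where the escaping errors show up. As an added example (not from the question or the answer, and not NetScaler syntax), the following builds the Report-To value with the JSON library so the quotes are escaped correctly, and checks a candidate value for the things a browser needs: valid JSON, a non-negative max_age, and https endpoint URLs. The {subdomain} placeholder from the question is kept as a placeholder.

```python
"""Build and sanity-check a Report-To header value.  Added example, not
from the original thread; the NetScaler q<...> quoting is not reproduced."""
import json
from typing import List
from urllib.parse import urlsplit


def build_report_to(group: str, endpoints: List[str], max_age: int = 31536000,
                    include_subdomains: bool = False) -> str:
    """Serialise with json.dumps so every quote is escaped by the library,
    not by hand."""
    value = {"group": group, "max_age": max_age,
             "endpoints": [{"url": u} for u in endpoints],
             "include_subdomains": include_subdomains}
    return json.dumps(value, separators=(",", ":"))


def check_report_to(value: str) -> List[str]:
    """Return a list of problems; an empty list means the value looks usable."""
    problems: List[str] = []
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err}"]
    if not isinstance(obj, dict):
        return ["top level must be a JSON object"]
    if not isinstance(obj.get("max_age"), int) or obj["max_age"] < 0:
        problems.append("max_age must be a non-negative integer")
    endpoints = obj.get("endpoints")
    if not isinstance(endpoints, list) or not endpoints:
        problems.append("endpoints must be a non-empty array")
    else:
        for ep in endpoints:
            url = ep.get("url") if isinstance(ep, dict) else None
            parts = urlsplit(url) if isinstance(url, str) else None
            # Reports carry request details, so the collector must be https.
            if parts is None or parts.scheme != "https" or not parts.netloc:
                problems.append(f"endpoint url must be an https URL, got {url!r}")
    if "include_subdomains" in obj and not isinstance(obj["include_subdomains"], bool):
        problems.append("include_subdomains must be true or false")
    return problems


if __name__ == "__main__":
    # {subdomain} is the placeholder from the question, not a real host.
    header = build_report_to("default", ["https://{subdomain}.report-uri.com/a/d/g"],
                             include_subdomains=True)
    print("Report-To:", header)
    print("problems:", check_report_to(header))
    # A value that lost a closing brace during escaping, constructed for the demo.
    print("problems:", check_report_to('{"group":"default","max_age":31536000'))
```

The "Expression syntax error [^{"group":", Offset 0]" in the question is the NetScaler parser stopping at the very first unescaped quote; pasting the produced value through the answer's escaped form and running check_report_to on what the server actually emits (for example from a curl -I capture) confirms the header survived the rewrite intact.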

Struggling with net::ERR_INCOMPLETE_CHUNKED_ENCODING on production site of my Symfony2+PHP5.6+Apache 2.4.x app

We face the "net::ERR_INCOMPLETE_CHUNKED_ENCODING" errors on our production site and can't find any working solution. StackOverflow is full of questions on this subject and we tried this and that, but no working solution was found. Our system is based on Symfony2 + PHP 5.6 + Apache 2.4.x running on CentOS 7.
Symptoms are that the app is working fine when the server starts... but after some time the browser reports "net::ERR_INCOMPLETE_CHUNKED_ENCODING" errors and doesn't show certain pages (because they are loaded incompletely). Restarting Apache fixes this for some time, but it appears again soon. StackOverflow contains a lot of different hints that don't help us to understand the source of the problem. Can anyone give us some REAL hint here?
After further investigation I found out that the server sends incorrect Content-Length information to the browser for some reason, and that's the source of the error.
To adjust this I enabled content gzipping by adding 'SetOutputFilter DEFLATE' to the Apache config file; see details here http://httpd.apache.org/docs/2.4/mod/mod_deflate.html . This simple setting caused the 'ERR_INCOMPLETE_CHUNKED_ENCODING' error to disappear and the apps are working correctly for now. What's more, by gzipping the content the bandwidth dropped significantly.
In the context of a Controller in Drupal 8 (works for the Symfony Framework as well) this solution worked for me:
use Symfony\Component\HttpFoundation\Response;

// $form_markup holds the rendered page; build the response as usual.
$response = new Response($form_markup, 200, array(
    'Cache-Control' => 'no-cache',
));
// Declare the body length explicitly (strlen counts bytes) so the server
// has no reason to fall back to Transfer-Encoding: chunked.
$content = $response->getContent();
$contentLength = strlen($content);
$response->headers->set('Content-Length', $contentLength);
return $response;
Otherwise the response header 'Transfer-Encoding' gets the value 'chunked'. This may be a problem for some browsers.
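The two answers above are two ways of avoiding the same failure: a chunked body whose terminating zero-length chunk never arrives, or a Content-Length that does not match the bytes sent. As an added example (not from the thread) the following shows both framings in Python: Content-Length computed in bytes rather than characters, and a chunked encoder/decoder in the RFC 7230 wire format whose decoder raises on exactly the truncated stream a browser reports as ERR_INCOMPLETE_CHUNKED_ENCODING.

```python
"""Frame an HTTP body with Content-Length or chunked transfer coding and
detect a truncated chunked stream.  Added example, not from the thread."""
from typing import Dict


def content_length_headers(body: str, encoding: str = "utf-8") -> Dict[str, str]:
    """Content-Length counts bytes, not characters: encode before measuring.
    Using len(body) on a str with non-ASCII text under-reports the length."""
    raw = body.encode(encoding)
    return {"Content-Length": str(len(raw))}


def chunk_encode(body: bytes, chunk_size: int = 8) -> bytes:
    """chunk = chunk-size (hex) CRLF chunk-data CRLF; ends with last-chunk '0'."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += f"{len(piece):x}\r\n".encode("ascii") + piece + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk followed by an empty trailer section
    return bytes(out)


def chunk_decode(stream: bytes) -> bytes:
    """Reassemble a chunked body.  Raises ValueError when the stream ends
    before the zero-length chunk: this is the 'incomplete' condition."""
    pos = 0
    body = bytearray()
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("incomplete chunked encoding: chunk-size line missing")
        size_field = stream[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(body)  # trailers, if any, are ignored here
        if len(stream) < pos + size + 2 or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("incomplete chunked encoding: chunk data truncated")
        body += stream[pos:pos + size]
        pos += size + 2


if __name__ == "__main__":
    page = "<p>Přehled produktů</p>"  # constructed sample with non-ASCII characters
    print(len(page), "chars but", content_length_headers(page))
    wire = chunk_encode(page.encode("utf-8"), chunk_size=10)
    print(chunk_decode(wire).decode("utf-8"))
    try:
        chunk_decode(wire[:-5])  # drop the terminating chunk, as a dying worker would
    except ValueError as err:
        print("browser would report:", err)
```

In the Apache case from the question the truncation happens server-side (a PHP worker that stops writing before the last chunk), which is why the symptom only appears after some uptime and goes away on restart; enabling mod_deflate changed the output filter chain and the framing with it. The Content-Length route fixes the framing directly but only works when the whole body is known before the first byte is sent.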

Express.js: how to get assets gzipped

I use the compress() middleware, and put it first in configure().
var oneMonth = 30 * 24 * 60 * 60 * 1000; // maxAge is in milliseconds (value assumed)
app.configure('all', function(){
  app.use(express.compress()); // must be registered before static so its output is gzipped
  ...
  // the options object belongs to express.static(), not to app.use()
  app.use(express.static('public', { maxAge: oneMonth }));
})
How do I check that my content is gzipped? I've got a fricking strange situation:
1) On my dev machine: I request localhost:4000/mystyle.css - I DON'T see Content-Encoding: gzip
2) When I deploy it on production, if I request the file itself, mydomain.com/mystyle.css - I SEE Content-Encoding: gzip
3) I request mydomain.com and look in Network in Chrome dev tools, find mystyle.css there, and there I DON'T see Content-Encoding: gzip
4) I use different services to check if my content is gzipped; some say that it IS, some that it IS NOT.
WTF? Can someone explain?
Your issue is your use of app.configure. This is largely deprecated, but you're specifically using it such that you're looking for an all environment.
The documentation explains: "This method remains for legacy reason, and is effectively an if statement as illustrated in the following snippets."
Instead, just use app.use without wrapping the calls in a configure statement.
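The question also asks how to check that content is really gzipped, and third-party checkers disagreeing is a good reason not to rely on them. Here is an added example (not from the thread, and independent of Express) that inspects a raw HTTP response: it compares the Content-Encoding header with the body's gzip magic bytes, actually decompresses the body, and reports whether Vary: Accept-Encoding is present. The sample responses are constructed inline; in practice the bytes come from a socket or a saved capture.

```python
"""Verify that an HTTP response really is gzip-compressed.  Added example,
not from the thread; the sample responses are constructed below."""
import gzip
import zlib
from typing import Dict, Tuple


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw response into lower-cased headers and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def gzip_report(raw: bytes) -> Dict[str, object]:
    """Check the header claim against the body bytes, not one or the other."""
    headers, body = split_response(raw)
    declared = headers.get("content-encoding", "").lower() == "gzip"
    looks_gzip = body[:2] == b"\x1f\x8b"  # gzip member magic
    report: Dict[str, object] = {
        "declared_gzip": declared,
        "body_is_gzip": looks_gzip,
        "vary_accept_encoding": "accept-encoding" in headers.get("vary", "").lower(),
        "consistent": declared == looks_gzip,
    }
    if looks_gzip:
        try:
            report["decoded_length"] = len(gzip.decompress(body))
        except (OSError, EOFError, zlib.error) as err:
            report["consistent"] = False
            report["error"] = str(err)
    return report


def build_sample(compress: bool) -> bytes:
    """Constructed CSS response, compressed or not, for the demo."""
    css = b"body{margin:0}" * 20
    if compress:
        body = gzip.compress(css)
        head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
                b"Content-Encoding: gzip\r\nVary: Accept-Encoding\r\n")
    else:
        body = css
        head = b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
    return head + b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(gzip_report(build_sample(True)))
    print(gzip_report(build_sample(False)))
```

The Vary flag matters for the "from the page it is not gzipped, by direct URL it is" symptom: a cache that ignores Accept-Encoding can hand a compressed body to a client that did not ask for one, or the plain body to one that did, and the report makes that visible per response.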

IE8 attachment download issue over SSL

While downloading an Excel file on IE8 over SSL, we are getting the error: "Unable to download Document.ashx from MyHostName. Unable to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later."
We tried a couple of solutions, but none of them worked except the registry edit (which is not viable).
1) Tried the registry edit as per http://support.microsoft.com/kb/323308 and it worked. But this is not a viable solution.
2) Tried the solution as per this link http://support.microsoft.com/kb/815313 where they say the files will download if you 'copy shortcut' and run it via the browser URL. But this solution was not consistent; it worked sometimes but mostly did not work.
3) Updated our Java controller code to response.setHeader("Cache-Control", "must-revalidate, private"); response.setDateHeader("Expires", -1), but still when we look at the header it shows as "cache-control: no-cache". This solution is also not working.
4) Unchecked the option 'Not Save Encrypted files to Disk' on the IE 8 browser. But that is also not working. http://blogs.msdn.com/b/ieinternals/archive/2010/04/21/internet-explorer-may-bypass-cache-for-cross-domain-https-content.aspx and
http://support.microsoft.com/kb/2549423
I also searched the internet with various options suggested as above, but none of them are working foolproof.
If anyone has a solution other than those listed above, please do share it.
Thanks
I had the same problem and I discovered that the header:
Pragma: private
will fix this.
Make sure that "no-store" and "no-cache" occur in your header in that order. IE8 pukes if it's reversed.
Check out the update at the end of this post: Internet Explorer Cannot Download https://something
I found that I needed to also remove the "pragma" header to make it work. Apparently, pragma is not intended for responses although I don't know if any old browsers out there require it.
Source: Difference between Pragma and Cache-control headers?
The problem is that if the server sends the browser an HTTP header that disables caching, Internet Explorer gives an error. We also tried all the solutions you mentioned without luck, but analyzing the HTTP response we saw that the application server added a no-cache="Set-Cookie" HTTP header automatically and it disabled IE8 caching... There is a setting that can be made on the AS but in our case we could not do it, so we changed our cookie-management code server side and we resolved the problem.
I have faced this issue and the following entries resolved the problem:
// Excel download over HTTPS: a cacheable policy instead of no-cache/no-store
response.setContentType("application/vnd.ms-excel; charset=utf-8"); // registered MIME type for .xls
// quote the filename so spaces or special characters do not break the header
response.setHeader("Content-Disposition", "attachment;filename=\"" + filename + "\"");
response.setHeader("Pragma", "public");
response.setHeader("Cache-Control", "public, max-age=3800");
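The answers converge on sending a cacheable Cache-Control for the download, and the last snippet builds the Content-Disposition header by concatenating the filename. As an added example (not from the thread) here is a Python version of that header set with the filename handled safely: control characters are rejected (a CR/LF in a user-supplied name would otherwise inject a header), any path component is stripped, the ASCII fallback is quoted and restricted to a conservative character set, and the original Unicode name is carried in the RFC 6266/8187 filename* parameter. The max-age of 3800 and Pragma: public are the values from the answer above.

```python
"""Build response headers for an attachment download served over HTTPS,
with a sanitised Content-Disposition.  Added example, not from the thread."""
import re
from typing import Dict
from urllib.parse import quote

_CTL = re.compile(r"[\x00-\x1f\x7f]")      # CR, LF and other control characters
_ASCII_FALLBACK_BAD = re.compile(r"[^\w .-]")  # conservative ASCII subset for the fallback


def safe_filename(name: str) -> str:
    """Reject names that could smuggle a header; drop any directory part."""
    if _CTL.search(name) or not name.strip():
        raise ValueError("filename contains control characters or is empty")
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def content_disposition(filename: str) -> str:
    """RFC 6266: quoted ASCII fallback plus filename* (RFC 8187, UTF-8
    percent-encoded) for the original name."""
    name = safe_filename(filename)
    ascii_name = name.encode("ascii", "replace").decode("ascii")  # non-ASCII -> '?'
    fallback = _ASCII_FALLBACK_BAD.sub("_", ascii_name)           # '?', quotes etc. -> '_'
    encoded = quote(name, safe="")
    return f'attachment; filename="{fallback}"; filename*=UTF-8\'\'{encoded}'


def download_headers(filename: str, content_type: str = "application/vnd.ms-excel",
                     max_age: int = 3800) -> Dict[str, str]:
    """Header set for a file download; cacheable as in the thread's last answer
    rather than no-cache/no-store, which IE8 rejects for HTTPS downloads."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": content_disposition(filename),
        "Cache-Control": f"public, max-age={max_age}",
        "Pragma": "public",
    }


if __name__ == "__main__":
    # Constructed sample names: plain, non-ASCII, path-traversal-looking, and a CRLF attempt.
    for name in ("report 2024.xlsx", "zpráva.xlsx", "..\\..\\secret.xls"):
        print(download_headers(name)["Content-Disposition"])
    try:
        download_headers("a.xls\r\nSet-Cookie: injected=1")
    except ValueError as err:
        print("rejected:", err)
```

Keeping the cacheable policy confined to the download response (and not the HTML that links to it) limits the exposure: a shared cache will store the file for max-age seconds, so for per-user documents the private directive or a shorter max-age is the safer choice.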