"content security policy violation reported on page" in default bs3 project


sebastian....@gmail.com

Nov 15, 2016, 10:21:41 AM
to Lift
Hi,
first of all, congrats on the new release :)

Now I wanted to play around with the new Lift features but get bombarded with stuff like:

[success] Total time: 53 s, completed Nov 15, 2016 4:04:07 PM
2016-11-15 16:04:21,859 [qtp169464192-70] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'http://localhost:8080/' from referrer '':
       | 'self' was blocked because it violated the
       | directive 'style-src http://localhost:8080'. The policy that specified
       | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.
2016-11-15 16:04:24,029 [qtp169464192-70] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'http://localhost:8080/user_mgt/login' from referrer 'http://localhost:8080/':
       | 'self' was blocked because it violated the
       | directive 'style-src http://localhost:8080'. The policy that specified
       | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.
2016-11-15 16:04:25,932 [qtp169464192-70] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'http://localhost:8080/user_mgt/sign_up' from referrer 'http://localhost:8080/user_mgt/login':
       | 'self' was blocked because it violated the
       | directive 'style-src http://localhost:8080'. The policy that specified
       | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.
2016-11-15 16:04:29,766 [qtp169464192-69] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'http://localhost:8080/index' from referrer 'http://localhost:8080/user_mgt/sign_up':
       | 'self' was blocked because it violated the
       | directive 'style-src http://localhost:8080'. The policy that specified
       | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.
2016-11-15 16:04:33,887 [qtp169464192-67] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
       | 'http://localhost:8080/user_mgt/login' from referrer 'http://localhost:8080/index':
       | 'self' was blocked because it violated the
       | directive 'style-src http://localhost:8080'. The policy that specified
       | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.


I just downloaded the lift zip from the main page, extracted the lift_advanced_bs3 package and ran "container:start" in sbt and clicked on a couple of buttons on the page.

This is just the default project nothing altered at all.

I know it is the new security stuff (which seems to be a nice addition).
But isn't this supposed to work out of the box with a default project and not lob a ton of warnings in an unsuspecting user's face?
Did I miss something, and foremost, how do I get rid of this?

Greetings
Sebastian

Antonio Salazar Cardozo

Nov 15, 2016, 10:41:09 AM
to Lift
Hmm, I thought we'd loosened the CSP rules for those. Will have a look later today.

Meantime, I think this is what you need in Boot:

import net.liftweb.http._
import ContentSourceRestriction._

...

def boot = {
  ...

  LiftRules.securityRules = () => SecurityRules(content = Some(ContentSecurityPolicy(styleSources = List(Self, UnsafeInline))))
}

...

Thanks,
Antonio

Diego Medina

Nov 15, 2016, 10:55:38 AM
to Lift
updating the sample project now ....

--
--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Diego Medina
Lift/Scala Consultant
di...@fmpwizard.com
https://blog.fmpwizard.com/

sebastian....@gmail.com

Nov 15, 2016, 11:08:30 AM
to Lift
Yep, that did help. Those CSP warnings seem to be truly paranoid.
Thank you.

Sebastian

Diego Medina

Nov 15, 2016, 2:00:51 PM
to Lift
Fixed (for now): https://github.com/lift/lift_30_sbt/pull/12
The real fix would be to update the project so it doesn't generate those warnings to begin with; if anyone has time for it, feel free to send a pull request.

Thanks

Diego 



Peter Petersson

Nov 15, 2016, 4:22:32 PM
to lif...@googlegroups.com

Yes, that would be nice!

I have actually flushed out a lot of stuff over time, but looking at warnings like the following (below) hasn't given me any hint on what is needed to amend the warnings; trying to access the report has never worked for me (gives me "Unrecognized format for content security policy report."), don't know if that would have helped though.

Although the below warning is just one example, I would really appreciate it if someone could point me in the right direction to amend the problem, and I would be happy to try to fix the problem without having to brute force and resort to using the UnsafeInline directive.

One observation is that if you are using Chrome (Version 54.0.2840.71 (64-bit)) you are not seeing any warnings at all, although I get some information in the dev tools security tab about "origin not being secure" for a chrome-extension, but in Firefox (49.0.2) you get them (the console log warnings). I have suspected browser plugins having something to do with it, but that might just be because I have not been able to make sense of the warning messages ;)

best regards Peter Petersson

> 2016-11-15 20:40:46,966 [qtp2028504886-79] WARN  net.liftweb.http.LiftRules - Content security policy violation reported on page
>        | 'http://localhost:8080/user_mgt/login' from referrer 'http://localhost:8080/':
>        | 'self' was blocked because it violated the
>        | directive 'script-src http://localhost:8080'. The policy that specified
>        | this directive is: 'default-src http://localhost:8080; img-src *; script-src http://localhost:8080; style-src http://localhost:8080; report-uri http://localhost:8080/lift/content-security-policy-report'.

Antonio Salazar Cardozo

Nov 15, 2016, 4:49:44 PM
to Lift
Yes, I think unsafe inline and unsafe eval have pretty mediocre error messages
unfortunately heh.

The unrecognized format issue should have been fixed I think with https://github.com/lift/framework/pull/1798 in RC4?

Might be wrong though.
Thanks,
Antonio

Peter Petersson

Nov 16, 2016, 12:52:13 AM
to liftweb

Yes, Antonio, you are probably right on both accounts; I was running on an RC.

If no one beats me to it, I will, as soon as I get some time, take a look at this again and if possible replace the unsafe inline with something less brute.
As far as I know the templates and the resulting pages should be pretty clean.

Best regards Peter Petersson

Peter Petersson

Nov 16, 2016, 4:57:08 PM
to lif...@googlegroups.com

I have been taking a closer look at this, and if we do not want to puzzle or alarm new Lift users with CSP warnings reported in the sbt console when running Lift's template applications, setting UnsafeInline might (currently) be the only way. I base this on the following observations:

1) The tested lift/app code is totally clean of any unsafe inline (script or style) code (correct me if I have missed anything).

2) When I run the app, Firefox reports CSP warnings because I have some browser plugins installed that in my case inject an image into input fields (like adding style="background-image: url("data:image/png;base64,....")), so if a user has something similar, or a plugin that does some other funky stuff, warnings are going to pop up even if the application code is free from inline script or style.

1 and 2 above mean that with the current CSP warning reporting policy we unfortunately don't seem to have much of an option other than to set UnsafeInline on script and style sources.

In my case, when I run the same app (https://github.com/lift/lift_30_sbt/lift_advanced_bs3) in Chrome I do not get any warnings at all.

best regards Peter Petersson

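Peter's observation that a report may come from a browser add-on rather than from the page is something a developer reading the JSON posted to report-uri wants to check mechanically. The following is an added example, not Lift code and not from any poster in this thread: a plain Scala classifier over the fields of a CSP violation report (the same fields Lift logs in the warnings quoted above, plus source-file, which browsers also send) run over constructed sample reports. The extension URL schemes and the treatment of 'self', 'inline' and the empty string as inline markers are my assumptions about browser behaviour of the time; the thread itself only shows Firefox reporting 'self'.

```scala
// Triage of CSP violation reports: separate add-on-injected noise from
// violations caused by the application's own pages. No Lift dependency;
// the reports below are constructed for the example, not captured.
object CspReportTriage {

  // The subset of fields a browser posts to report-uri
  // (document-uri, referrer, blocked-uri, violated-directive, source-file).
  final case class Report(
    documentUri: String,
    referrer: String,
    blockedUri: String,
    violatedDirective: String,
    sourceFile: Option[String]
  )

  sealed trait Origin
  case object ExtensionInjected extends Origin // a browser add-on, not your code
  case object InlineInPage      extends Origin // inline script/style in the served page
  case object ForeignHost       extends Origin // a resource loaded from another origin

  // Assumed scheme prefixes used by browser extensions (not from the thread).
  private val extensionSchemes =
    List("chrome-extension:", "moz-extension:", "safari-extension:", "ms-browser-extension:")

  private def fromExtension(s: String): Boolean =
    extensionSchemes.exists(scheme => s.toLowerCase.startsWith(scheme))

  // Browsers of this era disagree on how to name an inline violation:
  // Firefox reports 'self' (as in the logs quoted in this thread); Chrome
  // reports 'inline' or an empty string. Treat all three the same way.
  private val inlineMarkers = Set("self", "inline", "")

  def classify(r: Report): Origin =
    if (fromExtension(r.blockedUri) || r.sourceFile.exists(fromExtension)) ExtensionInjected
    else if (inlineMarkers.contains(r.blockedUri.trim.toLowerCase)) InlineInPage
    else ForeignHost

  // Count reports per (directive name, origin) so you can see at a glance
  // whether the noise is all add-on traffic or something in the app to fix.
  def summarize(reports: Seq[Report]): Map[(String, Origin), Int] =
    reports
      .groupBy(r => (r.violatedDirective.split(" ").head, classify(r)))
      .map { case (key, rs) => key -> rs.size }

  // Constructed sample reports (not captured from a real browser).
  val samples: Seq[Report] = Seq(
    Report("http://localhost:8080/user_mgt/login", "http://localhost:8080/", "self",
           "style-src http://localhost:8080", Some("moz-extension://0123abcd/content.js")),
    Report("http://localhost:8080/index", "http://localhost:8080/user_mgt/sign_up", "inline",
           "script-src http://localhost:8080", None),
    Report("http://localhost:8080/", "", "https://cdn.example.invalid/lib.js",
           "script-src http://localhost:8080", None)
  )

  def main(args: Array[String]): Unit =
    summarize(samples).toSeq.sortBy(_._1._1).foreach { case ((directive, origin), n) =>
      println(s"$directive  $origin  $n")
    }
}
```

Run it with `scala CspReportTriage.scala` or paste it into a REPL; it prints one line per directive and origin. A report classified InlineInPage is the one worth chasing in your own templates; an ExtensionInjected one tells you nothing about the app, which is the reason the thread's advice is to test with a plugin-free browser rather than loosen the policy.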

Antonio Salazar Cardozo

Nov 16, 2016, 6:26:56 PM
to Lift
Hmmm… do those warnings actually prevent the page from operating well, or
are they simply interfering with the extension's functionality?

I don't think we should be reducing default security to accommodate extensions if
at all possible, to be honest. Any site using CSP will be subject to the same extension
bugs, and ultimately our target audience are developers. We'll be here to help them if
needed, but in fact the whole goal of CSP is to prevent untrusted code like that from
running inline.
Thanks,
Antonio

Peter Petersson

Nov 17, 2016, 12:50:17 AM
to liftweb

I totally agree, and that's why I think it is unfortunate that we now resort to setting UnsafeInline by default in the template apps.
I have not had any issue with apps running in production, so no, the pages operate as they should.

BTW, when trying to access the report the console shows an error about Empty.

Best regards Peter Petersson

Antonio Salazar Cardozo

Nov 17, 2016, 9:40:34 AM
to Lift
Ah yes! Agreed; I think we're all on board with trying to fix that when one
of us has time, though. First to issue a PR gets a confetti ball emoji! ;)
Thanks,
Antonio

Henrik Härkönen

Feb 8, 2017, 4:01:05 PM
to Lift
Hi!

I've been wondering about these warnings as well, and I tried to put this into Boot:


LiftRules.securityRules = () => SecurityRules(content = Some(ContentSecurityPolicy(styleSources = List(Self, UnsafeInline))))

but they still keep piling up (3.1.0-M1). Was there something else that needed to be done? I really didn't yet understand the whole concept and how it's
working in Lift, but maybe some day. :) For now I'd just like to get my console back. ;)

-Henrik

Peter Petersson

Feb 9, 2017, 12:58:43 AM
to liftweb
Take a look at my "closer look" reply above.

If you are running an unmodified Lift BS template app, or another app that you know is clean of inline CSS/script, and you get warnings when you run the app, then it is likely that the browser injects something into the running page via some browser plugin.
There doesn't seem to be any easy fix for that one, but at least you as a developer/tester can test your app with a browser that does not have any plugins and be sure your own app code is safe when you don't get any CSP warnings or errors.

Best regards Peter Petersson 


Henrik Härkönen

Feb 9, 2017, 1:57:16 PM
to Lift
Oh, now I kind of get it what this CSP is all about... maybe. :)

Hmm, I have to try that clean template later...

On my current project, I don't have any more CSS in <style> tags inside the HTML, nor JavaScript inside <script>, but I still get some of these, not so many though.

I noticed that now different browsers act differently:

- Chrome: on page load nothing, on ajax calls warnings
- Edge (clean install, never used): on page load warnings, on ajax calls nothing
- Firefox: warnings for both cases, page load and ajax calls.

I'll investigate more...

-Henrik

Henrik Härkönen

Feb 9, 2017, 4:13:10 PM
to Lift
Ok, so the BS template is ok, so I'm not writing on the proper topic here. :)

I'm now using

LiftRules.securityRules = () => SecurityRules(
  content = Some(
    ContentSecurityPolicy(
      defaultSources = List(Self, UnsafeInline),
      scriptSources = List(Self, UnsafeInline, UnsafeEval)
    )
  )
)

I guess that's needed to use ajaxButton, since it creates "onClick"s to the buttons, right? That was the only way I could get the browser happy. :)

-Henrik

Antonio Salazar Cardozo

Feb 10, 2017, 2:14:46 PM
to Lift
The alternative is to enable LiftRules.extractInlineJavaScript. That should
extract all inline event handlers, both in regular page renders and AJAX HTML
responses, so that you can use a stricter content security policy.
Thanks,
Antonio
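Putting the two options from this thread side by side, as an added example and not code from the Lift project or from any poster: a Boot class that wires either the loosened policy the template now ships with or the stricter one Antonio describes, which keeps script-src and style-src at 'self' and relies on LiftRules.extractInlineJavaScript to move Lift's generated event handlers out of the page. Names not quoted in the thread (defaultSources, imageSources, reportUri, All, enforceInDevMode, logInDevMode, enforceInOtherModes, logInOtherModes, Props.get) are taken from my reading of Lift 3.0's SecurityRules, ContentSecurityPolicy and Props and should be checked against the release you run; the csp.strict property is a hypothetical switch made up for this example.

```scala
package bootstrap.liftweb

import net.liftweb.http._
import net.liftweb.http.ContentSourceRestriction._
import net.liftweb.util.Props

class Boot {

  // Option A: what the template apps were changed to in order to quiet the
  // console. UnsafeInline on style-src and script-src means the browser will
  // run any inline <script> or onclick= handler, including one an attacker
  // manages to inject, so for XSS purposes this is close to having no CSP.
  val loosenedPolicy = ContentSecurityPolicy(
    styleSources  = List(Self, UnsafeInline),
    scriptSources = List(Self, UnsafeInline)
  )

  // Option B: the strict defaults (default-src 'self', img-src *, script-src
  // 'self', style-src 'self', report-uri /lift/content-security-policy-report).
  // This only works if the served page carries no inline script or style, which
  // is what extractInlineJavaScript below arranges for Lift-generated handlers.
  // Parameter names other than scriptSources/styleSources are assumed (see lead-in).
  val strictPolicy = ContentSecurityPolicy(
    defaultSources = List(Self),
    imageSources   = List(All),
    scriptSources  = List(Self),
    styleSources   = List(Self),
    reportUri      = Some("/lift/content-security-policy-report")
  )

  def boot(): Unit = {
    LiftRules.addToPackages("code")

    // Pull ajaxButton-style onclick="..." attributes out into a script that is
    // loaded from 'self' instead of executed inline (the alternative Antonio
    // names above; assumed to be a Boolean var on LiftRules).
    LiftRules.extractInlineJavaScript = true

    // Hypothetical property for this example: flip to "false" only to reproduce
    // the loosened template behaviour while hunting a report's source.
    val useStrict = Props.get("csp.strict", "true").toBoolean

    LiftRules.securityRules = () => SecurityRules(
      content = Some(if (useStrict) strictPolicy else loosenedPolicy),
      // In dev mode: report but do not enforce, so a violation raised by a
      // browser add-on (Peter's case) does not break the page while you are
      // still working out where it comes from. In other modes: enforce, since a
      // report caused by a real injection is exactly what you want blocked.
      enforceInDevMode    = false,
      logInDevMode        = true,
      enforceInOtherModes = true,
      logInOtherModes     = true
    )
  }
}
```

As I understand Lift's behaviour, the non-enforcing combination sends the policy as Content-Security-Policy-Report-Only, so the sbt console still shows the warnings quoted in this thread while the page keeps working; the enforcing combination sends Content-Security-Policy and the browser actually blocks the offending inline code. Keeping both policies as named values makes the difference between them visible in review instead of buried in a one-line rules expression.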

Henrik Härkönen

Feb 10, 2017, 2:41:54 PM
to Lift
Ok, thanks for the tip, Antonio! Maybe it's a good idea to keep it (more) strict.

Just started to wonder how mobile browsers support CSP, when even desktop browsers act a bit differently... Seems that 2/3 of traffic is mobile these days, at least to my sites. :)

-Henrik
