Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code
---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Yes, that would be nice!
I have actually flushed out a lot of stuff over time, but looking
at warnings like the following (below) hasn't given me any hint on
what is needed to fix the warnings. Trying to access the report
has never worked for me (it gives me "Unrecognized format for content
security policy report."); I don't know if that would have helped
though.
Although the warning below is just one example, I would really
appreciate it if someone could point me in the right direction to
fix the problem, and I would be happy to try to fix it
without having to brute-force it and resort to the UnsafeInline directive.
One observation is that if you are using Chrome
(Version 54.0.2840.71 (64-bit)) you are not
seeing any warnings at all, although I get some information in the
dev tools Security tab about "origin not being secure" for a
chrome-extension, but in Firefox (49.0.2) you get them (the console
log warnings). I have suspected browser plugins having something
to do with it, but that might just be because I have not been able
to make sense of the warning messages ;)
> 2016-11-15 20:40:46,966 [qtp2028504886-79] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
> 'http://localhost:8080/user_mgt/login' from referrer
> 'http://localhost:8080/':
> 'self' was blocked because it violated the
> directive 'script-src http://localhost:8080'. The policy that specified
> this directive is: 'default-src http://localhost:8080;
> img-src *; script-src http://localhost:8080; style-src
> http://localhost:8080; report-uri
> http://localhost:8080/lift/content-security-policy-report'.
best regards Peter Petersson
Yes Antonio, you are probably right on both accounts; I was running on an RC.
If no one beats me to it, I will, as soon as I get some time, take a look at this again and if possible replace the unsafe inline with something less brute.
As far as I know the templates and the resulting pages should be pretty clean.
Best regards Peter Petersson
I have been taking a closer look at this, and if we do not want to puzzle or alarm new Lift users with CSP warnings reported in the sbt console when running Lift's template applications, setting UnsafeInline might (currently) be the only way. I base this on the following observations:
1) The tested lift/app code is totally clean of any unsafe inline (script or style) code (correct me if I have missed anything).
2) When I run the app, Firefox reports CSP warnings because I have some browser plugins installed that, in my case, inject an image into input fields (like adding style="background-image: url("data:image/png;base64,....), so if a user has something similar, or a plugin that does some other funky stuff, warnings are going to pop up even if the application code is free from inline script or style.
1 and 2 above mean that with the current CSP warning reporting policy we unfortunately don't seem to have much of an option other than to set UnsafeInline on script and style sources.
In my case, when I run the same app (https://github.com/lift/lift_30_sbt/lift_advanced_bs3) in Chrome I do not get any warnings at all.
I totally agree, and that's why I think it is unfortunate that we now resort to setting UnsafeInline by default in the template apps.
I have not had any issues with apps running in production, so no, the pages operate as they should.
BTW, when trying to access the report the console shows an error about Empty.
Best regards Peter Petersson
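The two messages above (the quoted Lift log line and the observation that browser plugins inject inline styles) both come down to the same triage question: which violation reports are caused by the application's own pages and which are client-side noise that no server-side policy change should react to. The following is an added example, not Lift's code or anything from the thread; it parses the JSON body a browser POSTs to a report-uri endpoint (the standard "csp-report" object with blocked-uri, violated-directive, source-file and so on) and sorts each report into a bucket. The sample report bodies are constructed for the example, including the placeholder extension UUID, and the treatment of 'self' as an inline marker is an assumption based on how the Firefox report in the thread reads.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes browsers use for extension-injected content. Assumption: this
# list covers the common engines and is not exhaustive.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension"}

# Values browsers put in blocked-uri for inline script/style. The Lift log
# line in the thread shows Firefox reporting 'self' for such a violation;
# other browsers report 'inline'. Treating both alike is an assumption here.
INLINE_MARKERS = {"inline", "self", ""}


def parse_report(body: str) -> dict:
    """Parse one POSTed body; reject anything that is not a csp-report.

    A body without a top-level "csp-report" object is exactly the case an
    endpoint should answer with "unrecognized format", so raise rather
    than guess at the contents.
    """
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        raise ValueError("unrecognized format for content security policy report")
    return data["csp-report"]


def classify(report: dict, app_origin: str) -> str:
    """Sort one csp-report object into a triage bucket."""
    blocked = (report.get("blocked-uri") or "").strip()
    directive = report.get("effective-directive") or report.get("violated-directive") or ""
    directive_name = directive.split()[0] if directive.split() else "unknown"
    source_file = report.get("source-file") or ""

    # Offending code that lives inside a browser extension is client noise;
    # nothing in the served page caused it.
    if urlsplit(source_file).scheme in EXTENSION_SCHEMES:
        return "extension-injected"
    if urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension-resource"
    if blocked == "eval":
        return "eval"
    if blocked in INLINE_MARKERS:
        # Inline script/style with no extension source file may come from the
        # app's own markup: inspect the page before relaxing the policy.
        return f"inline-{directive_name}"
    if blocked == "data" or blocked.startswith("data:"):
        return f"data-uri-{directive_name}"
    parts = urlsplit(blocked)
    if f"{parts.scheme}://{parts.netloc}" == app_origin:
        return f"same-origin-{directive_name}"
    return f"third-party-{directive_name}:{parts.netloc}"


def triage(bodies, app_origin: str) -> Counter:
    """Count triage buckets over a batch of raw report bodies."""
    counts = Counter()
    for body in bodies:
        try:
            report = parse_report(body)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            counts["unparseable"] += 1
            continue
        counts[classify(report, app_origin)] += 1
    return counts


# Constructed sample bodies, modelled on the fields seen in the thread's log.
SAMPLE_BODIES = [
    # Inline style injected into a form field by a browser extension.
    json.dumps({"csp-report": {
        "document-uri": "http://localhost:8080/user_mgt/login",
        "referrer": "http://localhost:8080/",
        "violated-directive": "style-src http://localhost:8080",
        "blocked-uri": "self",
        "source-file": "moz-extension://00000000-0000-4000-8000-000000000000/content.js",
    }}),
    # Inline script with no source file: it came with the served page.
    json.dumps({"csp-report": {
        "document-uri": "http://localhost:8080/",
        "effective-directive": "script-src",
        "violated-directive": "script-src http://localhost:8080",
        "blocked-uri": "inline",
        "line-number": 42,
    }}),
    # Script loaded from a host the policy does not list.
    json.dumps({"csp-report": {
        "document-uri": "http://localhost:8080/",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/widget.js",
    }}),
    # A body that is not a csp-report at all.
    '{"report": {"something": "else"}}',
]


def demo() -> Counter:
    """Run the triage over the constructed samples for the app origin."""
    return triage(SAMPLE_BODIES, "http://localhost:8080")


if __name__ == "__main__":
    for bucket, n in sorted(demo().items()):
        print(f"{n:3d}  {bucket}")
```

Only the "inline-script-src" and "third-party" buckets point at something in the served page or its policy; "extension-injected" reports are the plugin case from the thread and are not a reason to add UnsafeInline.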
import net.liftweb.http.{ContentSecurityPolicy, LiftRules, SecurityRules}
import net.liftweb.http.ContentSourceRestriction.{Self, UnsafeEval, UnsafeInline}

// Relaxed policy as set in Boot: the page's own origin plus inline
// script/style everywhere, and eval for scripts. This silences the
// reported violations at the cost of the protection CSP was meant to give.
LiftRules.securityRules = () => SecurityRules(
  content = Some(
    ContentSecurityPolicy(
      defaultSources = List(Self, UnsafeInline),
      scriptSources = List(Self, UnsafeInline, UnsafeEval)
    )
  )
)