lift 3.0 net/liftweb/util/BindHelpers java.lang.ClassNotFoundException


Lachlan Deck

Aug 4, 2015, 1:19:36 AM
to Liftweb Group
Hi all,

I cloned the lift_26_repo and am working on a 3.0-M6 branch but am getting an exception running the app. i.e., the above class is not found.

What might I be missing for 3.0?

Thanks!


In build.sbt I have the following:
libraryDependencies ++= {
  val liftVersion = "3.0-M6"
  Seq(
    "net.liftweb"       %% "lift-webkit"        % liftVersion        % "compile",
    "net.liftweb"       %% "lift-mapper"        % liftVersion        % "compile",
    "net.liftmodules"   %% "fobo_2.6"           % "1.3"              % "compile",
    ...
    "javax.servlet"     % "javax.servlet-api"   % "3.1.0"            % "provided",
    "org.eclipse.jetty" % "jetty-webapp"        % "9.2.13.v20150730"  % "jetty,test",
    "org.eclipse.jetty" % "jetty-plus"          % "9.2.13.v20150730"  % "jetty,test" // For Jetty Config
  )
}

enablePlugins(JettyPlugin)


in project/plugins.sbt:
addSbtPlugin("com.earldouglas" % "xsbt-web-plugin" % "2.0.4")


So running the app as follows:
$ ./sbt
> clean
> jetty:start
[info] Updating {file:.../scala_211/lift_advanced_bs3/}lift_advanced_bs3...
[info] Resolving jline#jline;2.12.1 ...
[info] Done updating.
[info] Compiling 4 Scala sources to .../scala_211/lift_advanced_bs3/target/scala-2.11/classes...
[info] Packaging .../scala_211/lift_advanced_bs3/target/scala-2.11/lift-v3-0-template-application-with-bootstrap-v3_2.11-0.0.5.jar ...
[info] Done packaging.
[info] waiting for server to shut down...
[info] starting server ...
[success] Total time: 6 s, completed 04/08/2015 2:56:53 PM
> 2015-08-04 14:56:53.176:INFO::main: Logging initialized @113ms
2015-08-04 14:56:53.181:INFO:oejr.Runner:main: Runner
2015-08-04 14:56:53.245:INFO:oejs.Server:main: jetty-9.2.1.v20140609
2015-08-04 14:56:55.252:WARN:oeja.AnnotationConfiguration:main: ServletContainerInitializers: detected. Class hierarchy: empty
2015-08-04 14:56:55.877:WARN:oejuc.AbstractLifeCycle:main: FAILED o.e.j.w.WebAppContext@233c0b17{/,file:.../scala_211/lift_advanced_bs3/target/webapp/,STARTING}{file:.../scala_211/lift_advanced_bs3/target/webapp/}: java.lang.NoClassDefFoundError: net/liftweb/util/BindHelpers$TheStrBindParam
java.lang.NoClassDefFoundError: net/liftweb/util/BindHelpers$TheStrBindParam
at code.model.User$.<init>(User.scala:15)
at code.model.User$.<clinit>(User.scala)
at bootstrap.liftweb.Boot.boot(Boot.scala:40)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at net.liftweb.util.ClassHelpers$$anonfun$createInvoker$1.apply(ClassHelpers.scala:357)
at net.liftweb.util.ClassHelpers$$anonfun$createInvoker$1.apply(ClassHelpers.scala:355)
at net.liftweb.http.DefaultBootstrap$$anonfun$boot$1.apply(LiftRules.scala:2117)
at net.liftweb.http.DefaultBootstrap$$anonfun$boot$1.apply(LiftRules.scala:2117)
at net.liftweb.common.Full.map(Box.scala:806)
at net.liftweb.http.DefaultBootstrap$.boot(LiftRules.scala:2117)
at net.liftweb.http.provider.HTTPProvider$class.bootLift(HTTPProvider.scala:88)
at net.liftweb.http.LiftFilter.bootLift(LiftServlet.scala:1063)
at net.liftweb.http.provider.servlet.ServletFilterProvider$class.init(ServletFilterProvider.scala:40)
at net.liftweb.http.LiftFilter.init(LiftServlet.scala:1063)
at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:137)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:831)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:300)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1341)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1334)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:744)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:497)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:154)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.server.Server.start(Server.java:357)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.server.Server.doStart(Server.java:324)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.runner.Runner.run(Runner.java:509)
at org.eclipse.jetty.runner.Runner.main(Runner.java:557)
Caused by: 
java.lang.ClassNotFoundException: net.liftweb.util.BindHelpers$TheStrBindParam
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:449)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:402)
at code.model.User$.<init>(User.scala:15)
at code.model.User$.<clinit>(User.scala)
at bootstrap.liftweb.Boot.boot(Boot.scala:40)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at net.liftweb.util.ClassHelpers$$anonfun$createInvoker$1.apply(ClassHelpers.scala:357)
at net.liftweb.util.ClassHelpers$$anonfun$createInvoker$1.apply(ClassHelpers.scala:355)
at net.liftweb.http.DefaultBootstrap$$anonfun$boot$1.apply(LiftRules.scala:2117)
at net.liftweb.http.DefaultBootstrap$$anonfun$boot$1.apply(LiftRules.scala:2117)
at net.liftweb.common.Full.map(Box.scala:806)
at net.liftweb.http.DefaultBootstrap$.boot(LiftRules.scala:2117)
at net.liftweb.http.provider.HTTPProvider$class.bootLift(HTTPProvider.scala:88)
at net.liftweb.http.LiftFilter.bootLift(LiftServlet.scala:1063)
at net.liftweb.http.provider.servlet.ServletFilterProvider$class.init(ServletFilterProvider.scala:40)
at net.liftweb.http.LiftFilter.init(LiftServlet.scala:1063)
at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:137)
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:831)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:300)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1341)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1334)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:744)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:497)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:154)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
at org.eclipse.jetty.server.Server.start(Server.java:357)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)
at org.eclipse.jetty.server.Server.doStart(Server.java:324)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.runner.Runner.run(Runner.java:509)
at org.eclipse.jetty.runner.Runner.main(Runner.java:557)
2015-08-04 14:56:55.879:WARN:oejuc.AbstractLifeCycle:main: FAILED org.eclipse.jetty.server.handler.ContextHandlerCollection@dbd8e44: java.lang.NoClassDefFoundError: net/liftweb/util/BindHelpers$TheStrBindParam


kind regards,
Lachlan Deck





Matt Farmer

Aug 4, 2015, 7:40:42 AM
to lif...@googlegroups.com
What version of Java are you using?

Also a 3.0 version of that should go in lift_30_sbt :)


Matt Farmer Blog | Twitter
--
--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Lachlan Deck

Aug 4, 2015, 8:29:33 AM
to lif...@googlegroups.com
lift_30_sbt is, as yet, blank :) But yes, once it’s working.
(https://github.com/lift/lift_30_sbt)


$ java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)

Switching between 1.8 and 1.7 makes no difference.

But, it might be fobo.

So with the following, the previously mentioned exception occurs.
"net.liftmodules" %% "fobo_2.6" % "1.3" % "compile",

Using fobo 3.0, which only has a scala 2.10 build,
"net.liftmodules" % "fobo_3.0_2.10" % "1.3" % "compile",

Then the following exception occurs instead...
[info] Done packaging.
[info] starting server ...
[success] Total time: 16 s, completed 04/08/2015 9:55:04 PM
> 2015-08-04 21:55:04.869:INFO::main: Logging initialized @79ms
2015-08-04 21:55:04.879:INFO:oejr.Runner:main: Runner
2015-08-04 21:55:05.001:INFO:oejs.Server:main: jetty-9.2.1.v20140609
2015-08-04 21:55:07.325:WARN:oeja.AnnotationConfiguration:main: ServletContainerInitializers: detected. Class hierarchy: empty
2015-08-04 21:55:08.252:WARN:oejuc.AbstractLifeCycle:main: FAILED o.e.j.w.WebAppContext@215a730d{/,file:.../lift_sbt/scala_211/lift_advanced_bs3/target/webapp/,STARTING}{file:.../lift_sbt/scala_211/lift_advanced_bs3/target/webapp/}: java.lang.NoClassDefFoundError: scala/runtime/AbstractPartialFunction$mcZL$sp
java.lang.NoClassDefFoundError: scala/runtime/AbstractPartialFunction$mcZL$sp
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.findClass(WebAppClassLoader.java:482)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:440)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:402)
at net.liftmodules.FoBo.package$.init(FoBo.scala:107)
at bootstrap.liftweb.Boot.boot(Boot.scala:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
kind regards,
Lachlan Deck

Lachlan Deck

Aug 4, 2015, 8:30:32 AM
to lif...@googlegroups.com
I can get the lift_basic app working for 3.0, though with the following security violations.

How should they be fixed?

2015-08-04 22:22:35,386 [qtp1836635453-32] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-04 22:22:35,386 [qtp1836635453-35] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-04 22:22:35,386 [qtp1836635453-34] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-04 22:22:35,386 [qtp1836635453-11] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-04 22:22:35,391 [qtp1836635453-36] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.


For the previous exceptions I listed, they applied to the lift_advanced_bs3 template for 3.0-M6, and FoBo must be the problem.
Is there a 3.0-M6 compatible build?

Thanks.

kind regards,
Lachlan Deck

Peter Petersson

Aug 4, 2015, 4:04:03 PM
to lif...@googlegroups.com
hmm I did compose a mail to the list to help you with this, but as it
has not arrived I will try to formulate it again :(

To amend some of the CSP violations you can add something like the
following in Lift Boot

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    scriptSources = List(
      ContentSourceRestriction.UnsafeEval,
      ContentSourceRestriction.Self),
    styleSources = List(
      ContentSourceRestriction.UnsafeInline,
      ContentSourceRestriction.Self)
  )))
}

But better yet, try to remove the inline style stuff and then you will be
able to remove the UnsafeInline security rules setting.
You should also take a look at [1] to see what more is available or what
more you can do to enhance the security settings.

I also noticed that you have fobo_2.6 in build.sbt you should change
that to fobo_3.0.

[1]
https://github.com/lift/framework/blob/master/web/webkit/src/main/scala/net/liftweb/http/SecurityRules.scala


best regards Peter Petersson

Peter Petersson

Aug 4, 2015, 4:07:47 PM
to lif...@googlegroups.com
"...do to enhance the security settings. " should say "...do to enhance
the applications security. "

best regards Peter Petersson

Lachlan Deck

Aug 4, 2015, 4:25:12 PM
to lif...@googlegroups.com
Hi Peter,

I do have fobo 3.0_2.10 actually. Sorry if that wasn't clear. Is there a 2.11 build?
"net.liftmodules"   % "fobo_3.0_2.10"           % "1.3"              % "compile",

With the above I get a runtime error:

> 2015-08-05 06:24:10.405:INFO::main: Logging initialized @95ms

2015-08-05 06:24:10.420:INFO:oejr.Runner:main: Runner

2015-08-05 06:24:10.546:INFO:oejs.Server:main: jetty-9.2.1.v20140609

2015-08-05 06:24:13.205:WARN:oeja.AnnotationConfiguration:main: ServletContainerInitializers: detected. Class hierarchy: empty

2015-08-05 06:24:14.189:WARN:oejuc.AbstractLifeCycle:main: FAILED o.e.j.w.WebAppContext@4276f4a9{/,file:/Users/ldeck/Documents/dev/lift/fobo/lift_sbt/scala_211/lift_advanced_bs3/target/webapp/,STARTING}{file:/Users/ldeck/Documents/dev/lift/fobo/lift_sbt/scala_211/lift_advanced_bs3/target/webapp/}: java.lang.NoClassDefFoundError: scala/runtime/AbstractPartialFunction$mcZL$sp

kind regards,
Lachlan
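The runtime failure above (NoClassDefFoundError for scala/runtime/AbstractPartialFunction$mcZL$sp) is what a Scala binary-version mismatch looks like once the app boots: an artifact built for Scala 2.10 (fobo_3.0_2.10, pulled in with a single `%`) running on a 2.11 project. The check below is an added example, not code from the thread or from Lift/FoBo; it scans build.sbt text for such mismatches before anything is run. The function names and the sample build.sbt (modelled on the one posted above, with a constructed `scalaVersion := "2.11.7"`) are this example's own assumptions.

```python
"""Static check for Scala binary-version mismatches in an sbt dependency list.

Added example; not code from the thread or from Lift/FoBo.  It flags a
dependency declared with a single `%` whose artifact name carries a Scala
suffix (fobo_3.0_2.10) that differs from the project's scalaVersion, and a
dependency declared with `%%` that carries a literal Scala suffix (sbt would
append a second one).
"""
import re

# "org" %% "artifact" % "version"   or   "org" % "artifact" % "version"
# The version may be a string literal or an identifier such as liftVersion.
DEP_RE = re.compile(r'"([^"]+)"\s*(%%?)\s*"([^"]+)"\s*%\s*("[^"]*"|\w+)')
SCALA_VERSION_RE = re.compile(r'scalaVersion\s*:=\s*"(\d+\.\d+)(?:\.\d+)?"')
# Scala binary-version suffixes (2.10 .. 2.19, 3).  A suffix such as _2.6 on
# fobo_2.6 is a Lift version, not a Scala version, and is deliberately not matched.
SCALA_SUFFIX_RE = re.compile(r'_(2\.1\d|3)$')


def check_cross_versions(build_sbt_text):
    """Return a list of (kind, message) findings; an empty list means no mismatch was seen."""
    m = SCALA_VERSION_RE.search(build_sbt_text)
    if not m:
        return [("no-scala-version", "scalaVersion not declared; cannot check binary compatibility")]
    project_binary = m.group(1)
    findings = []
    for org, op, artifact, version in DEP_RE.findall(build_sbt_text):
        suffix = SCALA_SUFFIX_RE.search(artifact)
        coord = f"{org}:{artifact}:{version.strip(chr(34))}"
        if op == "%%" and suffix:
            # %% appends _<binary> itself, so a literal suffix yields artifact_2.10_2.11
            findings.append(("double-suffix", f"{coord}: drop the literal Scala suffix when using %%"))
        elif op == "%" and suffix and suffix.group(1) != project_binary:
            findings.append(("mismatch",
                             f"{coord} is built for Scala {suffix.group(1)} "
                             f"but the project uses Scala {project_binary}"))
    return findings


# Constructed build.sbt fragment modelled on the one in the thread (scalaVersion is assumed).
SAMPLE_BUILD_SBT = '''
scalaVersion := "2.11.7"

libraryDependencies ++= {
  val liftVersion = "3.0-M6"
  Seq(
    "net.liftweb"       %% "lift-webkit"        % liftVersion % "compile",
    "net.liftmodules"   %% "fobo_2.6"           % "1.3"       % "compile",
    "net.liftmodules"   %  "fobo_3.0_2.10"      % "1.3"       % "compile",
    "javax.servlet"     %  "javax.servlet-api"  % "3.1.0"     % "provided"
  )
}
'''

if __name__ == "__main__":
    for kind, message in check_cross_versions(SAMPLE_BUILD_SBT):
        print(f"[{kind}] {message}")
```

Run against the sample it reports exactly one finding, the fobo_3.0_2.10 line, which is the dependency the thread ends up replacing with a 2.11 build; the fobo_2.6 line is left alone because its suffix is a Lift version.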

Peter Petersson

Aug 4, 2015, 5:28:03 PM
to lif...@googlegroups.com

There are only v1.4 snapshots for Scala 2.11 at this moment.

FoBo 1.4 is wrapping up and I hope to get it out within a month or so, so it might be an option for you.
I am about to finish some script helper functions that will leverage Lift 3 script pages instead of doing in-line script injections (which is more in line with Lift's awesome CSP support). At this point there is mainly API documentation updates left. I hope to have the latest API documentation up on the newly updated FoBo demo pages [1] within a few days. When that is done I will let things sink in a bit and prepare for the FoBo v1.4 release.

Except for the Script helpers documentation, most of what is new and updated in FoBo v1.4 can be found in the github readme here [2] and in a few days the final (hopefully) API docs will be here [3].

[1] http://www.media4u101.se/fobo-lift-template-demo/ 
[2] https://github.com/karma4u101/FoBo
[3] http://www.media4u101.se/fobo-lift-template-demo/foboapi/index.html#net.liftmodules.FoBo.package

best regards Peter Petersson

Lachlan Deck

Aug 4, 2015, 8:19:54 PM
to lif...@googlegroups.com
Hi again,

Great, so just confirming: the fobo 1.4 snapshot fixes the other problem.

However, the security rules seemed to only partially apply. Or rather, there’s one warning that still remains after adding the code you suggested to Boot.

I’ve tried a few variations, e.g., also adding a defaultSources definition, but to no avail.

2015-08-05 09:11:17,536 [qtp402116593-21] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'script-src 'unsafe-eval' 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report’.


previously, the warnings were:
2015-08-05 09:09:36,581 [qtp242541442-14] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'script-src 'unsafe-eval' 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-05 09:09:36,581 [qtp242541442-38] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-05 09:09:36,581 [qtp242541442-34] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-05 09:09:36,581 [qtp242541442-37] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-05 09:09:36,586 [qtp242541442-35] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.
2015-08-05 09:09:36,586 [qtp242541442-36] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'default-src 'self''. The policy that specified
| this directive is: 'script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; report-uri /lift/content-security-policy-report'.

Peter Petersson

Aug 5, 2015, 3:38:27 AM
to liftweb
Good to hear, mixing Scala versions is never good ;)

Regarding the violation you see, I have found that also looking at Chrome's dev tool console can give you even more hints on what's causing the violation.
You should also be aware that when running in development the CSP headers sent with the request are set to be Report-Only, so they are not enforced, but when you deploy in a production environment they will be.

I am guessing that you still have some inline script code in the page and looking at the source code I can see this

<div class="lift:Msgs?showAll=true"></div>

Unfortunately in combination with having the following in boot 

LiftRules.noticesAutoFadeOut.default.set((notices: NoticeType.Value) => {
  notices match {
    case NoticeType.Notice => Full((8 seconds, 4 seconds))
    case _ => Empty
  }
})

generates an inline script; this is probably going to be fixed (moved to Lift's page-script) prior to the Lift 3 release.
To be able to deploy your app in a production environment you either have to (for now) remove the "fade out" code block or add the UnsafeInline directive to the script source block.

best regards Peter Petersson
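The sequence of reports in this thread follows directly from how CSP resolves directives: a fetch directive that is absent from the policy (style-src in the first policy) inherits default-src, which is why the early warnings name `default-src 'self'`, and after style-src 'unsafe-inline' is added the one remaining report names script-src, because the notice fade-out emits an inline script that script-src still forbids. The code below is an added example, not code from the thread or from Lift: it parses a policy string, applies the default-src fallback, reports which resource kinds a page still loads inline that the policy does not permit, and pulls the violated directive out of a Lift-style violation log block. The two policy strings are the ones Lift logged above; the log excerpt, the helper names and the assumption that the page needs inline styles and inline scripts are this example's own.

```python
"""Which CSP directive governs a blocked resource, and what the policy still forbids.

Added example, not code from the thread or from Lift.  Fallback follows the CSP
rule that a fetch directive absent from the policy inherits default-src.
"""
import re

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src", "frame-src",
}


def parse_csp(policy):
    """'script-src a b; default-src c' -> {'script-src': ['a', 'b'], 'default-src': ['c']}.
    Browsers honour the first occurrence of a repeated directive, hence setdefault."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, directive):
    """(governing_directive, sources) for a fetch directive, applying the default-src fallback.
    Returns (None, []) when nothing in the policy restricts that resource type."""
    if directive in directives:
        return directive, directives[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in directives:
        return "default-src", directives["default-src"]
    return None, []


def allows_inline(directives, directive):
    """True if inline content of this kind is permitted (unrestricted, or 'unsafe-inline' present)."""
    governing, sources = effective_sources(directives, directive)
    return governing is None or "'unsafe-inline'" in sources


def missing_inline_relaxations(directives, inline_needs):
    """Resource kinds the page still loads inline that the policy does not permit."""
    return [d for d in inline_needs if not allows_inline(directives, d)]


# Shape of Lift's 'Content security policy violation reported' log block (from the thread).
DIRECTIVE_RE = re.compile(r"directive '(.+?)'\. The policy")
POLICY_RE = re.compile(r"this directive is: '(.+?)'\.")


def parse_lift_report(log_block):
    """Return (violated directive name, parsed policy) from a Lift violation log block."""
    d = DIRECTIVE_RE.search(log_block)
    p = POLICY_RE.search(log_block)
    if not (d and p):
        raise ValueError("not a Lift CSP violation report")
    return d.group(1).split()[0], parse_csp(p.group(1))


# Policy before styleSources was added (from the first set of warnings in the thread).
POLICY_BEFORE = ("script-src 'unsafe-eval' 'self'; default-src 'self'; img-src *; "
                 "report-uri /lift/content-security-policy-report")
# Policy after adding style-src 'unsafe-inline' 'self' (from the remaining warning).
POLICY_AFTER = ("script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; "
                "default-src 'self'; img-src *; report-uri /lift/content-security-policy-report")

# Constructed log excerpt in the shape Lift logs (straight quotes throughout).
SAMPLE_REPORT = """2015-08-05 09:11:17,536 [qtp402116593-21] WARN net.liftweb.http.LiftRules - Content security policy violation reported on page
| 'http://localhost:8080/' from referrer '':
| '' was blocked because it violated the
| directive 'script-src 'unsafe-eval' 'self''. The policy that specified
| this directive is: '""" + POLICY_AFTER + "'."

if __name__ == "__main__":
    before, after = parse_csp(POLICY_BEFORE), parse_csp(POLICY_AFTER)
    needs = ["style-src", "script-src"]          # assumed: page uses inline styles and the fade-out script
    print("style-src governed by (before):", effective_sources(before, "style-src"))
    print("still forbidden before:", missing_inline_relaxations(before, needs))
    print("still forbidden after: ", missing_inline_relaxations(after, needs))
    print("logged report names directive:", parse_lift_report(SAMPLE_REPORT)[0])
```

With the first policy, both style-src and script-src resolve to `default-src 'self'`, so every inline style and script is reported under default-src; with the second, style-src is satisfied and only script-src remains, which is the single warning left in the thread. Note that `missing_inline_relaxations` tells you what the policy forbids, not what you should allow: the thread's recommendation is to remove the inline script (the fade-out block) rather than add 'unsafe-inline' to script-src.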

Lachlan Deck

Aug 5, 2015, 7:20:22 PM
to lif...@googlegroups.com
Cool. I’ve added, for now, UnsafeInline to the scriptSources list.

Is there a current alternative for inline lift:Msgs?

Peter Petersson

Aug 6, 2015, 3:23:09 AM
to lif...@googlegroups.com
Using the inline lift:Msgs is not an issue on its own but the use of the
fading effect on the messages (currently) is as it still adds the
functionality via inline script injection. Commenting out the fading
effect should be harmless if you wish to avoid using the UnsafeInline
directive (which is a good thing to avoid).

best regards Peter Petersson

Lachlan Deck

Aug 6, 2015, 7:21:22 PM
to lif...@googlegroups.com
Sounds good.

Though, in some ways it gives an indication of ideas still to be resolved, or approached differently, moving to 3.0.

What might the goal be, do you think, in terms of a sensible default for the usual webapp?

LiftRules.securityRules = () => {
  SecurityRules(content = Some(ContentSecurityPolicy(
    scriptSources = List(
      ContentSourceRestriction.Self),
    styleSources = List(
      ContentSourceRestriction.Self)
  )))
}

If I understand it rightly, the defaultSecurityRules need to be intentionally relaxed. It’s just a question of how much (and assuming you understand the risks).

kind regards,
Lachlan Deck

Peter Petersson

Aug 7, 2015, 8:38:35 AM
to lif...@googlegroups.com
On 08/07/2015 01:21 AM, Lachlan Deck wrote:
> Sounds good.
>
> Though, in some ways it gives an indication of ideas still to be resolved, or approached differently, moving to 3.0.
>
> What might the goal be, do you think, in terms of a sensible default for the usual webapp?
>
> LiftRules.securityRules = () => {
>   SecurityRules(content = Some(ContentSecurityPolicy(
>     scriptSources = List(
>       ContentSourceRestriction.Self),
>     styleSources = List(
>       ContentSourceRestriction.Self)
>   )))
> }
>
> If I understand it rightly, the defaultSecurityRules need to be intentionally relaxed. It’s just a question of how much (and assuming you understand the risks).

Yes, that's correct; the defaults you list above would absolutely be an
eligible goal, but I leave that to security experts or the like to
comment on.

Unfortunately there are still a lot of apps using some inline style, so
UnsafeInline on the style source would probably be needed in many cases.

When it comes to the template apps you are working on I guess the goal
should be set for each individual template project where the apps should
be runnable without errors or CSP reports in production mode with as few
relaxations to the CSP rules as possible (without overdoing the work).

Tip: one way to quickly test in dev what's gonna happen in "non-dev mode"
is to override the enforceInDevMode parameter for the SecurityRules.

best regards Peter Petersson

Antonio Salazar Cardozo

Aug 9, 2015, 8:22:25 PM
to Lift
The goal is to continue to keep Lift “secure by default”, which is why the current
defaults are so restrictive. On the other hand, for upgrades things might need
relaxing.

One potential idea is to make the current default in the codebase more relaxed
(unsafe inline styles and maybe scripts), but make the app templates all have
the more restrictive default, with an eye towards changing the framework default
in one of the point releases.

Currently `enforceInDevMode` is set to false as I thought it would be easier to
deal with than breaking everything immediately… If we think it's not obvious enough
that things are failing, we can absolutely turn `enforceInDevMode` to true so that
it's immediately obvious when upgrading if things are broken.
Thanks,
Antonio

Lachlan Deck

Aug 9, 2015, 8:31:23 PM
to lif...@googlegroups.com
Hi Antonio,

My 2c, “Secure by default” +1

I think it’s just a question of documentation. Currently, since no docs were available (that I’m aware of) at liftweb.net on what to do for 3.0, it was not obvious what was going on. But that’s expected.

When it becomes the norm, however, and there are recipes for handling varying situations that won’t be a problem.

As for enforceInDevMode, setting it to true sounds good to me. That would avoid confusion going live, since people have made a conscious decision to adjust their dev environment in order to debug etc.

Peter Petersson

Aug 10, 2015, 1:27:05 AM8/10/15
to lif...@googlegroups.com
On 08/10/2015 02:22 AM, Antonio Salazar Cardozo wrote:
> The goal is to continue to keep Lift “secure by default”, which is why the current
> defaults are so restrictive. On the other hand, for upgrades things might need
> relaxing.
>
> One potential idea is to make the current default in the codebase more relaxed
> (unsafe inline styles and maybe scripts), but make the app templates all have
> the more restrictive default, with an eye towards changing the framework default
> in one of the point releases.
>
> Currently `enforceInDevMode` is set to false as I thought it would be easier to
> deal with than breaking everything immediately… If we think it's not obvious enough
> that things are failing, we can absolutely turn `enforceInDevMode` to true so that
> it's immediately obvious when upgrading if things are broken.

I am not sure switching to true by default is a good idea. Although it would avoid production deployment surprises, there are pros and cons either way, so this should probably be discussed in a new thread.

For the 3.0 starter templates maybe a comment and a commented code line "//enforceInDevMode = true" in boot would help a bit.

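To make the trade-off in this sub-thread concrete, here is an added illustration of what the Boot.scala choices look like; it is not code from the thread or from the Lift templates. It assumes Lift 3.0's `net.liftweb.http.SecurityRules`, `ContentSecurityPolicy` and `ContentSourceRestriction` API, with parameter names as I recall them (check them against the 3.0 sources): the strict framework default is kept beside a relaxed, upgrade-friendly policy that permits inline styles but not inline scripts, and `enforceInDevMode` is switched on so that dev mode blocks exactly what production will block.

```scala
// Boot.scala (added example, not from the thread). Assumes Lift 3.0's
// SecurityRules / ContentSecurityPolicy / ContentSourceRestriction API; the
// parameter names below are from memory and should be checked against the sources.
package bootstrap.liftweb

import net.liftweb.http.{LiftRules, SecurityRules, ContentSecurityPolicy, ContentSourceRestriction}

class Boot {
  def boot(): Unit = {
    // The out-of-the-box 3.0 rules: a Content-Security-Policy header that (as I
    // recall the defaults) limits script sources to the app's own origin and
    // allows no inline styles. In dev mode the policy is only logged to the JS
    // console, not enforced, so a template with <style> blocks or onclick=""
    // attributes works locally and then breaks when deployed in production mode.
    val strictDefaults: SecurityRules = SecurityRules()

    // Upgrade-friendly variant for an application that still carries inline CSS:
    // keep scripts restricted to 'self' (no 'unsafe-inline' for scripts, which
    // would give up most of the XSS protection the header provides) but allow
    // inline styles. enforceInDevMode = true makes the browser block the same
    // resources in dev mode that it will block in production, so anyone relaxing
    // their dev setup does so as a deliberate choice rather than by accident.
    val upgradeRules: SecurityRules = SecurityRules(
      content = Some(ContentSecurityPolicy(
        scriptSources = List(ContentSourceRestriction.Self),
        styleSources  = List(ContentSourceRestriction.Self, ContentSourceRestriction.UnsafeInline)
      )),
      enforceInDevMode = true
    )

    // Pick one. The commented line mirrors the starter-template hint suggested
    // above: leave the strict default active and make the relaxation explicit.
    LiftRules.securityRules = () => strictDefaults
    // LiftRules.securityRules = () => upgradeRules
  }
}
```

Once `enforceInDevMode` is true, a violation shows up as a blocked resource in the browser's console during development, which is the point at which the template, rather than the policy, should normally be fixed.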

Ethan Jewett

Aug 10, 2015, 12:52:46 PM8/10/15
to lif...@googlegroups.com
I worked through figuring this out with the move to Lift 3.0 and while there could be better documentation on how and when to override the defaults, I think secure by default is fine. There are quite alarming warning messages on the JS console in dev mode, so I don't think it should be a surprise when things just don't work in production mode. My 2c.

Ethan

