Content security policy report


Donald McLean

Mar 27, 2017, 1:51:18 PM
to liftweb
I am having trouble with one of the pages in my app and I could
desperately use some advice as to what the problem is and how to fix
it.

I'm getting this in the JavaScript console:

tables.css (line 36, col 8)
"NetworkError: 400 Bad Request -
http://localhost:8080/aoiDev/lift/content-security-policy-report"
content...-report
Synchronous XMLHttpRequest on the main thread is deprecated because of
its detrimental effects to the end user’s experience. For more help
http://xhr.spec.whatwg.org/


jquery-2.1.3.js (line 8556, col 4)
Content Security Policy: The page’s settings observed the loading of a
resource at self (“script-src http://localhost:8080 'unsafe-inline'”).
A CSP report is being sent. Source: call to eval() or related function
blocked by CSP.

call to eval() or related function blocked by CSP


And I got this in the log on the server side:

2017-03-27 13:12:42,979 WARN [qtp804581391-21]
n.l.h.ContentSecurityPolicyViolation [Logging.scala:252] Got a content
security violation report we couldn't interpret:
'Full({"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/aoiDev/displayData.html?mode=log&noContext=true","line-number":328,"original-policy":"default-src
http://localhost:8080; img-src *; script-src http://localhost:8080
'unsafe-inline'; style-src http://localhost:8080 'unsafe-inline';
report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report","referrer":"http://localhost:8080/aoiDev/","script-sample":"call
to eval() or related function blocked by
CSP","source-file":"http://localhost:8080/aoiDev/jquery-2.1.3.js","violated-directive":"script-src
http://localhost:8080 'unsafe-inline'"}})'.

Thank you,

Donald

Antonio Salazar Cardozo

Mar 27, 2017, 2:13:30 PM
to Lift
Interesting. Do you have your own custom violation handler, or are you using the
one Lift comes with out of the box? It seems like the default one should be able to
parse that JSON string, but perhaps something is awry for some reason.

As to the underlying motivation, it looks like a jQuery callback tried to run `eval`
on the content of a script. I believe this happens when you run AJAX callbacks,
in which case you'll need to allow unsafe-inline JS execution. In the near future,
I'd like to see what we can do to use some of the more advanced CSP features
to allow AJAX callbacks to work correctly without requiring unsafe-inline, but I'm
not sure if that's feasible yet.

Another option is having AJAX callbacks only return JSON, and using client-side
code to parse the JSON and take action based on it.
Thanks,
Antonio

Donald McLean

Mar 27, 2017, 2:29:12 PM
to liftweb
We had a conversation about this a few weeks ago and I added this to boot:

LiftRules.securityRules = () => SecurityRules(content =
  Some(ContentSecurityPolicy(scriptSources = List(Self, UnsafeInline),
                             styleSources = List(Self, UnsafeInline))))
LiftRules.extractInlineJavaScript = true

But that doesn't seem to be helping.

Or is there something I missed?

Thanks,

Donald



--
Family photographs are a critical legacy for
ourselves and our descendants. Protect that
legacy with a digital backup and recovery plan.

Antonio Salazar Cardozo

Mar 27, 2017, 2:54:25 PM
to Lift
Ah, ok. You'll need to add `UnsafeEval` to the `scriptSources` as well. Sorry, I
forgot that unsafe inline and unsafe eval are separate flags.
Thanks,
Antonio

Donald McLean

Mar 27, 2017, 3:29:04 PM
to liftweb
Hi Antonio,

So I now have:

LiftRules.securityRules = () => SecurityRules(content =
  Some(ContentSecurityPolicy(scriptSources = List(Self, UnsafeInline, UnsafeEval),
                             styleSources = List(Self, UnsafeInline))))

But I'm still getting the error shown below. When the page first
loaded, I got a similar error, and none of the usual Comet requests
showed up. I reloaded the page and they showed up in the Firebug
console, but without the eval, the page just doesn't work correctly.

Thanks,

Donald

GET http://localhost:8080/aoiDev/lift/comet/689688763...0261998994520RACSL=1026199899454&_=1490642571372
200 OK
276ms
jquery-2.1.3.js (line 8625)

try { destroy_F10261998994520RACSL(); } catch (e) {}
try{var updates = [["<input type=\"checkbox\"/>", "test 1",
"Acknowledged", "UNKNOWN", "2017-03-08T19:35:53",
"2017-03-08T19:35:53", "A high priority message was posted on the
bulletin board \u0027tst_monitor\u0027.", "101", "ack", "1"]
]
;
var adds = []
;
logTable.processAddsUpdates(adds, updates);}catch(e){lift.cometOnError(e);}
try { destroy_F10261998994520RACSL = function() {}; } catch (e) {}
lift.updWatch('F10261998994520RACSL', '1026199899499');

"NetworkError: 400 Bad Request -
http://localhost:8080/aoiDev/lift/content-security-policy-report"
content...-report
Content Security Policy: The page’s settings observed the loading of a
resource at self (“script-src http://localhost:8080 'unsafe-inline'”).
A CSP report is being sent. Source: call to eval() or related function
blocked by CSP.

call to eval() or related function blocked by CSP


Donald McLean

Mar 27, 2017, 5:42:10 PM
to liftweb
So I replaced LiftRules.contentSecurityPolicyViolationReport with a
method that does nothing. I know, not a good practice, but it did
clear the error out, and left me scratching my head because that
didn't fix the problems. So I dug deeper and found a stupid bug in
some of my JavaScript. Not helped by the fact that the Firebug console
isn't showing any of the console log output, and I had to use Chrome
to see what was going on.

Thank you for your help, Antonio.

And just to really annoy me, after I fixed my bug, the content
security policy issue went away. So I'm wondering if it was some kind
of side effect of the exception my bug was causing.

Tim Nelson

Mar 28, 2017, 5:49:34 AM
to Lift
Donald,

FWIW, I'm pretty sure I've seen that "NetworkError: 400 Bad Request" error being thrown when there was some other problem.

Tim

Antonio Salazar Cardozo

Mar 29, 2017, 8:00:46 AM
to Lift
Hmmm… This is notable. That path should only occur when we get a CSP issue
though. Also, it's correct that neutralizing the violation report request handler won't
do anything to fix any such issue---it's the browser blocking things based on CSP
policy. The call to the violation report handler is just to inform the server that this
has occurred, whether it succeeds or not has no effect on whether or not the browser
blocks the relevant behavior.
Thanks,
Antonio
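Two points from the thread are worth seeing in code: 'unsafe-inline' and 'unsafe-eval' are separate script-src keywords (Antonio's reply on 2:54 PM), and the report-uri handler is informational only, so what the server does with the report cannot change what the browser blocks; the useful thing a handler can do is interpret the report and say which policy keyword is missing. The following is an added example written for this thread, not Lift's own ContentSecurityPolicyViolation code. It parses a policy string of the shape quoted in Donald's server log, parses a report body constructed to match the one he pasted (Firefox wording, blocked-uri "self", eval() in script-sample), and reports the keyword the violated directive lacks. The rule that maps a "self" blocked-uri plus an eval() script-sample to 'unsafe-eval' is a heuristic for that Firefox report format, and the helper names (parse_policy, diagnose, add_source) are my own.

```python
import json

# Constructed sample policy modelled on the "original-policy" in the thread's log line.
SAMPLE_POLICY = ("default-src http://localhost:8080; img-src *; "
                 "script-src http://localhost:8080 'unsafe-inline'; "
                 "style-src http://localhost:8080 'unsafe-inline'; "
                 "report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report")


def make_report(policy):
    """Build a constructed report body shaped like the one the browser posted in the thread."""
    return json.dumps({"csp-report": {
        "blocked-uri": "self",
        "document-uri": "http://localhost:8080/aoiDev/displayData.html",
        "original-policy": policy,
        "script-sample": "call to eval() or related function blocked by CSP",
        "source-file": "http://localhost:8080/aoiDev/jquery-2.1.3.js",
        "violated-directive": "script-src http://localhost:8080 'unsafe-inline'",
    }})


def parse_policy(policy):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}. As in CSP, a repeated directive is ignored."""
    directives = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def serialize_policy(directives):
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())


def effective_sources(directives, name):
    """Fetch directives such as script-src fall back to default-src when absent."""
    return directives.get(name, directives.get("default-src", []))


def parse_report(body):
    """Return the csp-report object, or raise ValueError (the 'couldn't interpret' case)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("report body is not JSON: %s" % exc)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    return report


def diagnose(body):
    """Say which source expression the violated directive is missing."""
    report = parse_report(body)
    words = report.get("violated-directive", "").split()
    directive = words[0].lower() if words else "default-src"
    allowed = effective_sources(parse_policy(report.get("original-policy", "")), directive)
    sample = report.get("script-sample", "")
    blocked = report.get("blocked-uri", "")
    # Heuristic: Firefox reports both inline and eval violations with
    # blocked-uri "self"; only the script-sample text tells them apart.
    if directive == "script-src" and "eval()" in sample:
        needed = "'unsafe-eval'"
    elif blocked in ("self", "inline", ""):
        needed = "'unsafe-inline'"
    else:
        needed = blocked          # a host source the directive does not list
    return {"directive": directive, "allowed": allowed, "needed": needed,
            "already_allowed": needed in allowed,
            "source_file": report.get("source-file", "")}


def add_source(policy, directive, source):
    """Return the policy with `source` appended to `directive` (created from default-src if absent)."""
    directives = parse_policy(policy)
    sources = directives.setdefault(directive, list(effective_sources(directives, directive)))
    if source not in sources:
        sources.append(source)
    return serialize_policy(directives)


if __name__ == "__main__":
    before = diagnose(make_report(SAMPLE_POLICY))
    print("violated %s, allowed %s, missing %s" % (before["directive"], before["allowed"], before["needed"]))
    fixed = add_source(SAMPLE_POLICY, "script-src", "'unsafe-eval'")
    print("fixed policy:", fixed)
    print("still blocked after fix:", not diagnose(make_report(fixed))["already_allowed"])
```

Run it as a script to see the diagnosis for the thread's report and the corrected policy; feed it any other report body via diagnose(). Note that add_source only rewrites the header the server would send next time; it cannot affect the request that produced the report, which is exactly why a no-op handler clears the 400 but not the blocked eval.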