Content Security Policy Messages


Donald McLean

Feb 24, 2017, 11:19:07 AM
to liftweb
Hi all,

I have updated to 3.0.1 and there are a lot of warning and error messages coming out in the console about this (see below). Has some kind of consensus been reached as to the best way to fix these? Do we have a Wiki page that talks about this?

Thanks,

Donald

Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.
/aoiDev/ (line 242)
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.
/aoiDev/ (line 1)
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.

Antonio Salazar Cardozo

Feb 24, 2017, 3:57:05 PM
to Lift
You should try setting `LiftRules.extractInlineJavaScript = true`, which should pull
inline JS contents into a JS file that is loaded alongside the page instead.
Thanks,
Antonio

Donald McLean

Feb 24, 2017, 4:20:00 PM
to liftweb
Hi Antonio,

That helped some, but I'm still getting:


Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.
/aoiDev/ (line 242)
So far, I have:

LiftRules.securityRules = () => SecurityRules(content = Some(ContentSecurityPolicy(styleSources = List(Self, UnsafeInline))))
LiftRules.extractInlineJavaScript = true

--
--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Family photographs are a critical legacy for
ourselves and our descendants. Protect that
legacy with a digital backup and recovery plan.

Antonio Salazar Cardozo

Feb 25, 2017, 4:02:35 PM
to Lift
It seems like you're probably appending script tags directly to the page. If that's
the case, use `S.appendJs` instead... Would probably be good for the HTML normalizer
to extract those script element contents as well in cases where inline JS extraction is
enabled. If that is indeed the issue, could you file a GitHub Issue so we can track that?

Also, it looks like for some reason the CSP report endpoint isn't properly registered. Are
you doing anything interesting with statelessDispatch?
Thanks,
Antonio

Donald McLean

Feb 26, 2017, 6:56:42 PM
to liftweb
Thanks for your help Antonio.

It's a single page app, so you can imagine I do quite a lot of Comet updating including wholesale replacement of parts of the page. This might be a dumb question but are you saying that if I do a replacement with a piece of HTML (from a file) that has a script tag in it that this would be a security issue?

I am not aware of doing anything with statelessDispatch. The app has serious security requirements and nothing happens without proper authentication and authorization.

Antonio Salazar Cardozo

Feb 27, 2017, 8:11:16 AM
to Lift
The security concern is allowing arbitrary inline JS to be evaluated in the browser. The
reasoning is, imagine if you disallow inline JS from being evaluated. Then imagine through
another compromise, someone manages to get a script tag on the page (say, through
an improperly sanitized content interaction). That script tag is effectively inert, because
the browser will prevent it from executing. 

You can also adjust CSP to allow unsafe inline JS content if you want:

LiftRules.securityRules = () => SecurityRules(content = Some(ContentSecurityPolicy(scriptSources = List(Self, UnsafeInline), styleSources = List(Self, UnsafeInline))))

Note that this only applies to inline JS; e.g.:

<script type="text/javascript">
here.is.some();
JS();
</script>

Not to script includes.

Additionally, note that if you're injecting new content via comet, I believe
that already automatically extracts script tags due to how jQuery and Lift
handle JS-based DOM updates that include inline scripts. If I remember
that correctly, then the only situation that should trigger this error should
be if the page at load time includes HTML with inline script tags.

I'd very much like to improve that aspect of inline JS extraction, so this is
no longer something you need to worry about if you enable that option.
Thanks,
Antonio

Donald McLean

Feb 27, 2017, 10:32:28 AM
to liftweb
Hi Antonio,

Your explanation of the issues with inline JS makes sense. Thank you for that. I am more than happy to move all that stuff to script includes.

I was looking at the output in Firebug (see below) and it appears that some of these CSP issues are being caused by Lift stuff.

Also, I would still very much appreciate a suggestion on how to fix this:
Thank you for all your help,

Donald


200 OK

161ms
jquery-3.1.1.js (line 9536)
try { destroy_F228044653882FRVPCE(); } catch (e) {}
try{jQuery('#'+"F228044653882FRVPCE_outer").html("<div id=\"F228044653882FRVPCE\" style=\"display: inline\"><div>\u000a                <span id=\"statusContent\"><span id=\"statusContent\"> <span id=\"statusContent\">Please log in to see status.</span> </span></span>\u000a            </div></div>");}catch(e){lift.cometOnError(e);}
try { destroy_F228044653882FRVPCE = function() {}; } catch (e) {}
try { destroy_F228044653879EUPHPN(); } catch (e) {}
try{jQuery('#'+"F228044653879EUPHPN_outer").html("<div id=\"F228044653879EUPHPN\" style=\"display: inline\"><div>\u000a            <p>\u000a                <span id=\"contextChooser\"><span id=\"contextChooser\"> <p></p> </span></span>\u000a            </p>\u000a        </div></div>");}catch(e){lift.cometOnError(e);}
try { destroy_F228044653879EUPHPN = function() {}; } catch (e) {}
try { destroy_F228044653876OOZYRN(); } catch (e) {}
try{jQuery('#'+"F228044653876OOZYRN_outer").html("<div id=\"F228044653876OOZYRN\" style=\"display: inline\"><span id=\"messagingBlock\" style=\"cursor: pointer;\"><span id=\"messageTicker\"><p></p></span></span></div>"); lift.onEvent("messagingBlock","mouseup",function(event) {displayLogWindow();;});;}catch(e){lift.cometOnError(e);}
try { destroy_F228044653876OOZYRN = function() {}; } catch (e) {}
try { destroy_F228044653873NKW2RX(); } catch (e) {}
try{jQuery('#'+"F228044653873NKW2RX_outer").html("<div id=\"F228044653873NKW2RX\" style=\"display: inline\"><div id=\"logoutStuff\">\u000a            <span id=\"logoutContent\"><span id=\"logoutContent\"><p></p></span></span>\u000a        </div></div>");}catch(e){lift.cometOnError(e);}
try { destroy_F228044653873NKW2RX = function() {}; } catch (e) {}
lift.updWatch('F228044653873NKW2RX', '228044653875');
lift.updWatch('F228044653876OOZYRN', '228044653878');
lift.updWatch('F228044653879EUPHPN', '228044653881');
lift.updWatch('F228044653882FRVPCE', '228044653884');
Content Security Policy: The page’s settings observed the loading of a resource at self (“script-src 'unsafe-eval' http://localhost:8080”). A CSP report is being sent.

Antonio Salazar Cardozo

Feb 27, 2017, 2:53:43 PM
to Lift
The 400 error on the CSP request seems like it's related to the JSON being
sent to the server. You should see an error in the Lift console, I think, as to
what issue occurred there. Might be that there's been drift between what FF
sends to the server and what we're expecting to see. 

You can see Lift's default CSP violation handler in SecurityRules.scala. It
expects certain fields and returns a 400 if it doesn't see them, and logs the
issue at WARN level so you can see what was received from the browser.
If you see a different version, you can install your own handler to deal with
the difference in format by prepending it to `statelessDispatch`.

The JS that's in that log output is all JS that should be coming from the
server as a response… It feels like it shouldn't be triggering an error, and
I can't tell from the formatting whether or not it is.
Thanks,
Antonio

Donald McLean

Feb 27, 2017, 4:00:01 PM
to liftweb
This is what came out in the log:

2017-02-27 15:23:55,679 WARN [qtp1464642111-53] n.l.h.ContentSecurityPolicyViolation [Logging.scala:252] Got a content security violation report we couldn't interpret: 'Full({"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/aoiDev/","line-number":1,"original-policy":"default-src http://localhost:8080; img-src *; script-src 'unsafe-eval' http://localhost:8080; style-src http://localhost:8080 'unsafe-inline'; report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report","referrer":"","script-sample":"try { destroy_F228044653882FRVPCE(); } c...","source-file":"http://localhost:8080/aoiDev/","violated-directive":"script-src 'unsafe-eval' http://localhost:8080"}})'.
2017-02-27 15:23:55,721 WARN [qtp1464642111-32] n.l.h.ContentSecurityPolicyViolation [Logging.scala:252] Got a content security violation report we couldn't interpret: 'Full({"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/aoiDev/","line-number":1,"original-policy":"default-src http://localhost:8080; img-src *; script-src 'unsafe-eval' http://localhost:8080; style-src http://localhost:8080 'unsafe-inline'; report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report","referrer":"","script-sample":"try { destroy_F228044653882FRVPCE(); } c...","source-file":"http://localhost:8080/aoiDev/","violated-directive":"script-src 'unsafe-eval' http://localhost:8080"}})'.
2017-02-27 15:23:55,821 DEBUG [pool-2-thread-7] e.s.l.s.LoginUIModule [Login.scala:126] [Login.login] enter.
2017-02-27 15:23:56,073 WARN [qtp1464642111-24] n.l.h.ContentSecurityPolicyViolation [Logging.scala:252] Got a content security violation report we couldn't interpret: 'Full({"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/aoiDev/","line-number":1,"original-policy":"default-src http://localhost:8080; img-src *; script-src 'unsafe-eval' http://localhost:8080; style-src http://localhost:8080 'unsafe-inline'; report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report","referrer":"","script-sample":"try { destroy_F228044653885GDBB0X(); } c...","source-file":"http://localhost:8080/aoiDev/","violated-directive":"script-src 'unsafe-eval' http://localhost:8080"}})'.
2017-02-27 15:23:56,073 WARN [qtp1464642111-51] n.l.h.ContentSecurityPolicyViolation [Logging.scala:252] Got a content security violation report we couldn't interpret: 'Full({"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/aoiDev/","line-number":1,"original-policy":"default-src http://localhost:8080; img-src *; script-src 'unsafe-eval' http://localhost:8080; style-src http://localhost:8080 'unsafe-inline'; report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report","referrer":"","script-sample":"$(document).ready(function () {\n    fixC...","source-file":"http://localhost:8080/aoiDev/","violated-directive":"script-src 'unsafe-eval' http://localhost:8080"}})'.

I'm running Firefox 51.0.1
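Antonio describes Lift's default violation handler as expecting certain fields and answering 400 otherwise, and Donald's log shows the report body Firefox 51 actually sent. The following is an added example, not Lift's code and not from either poster: a small Python reader for that report format that parses the `original-policy`, checks whether the violated `script-src` directive permits inline scripts at all, and (going beyond the thread, which only mentions `'unsafe-inline'`) computes the CSP Level 2 hash source that would allow one specific inline script without opening the policy to all inline JS. The sample report is constructed from the log line above.

```python
import base64
import hashlib
import json

# Constructed sample: the report body from Donald's log (Firefox 51 format).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://localhost:8080/aoiDev/",
    "line-number": 1,
    "original-policy": "default-src http://localhost:8080; img-src *; "
                       "script-src 'unsafe-eval' http://localhost:8080; "
                       "style-src http://localhost:8080 'unsafe-inline'; "
                       "report-uri http://localhost:8080/aoiDev/lift/content-security-policy-report",
    "referrer": "",
    "script-sample": "try { destroy_F228044653882FRVPCE(); } c...",
    "source-file": "http://localhost:8080/aoiDev/",
    "violated-directive": "script-src 'unsafe-eval' http://localhost:8080",
}})


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def classify_report(body: str) -> dict:
    """Interpret one violation report.

    A missing required field raises KeyError, which is the case a handler
    like Lift's would turn into a 400 response."""
    r = json.loads(body)["csp-report"]
    directive = r["violated-directive"].split()[0]
    policy = parse_policy(r["original-policy"])
    # Sources governing the violated directive, falling back to default-src.
    sources = policy.get(directive, policy.get("default-src", []))
    return {
        "directive": directive,
        # blocked-uri "self" with script-src means an inline <script> was refused.
        "inline_script_blocked": r["blocked-uri"] == "self" and directive == "script-src",
        "unsafe_inline_allowed": "'unsafe-inline'" in sources,
        "sample": r.get("script-sample", ""),
    }


def hash_source(script_text: str) -> str:
    """CSP Level 2 hash source allowing exactly this inline script body."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"
```

Adding the value returned by `hash_source` to `script-src` permits only that exact script body, which is the narrower alternative to `UnsafeInline` while the inline-extraction gaps discussed above remain.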

Antonio Salazar Cardozo

Feb 28, 2017, 7:52:48 AM
to Lift
Hm. Weird... I would expect that to deserialize correctly, as it has all the requisite
fields. That would require deeper debugging, I think.

The CSP error here is also very weird, as it really looks like comet response material…
But perhaps jQuery evaluates response JS by injecting a script tag, in which case that
would break. That might be related to this jQuery bug, which apparently won't be fixed
before jQuery 4.0.

That's a real pain… I would add unsafe inline for the page, for now... And if you could,
file an issue for the fact that comet responses seem not to play nice with a restrictive
Content-Security-Policy. Perhaps the move here will be to finalize liftVanilla support and
ensure liftVanilla does the right thing in these cases.
Thanks,
Antonio