Paymill bridge CSP


sebastian....@gmail.com

Dec 13, 2016, 11:12:43 AM12/13/16
to Lift
Hi,
Another CSP problem I am unable to fix.

I want to embed a Paymill Bridge, which is basically an iframe loaded via JS from Paymill, for debit card payments.

My Lift rules look like this:

 LiftRules.securityRules = () => {
   SecurityRules(
     content = Some(ContentSecurityPolicy(
       defaultSources = List(
         ContentSourceRestriction.Self,
         ContentSourceRestriction.Host("https://bridge.paymill.de"),
         // UnsafeInline lives on the ContentSourceRestriction companion, like Self and Host
         ContentSourceRestriction.UnsafeInline
       ),
       scriptSources = List(
         ContentSourceRestriction.Self,
         ContentSourceRestriction.Host("https://bridge.paymill.de"),
         ContentSourceRestriction.Host("https://bridge.paymill.com"),
         ContentSourceRestriction.UnsafeInline
       ),
       styleSources = List(
         ContentSourceRestriction.Self,
         ContentSourceRestriction.Host("https://bridge.paymill.de"),
         ContentSourceRestriction.Host("https://bridge.paymill.com"),
         ContentSourceRestriction.Host("https://fonts.googleapis.com"),
         ContentSourceRestriction.Host("http://fonts.googleapis.com"),
         ContentSourceRestriction.UnsafeInline
       ),
       fontSources = List(
         ContentSourceRestriction.Self,
         ContentSourceRestriction.Host("https://bridge.paymill.de"),
         ContentSourceRestriction.Host("https://bridge.paymill.com"),
         ContentSourceRestriction.Host("https://fonts.googleapis.com"),
         ContentSourceRestriction.Host("https://fonts.gstatic.com"),
         ContentSourceRestriction.UnsafeInline
       )
     ))
   )
 }

But now I get a CSP violation for fobo/jquery...


{"csp-report":{"blocked-uri":"self","document-uri":"http://localhost:8080/company","line-number":343,"original-policy":"default-src http://localhost:8080 https://bridge.paymill.de 'unsafe-inline'; font-src http://localhost:8080 https://bridge.paymill.de https://bridge.paymill.com https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline'; img-src *; script-src http://localhost:8080 https://bridge.paymill.de https://bridge.paymill.com 'unsafe-inline'; style-src http://localhost:8080 https://bridge.paymill.de https://bridge.paymill.com https://fonts.googleapis.com http://fonts.googleapis.com 'unsafe-inline'; report-uri http://localhost:8080/lift/content-security-policy-report","referrer":"http://localhost:8080/","script-sample":"call to eval() or related function blocked by CSP","source-file":"http://localhost:8080/classpath/fobo/jquery.js","violated-directive":"script-src http://localhost:8080 https://bridge.paymill.de https://bridge.paymill.com 'unsafe-inline'"}}

The interesting part seems to be:

referrer: "http://localhost:8080/"
script-sample: "call to eval() or related function blocked by CSP"
source-file: "http://localhost:8080/classpath/fobo/jquery.js"


How do I get rid of that?
This CSP stuff is rather annoying :(
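Reading a report like the one above by hand is error-prone, so here is a small triage helper (an added example, not part of this thread or of Lift). It separates the two things a script-src report can mean: the script's origin is not listed, or the origin is fine but the script used eval() (or a related string-to-code call), which only 'unsafe-eval' or a different script version can resolve. Both report constants are constructed, the first from the report posted above.

```python
import json
from urllib.parse import urlsplit

# Constructed: the report posted above, trimmed to the fields the triage uses.
EVAL_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://localhost:8080/company",
    "script-sample": "call to eval() or related function blocked by CSP",
    "source-file": "http://localhost:8080/classpath/fobo/jquery.js",
    "violated-directive": "script-src http://localhost:8080 https://bridge.paymill.de "
                          "https://bridge.paymill.com 'unsafe-inline'",
}})

# Constructed: a report where the script's origin is genuinely not in the policy.
ORIGIN_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://cdn.example.invalid/widget.js",
    "document-uri": "http://localhost:8080/company",
    "violated-directive": "script-src http://localhost:8080 'unsafe-inline'",
}})

def parse_directive(directive):
    """Split "script-src a b c" into the directive name and its source expressions."""
    name, *sources = directive.split()
    return name, sources

def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def origin_allowed(url, sources, document_uri):
    """True if the URL's scheme://host[:port] matches 'self' or a listed host source."""
    origin = origin_of(url)
    for src in sources:
        if src == "'self'" and origin == origin_of(document_uri):
            return True
        if src.startswith("'"):
            continue  # keyword sources such as 'unsafe-inline' never match an origin
        if src.rstrip("/") == origin:
            return True
    return False

def triage(report_json):
    r = json.loads(report_json)["csp-report"]
    name, sources = parse_directive(r["violated-directive"])
    sample = r.get("script-sample", "")
    # Browsers of different vintages report an eval block as blocked-uri "self" or "eval".
    if r["blocked-uri"] in ("self", "eval") or "eval()" in sample:
        script = r.get("source-file", r["document-uri"])
        cause = "eval"  # no host source fixes this; 'unsafe-eval' or a changed script would
    else:
        script, cause = r["blocked-uri"], "origin"
    return {"directive": name, "cause": cause, "offending_script": script,
            "source_allowed": origin_allowed(script, sources, r["document-uri"])}
```

For the posted report the result is cause "eval" with source_allowed True, i.e. the jquery.js origin is already permitted and adding more hosts cannot help.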
Peter Petersson

Dec 13, 2016, 12:02:16 PM12/13/16
to lif...@googlegroups.com

It seems like the jQuery version you are using has some offending code. I would try to see if it goes away by upgrading (or downgrading) the jQuery version, and as you are using FoBo, and FoBo supports several jQuery versions simultaneously, that would simply be to change the version string in Lift Boot (Boot.scala):

FoBo.Toolkit.Init=FoBo.Toolkit.JQuery[XYZ version]

Restart your app and check if the CSP issue has been resolved.

Best regards, Peter Petersson

--
Lift, the simply functional web framework: http://liftweb.net
Code: http://github.com/lift
Discussion: http://groups.google.com/group/liftweb
Stuck? Help us help you: https://www.assembla.com/wiki/show/liftweb/Posting_example_code

---
You received this message because you are subscribed to the Google Groups "Lift" group.
To unsubscribe from this group and stop receiving emails from it, send an email to liftweb+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Antonio Salazar Cardozo

Dec 13, 2016, 5:00:20 PM12/13/16
to Lift
Otherwise, you can add UnsafeEval to your script sources, though that's less than ideal if avoidable.
Thanks,
Antonio

sebastian....@gmail.com

Dec 18, 2016, 11:01:04 AM12/18/16
to Lift
Hi,
Well, I actually forgot to have a look at the jQuery version, which was at the default 224.
Changing that to 310 did help.
Maybe it would be possible to change that in the default bs project?
And by the way, why does liftweb.net still say Lift 3.0-RC3 under latest happenings?

Anyways thanks a lot :)
Sebastian

Peter Petersson

Dec 18, 2016, 12:05:12 PM12/18/16
to liftweb
Yes, as BS 3.3.7 now supports jQuery 3 it would be a good idea. Thanks, I will look into it.

Best regards, Peter Petersson
