CSP issue, strict policy applied but cannot find where it is defined - google-chrome

I wrote a Java WebApp using Tomcat Version 9.0.69 and Wicket 9.12.0 plus Chrome Version 109.0.5414.75 for display, but CSP (Content-Security-Policy) totally messes up the display with a bunch of "Refused to [load the stylesheet/script '' | apply inline style] because it violates the following Content Security Policy directive: ...".
I tried to use HTML metas like "", but it failed.
I tried to configure CSP inside Tomcat config, it failed too.
The only way right now I can see my web application properly is by using a Chrome plugin to disable CSP for the display tab.
I would like to fix this issue at the source: where is the strict CSP policy defined here, Tomcat, Wicket, or Chrome?
I tried to fix CSP in HTML metas and Tomcat config, with no effect.
Only disabling CSP in Chrome with a plugin worked to nullify the CSP effect.

Some CSP related settings are defined in Wicket.
If you use the quickstart Maven archetype then they are in WicketApplication.java.
You could disable them by replacing these lines with:
getCspSettings().blocking().disabled();

Related

How can I pass referrer details via an HTML element in Safari?

My site has the Referrer-Policy header configured to "no-referrer" at the server, but I'm trying to pass referrer details ad-hoc via the referrerpolicy HTML attribute. Chrome and Firefox seem to honor the attribute when set on an individual element, but it's ignored in Safari despite Can I Use suggesting that it should be supported.
I thought this may have been due to Apple's efforts around anti-tracking, but the behavior is the same after disabling the "Prevent cross-site tracking" feature.
Safari does honor referrer-policy set at the page-level via a <meta> tag, but I'm trying to avoid that if possible. Am I doing something wrong here or am I missing anything?
Live example: https://dvdwlsn.com/so/rp/
HTML:
RP via HTML
<br>
RP via Server config

Chrome Ignoring CSP Directive in the Header on a Redirect

I am implementing an OpenID Connect client web application. After the user is successfully authenticated in the identity provider, they are redirected back over to my web application. Once they arrive, depending on the value of some query parameters they are redirected to a URL. When the redirection occurs Chrome throws this error in the console:
Refused to send form data to 'https://my-domain-a.com/' because it violates the following Content Security Policy directive: "form-action 'self' https://my-domain-b.com/receive-token".
After some googling I tried adding a Content-Security-Policy header as:
content-security-policy: form-action 'self' https://my-domain-a.com
This does not seem to have any effect and I still receive this message.
I have 2 questions:
How do I fix this?
Why is Chrome throwing this error off of a 301 redirect?
After much googling (and profanity) I figured out why this is happening, as well as an (ugly) fix.
During my experiments, I noticed that all Chromium browser descendants (Chromium, Chrome, and Vivaldi) had this issue. Non-Chromium browser descendants (Firefox and Safari) did not. As it turns out, the identity provider was setting a content security policy directive of: form-action 'self' https://my-domain-b.com/receive-token. Since my browser was getting redirected from the identity provider to my-domain-b.com to my-domain-a.com, the Chromium descendants flagged the redirect from my-domain-b.com to my-domain-a.com as violating the content security policy set by the identity provider. I unfortunately don't know the spec well enough to say which of the 2 behaviors exhibited by the different browsers is the most correct...
I fixed this issue by doing a somewhat ugly hack. Rather than doing a 301 redirect from my-domain-b.com to my-domain-a.com, I instead had my-domain-b.com render a simple HTML page that immediately submitted to my-domain-a.com:
<html><body onload="window.location='https://my-domain-a.com?my_param=my_value'"></body></html>
This solution satisfied the Chromium descendants since there was no longer a redirect to an unrecognized domain. In my case relying on JavaScript is acceptable as the site the user is redirected to is an Angular app, so the user must have JavaScript enabled.
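To make the behaviour described in this answer concrete, here is an added example (not code from the original post or from Chromium) that walks a form submission and its redirect hops through a simplified form-action source-list check; the identity provider origin https://idp.example is a constructed placeholder, and the matching rules are a reduced version of CSP host-source matching, not the full spec.

```python
"""Check a form submission plus its redirect hops against a CSP form-action
source list, modelling the Chromium behaviour described in the answer above.
Simplification (assumption): sources are either 'self', 'none', or a
host-source such as https://host/path; wildcards are not handled."""
from urllib.parse import urlsplit


def _matches(source: str, page_origin: str, url: str, redirected: bool) -> bool:
    """Does one source-list entry allow this URL? (scheme + host, path prefix)"""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "'none'":
        return False
    if "://" not in source:
        # A host-source without a scheme matches the request's scheme here
        source = f"{u.scheme}://{source}"
    s = urlsplit(source)
    if (s.scheme, s.netloc) != (u.scheme, u.netloc):
        return False
    # CSP stops matching the path component once a redirect has happened
    if redirected or s.path in ("", "/"):
        return True
    return u.path.startswith(s.path)


def form_action_allowed(sources, page_origin, chain):
    """Return the first URL in `chain` the policy blocks, or None if all pass.
    chain[0] is the form's action URL; later entries are redirect targets."""
    for i, url in enumerate(chain):
        if not any(_matches(src, page_origin, url, redirected=i > 0) for src in sources):
            return url
    return None


if __name__ == "__main__":
    # Constructed scenario from the question: IdP policy allows only itself
    # and my-domain-b.com/receive-token; the 301 then hops to my-domain-a.com.
    idp_policy = ["'self'", "https://my-domain-b.com/receive-token"]
    hops = ["https://my-domain-b.com/receive-token", "https://my-domain-a.com/"]
    print("blocked:", form_action_allowed(idp_policy, "https://idp.example", hops))
```

Replacing the 301 with a page that navigates via script, as the answer does, ends the chain at my-domain-b.com, so the IdP's form-action list is never checked against my-domain-a.com.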

Can I force to disable xss auditor on chrome by js or html?

My webpage.jsp cannot be viewed because Chrome is not started with --disable-xss-auditor.
It is known that it can be solved by opening chrome.exe --disable-xss-auditor.
But are there any ways (JS code or HTML code) that can achieve the same thing without the stated method?
Thanks.
From the documentation:
Sites may control the XSS Auditor's behavior using the X-XSS-Protection response header, either disabling the feature or changing its mode.
This Response header disables the Auditor:
X-XSS-Protection: 0

After compiling using GWT, only static elements shown in the page

I was following GWT tutorial
https://developers.google.com/web-toolkit/doc/2.1/tutorial/compile
And at the last step, which was compilation, I got a problem.
When I successfully compiled the application and clicked on the index.html using Chrome, all it showed was the static elements written inside the HTML file, not the dynamic contents.
However, I found it worked under Safari.
I found the older version of the same tutorial
https://developers.google.com/web-toolkit/doc/1.5/tutorial/compile
which says that to test web mode after compilation a default browser is needed; for my Mac, it's Safari.
GWT version: 2.5.1
I'm wondering why this happened.
Any solution?
Will it happen when I put it to the server?
Thanks in advance!
GWT apps (by default) can't be run from the filesystem, they must be served by an HTTP server.
The reason is that the GWT app runs in an iframe, and two file:// URLs are considered different origins (for security reasons), so the iframe cannot communicate with the host page.
Try adding <add-linker name="xsiframe"/> to your *.gwt.xml (no guarantee though)

Unrecognized Content-Security-Policy directive

I noticed after updating to Google Chrome (21.0.1180.89) I'm getting a lot of errors in the developer tab, especially if I visit my own phpMyAdmin site.
They are all the same and are some sort of security against Cross-Site Scripting; is there anything I can do to resolve this?
Unrecognized Content-Security-Policy directive 'allow'.
Unrecognized Content-Security-Policy directive 'options'.
The allow and options directives are both part of Mozilla's original definition of Content Security Policy. Chrome implements the current W3C standard, which has made several changes from Mozilla's original proposal.
allow has been replaced with default-src, and sets a default source list for the other CSP directives.
options has been replaced with 'unsafe-inline' and 'unsafe-eval' (with the single-quotes) sources on either the script-src or style-src directives.
Both of those old-style directives still work in Firefox, using the X-Content-Security-Policy header. If a website delivers a WebKit-prefixed header (X-WebKit-CSP), it should use the current standard.
Note that WebKit has implemented the unprefixed header (Content-Security-Policy) in trunk, and it should be rolling out to stable WebKit-based browsers over the next few months. If you're not already setting the canonical header, now is a good time to start thinking about it. :)
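The mapping in this answer (allow to default-src, options inline-script/eval-script to 'unsafe-inline'/'unsafe-eval' on script-src) can be mechanised; the following is an added example, not code from the original answer or from any browser, and it assumes the legacy header only used those two options tokens and otherwise standard directive names.

```python
"""Translate a legacy Mozilla-style X-Content-Security-Policy value (with the
old 'allow' and 'options' directives) into a standard Content-Security-Policy
value, following the mapping described in the answer above."""
from __future__ import annotations

# Legacy 'options' tokens and the standard source keywords they become on script-src.
_OPTIONS_MAP = {"inline-script": "'unsafe-inline'", "eval-script": "'unsafe-eval'"}
# Early Mozilla drafts wrote keywords without quotes; the standard requires quotes.
_KEYWORDS = {"self": "'self'", "none": "'none'"}


def parse_policy(value: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [sources]}, preserving order."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _normalize(src: str) -> str:
    return _KEYWORDS.get(src.lower(), src)


def legacy_to_standard(value: str) -> str:
    """Return the standard CSP equivalent of a legacy allow/options policy."""
    legacy = parse_policy(value)
    standard: dict[str, list[str]] = {}
    for name, sources in legacy.items():
        if name == "allow":
            standard["default-src"] = [_normalize(s) for s in sources]
        elif name != "options":
            standard[name] = [_normalize(s) for s in sources]
    opts = [_OPTIONS_MAP[o.lower()] for o in legacy.get("options", [])
            if o.lower() in _OPTIONS_MAP]
    if opts:
        # script-src falls back to default-src when absent, so start from that
        # list; 'none' cannot be combined with other sources and is dropped.
        base = [s for s in standard.get("script-src", standard.get("default-src", []))
                if s != "'none'"]
        standard["script-src"] = base + [o for o in opts if o not in base]
    return "; ".join(f"{k} {' '.join(v)}".rstrip() for k, v in standard.items())


if __name__ == "__main__":
    # Constructed legacy header value of the kind phpMyAdmin used to send.
    print(legacy_to_standard("allow 'self'; options inline-script eval-script; img-src *"))
```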
Got a similar error on Chrome v 48.0.2564.116 m
"Unrecognized Content-Security-Policy directive 'frame-ancestors'."
But working absolutely fine on IE 11, FF and safari.
This is just a warning message on Chrome and there is no impact on the functionality of the site.