Chrome browser not allowing iframe source to load for Webchat url - google-chrome

I have registered a bot and it was working fine until yesterday. All of a sudden my Chrome browser refused to load my Web Chat control for the MS Bot Framework. When I checked the console, it showed me that the following policies are restricting the iframe from loading the URL. I tried adding meta tags but that didn't help.
Refused to frame 'https://webchat.botframework.com/embed/DiPA_BOT?s=xxxxxxxxxxxxxxxx' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.mydomain.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Also this:
botchat.js:34449 Refused to connect to 'https://directline.botframework.com/v3/directline/conversations' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.accenture.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I found out why Chrome refused to frame/load the Direct Line call and am posting it here in case it helps someone like me.
On my IIS server, in the HTTP headers section, I saw a header named Content-Security-Policy. After disabling it, my bot calls work fine.

Related

Brave: On <!DOCTYPE html>, Refused to load the font 'data:application/font-woff…' because it violates the following Content Security Policy directive…

The website works fine on all other browsers I've tested it on.
On the Brave browser, an error occurs for line 1 of my index.html file (which is <!DOCTYPE html>):
Refused to load the font 'data:application/font-woff...' because it violates the following Content Security Policy directive: "default-src 'self' *.favicon.cc *.google.com *.gstatic.com *.googleapis.com". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.
Line 6 of my index.html is this: <meta http-equiv="Content-Security-Policy" content="font-src 'self' data:; default-src 'self' data: blob: 'unsafe-inline';">.
For some reason, this error only occurs on this .co domain, but when I host the same HTML file on other TLDs (I've tested: .ml, .gq, .dev) it works with no issue, using the CSP I set in the header.
Is there any way to get Brave to use the CSP I set in the file instead of the one Brave uses?
I've tried using it as an actual HTTP header, no change.
Edit for additional context: The entire page breaks as if the CSP is set to "default-src 'self' *.favicon.cc *.google.com *.gstatic.com *.googleapis.com" and other page elements do not load properly.
It turns out it's an issue with Brave's Shields. Disabling them fixed it. I have reported my site to Brave's developers so they can try and fix the problem. As for my site, I've switched to a .com domain from the original .co domain, and it works fine now.

Why is my Content Security Policy not being adhered to?

I've come across a very bizarre situation where a hash is being ignored, despite it being present in the Content-Security-Policy.
This happened while installing Hotjar on our website, manually adding hashes for every inline script it uses, but obviously it can presumably happen with any dynamically inserted inline script.
In the console error message below you can see that the required hash is present, but Chrome suggests that it needs to be added:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-llX8ZkdD3suoiNrpE9mCatplNhRYmlKw' 'self' 'sha256-HRecKxp1fRukFUlrmQh3cAVyb/pNYtdWFGJ2EL5FzdE=' 'sha256-SvLgADqEePEV9RNxBrRQXSBJafFHcVNG7cPzHz6h9eA=' 'sha256-fGP7dUodgG1o2qqo7hPGqd+2FEE7z2Z4Xg5muj+XIOQ=' 'sha256-8hoDThJonkR/uDTFl5y8ugf9U3kcHPL2sq19iPFHTds=' 'sha256-ecMh1s2mivgxX0zzJbkamgAS7kPx+1EqcHz8Uz30i78=' 'sha256-Qv05/NsT/MWFR5NB3hDHRW9iI424uc8WpuRssGdOAsU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g=' 'sha256-qVlOiWrAwuIfu8+uHKHkgg4qBA7YOoSm8A0yB4LfrNw=' *.hotjar.com *.typekit.net".
But the remedy is to include a hash that's already present:
Either the 'unsafe-inline' keyword, a hash ('sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g='), or a nonce ('nonce-...') is required to enable inline execution.
The hashes in CSP and proposed solution are identical:
And here is the complete CSP:
Content-Security-Policy: default-src *; base-uri 'self'; img-src * data:; style-src 'nonce-{$nonce}' 'self' 'sha256-HRecKxp1fRukFUlrmQh3cAVyb/pNYtdWFGJ2EL5FzdE=' 'sha256-SvLgADqEePEV9RNxBrRQXSBJafFHcVNG7cPzHz6h9eA=' 'sha256-fGP7dUodgG1o2qqo7hPGqd+2FEE7z2Z4Xg5muj+XIOQ=' 'sha256-8hoDThJonkR/uDTFl5y8ugf9U3kcHPL2sq19iPFHTds=' 'sha256-ecMh1s2mivgxX0zzJbkamgAS7kPx+1EqcHz8Uz30i78=' 'sha256-Qv05/NsT/MWFR5NB3hDHRW9iI424uc8WpuRssGdOAsU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g=' 'sha256-qVlOiWrAwuIfu8+uHKHkgg4qBA7YOoSm8A0yB4LfrNw=' *.hotjar.com *.typekit.net; script-src 'nonce-{$nonce}' 'self' 'sha256-A0/707MQdpfr/tR18VnYSk7JMJoUQSBURZEJa8wF6po=' 'sha256-1kpOd8fXCkigqXNekDPt+noalDB6YI+94YhtU3ETmvE=' *.hotjar.com *.googletagmanager.com *.universe.com *.google-analytics.com *.quantserve.com *.quantcount.com *.ads-twitter.com *.facebook.net analytics.twitter.com *.stripe.com polyfill.io *.queue-it.net *.amplitude.com; object-src 'none'; frame-ancestors 'self' *.queue-it.net
To replicate this all you'd have to do is install Hotjar with the above CSP.
Is this a Chrome bug or have I missed something?
Here's a screenshot for anyone interested (click to zoom in).
This issue is the same as CSP header fails with "Refused to apply inline style..." but I have already added the hash.
You have either:
1. an inline event handler in the tag, like onclick='javascript_here', onload='js_handler()' etc.
OR
2. JavaScript navigation, like <a href='javascript:...'>
Chrome calculates hashes for those, but to allow this kind of inline script you also need to add the 'unsafe-hashes' token to the script-src directive.
Note: Safari 12 does not support 'unsafe-hashes', so it may be better to attach event handlers with addEventListener() in case 1.
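Added example (not from either post): a small Python checker that models the two behaviours the console messages on this page describe, the 'default-src' fallback for a directive that was never set (the Bot Framework frame-src/connect-src errors) and hash-based allowance of inline code, where an inline event handler or style attribute additionally needs 'unsafe-hashes' as this answer notes. Host matching is simplified to scheme, host and wildcard-subdomain comparison, and every policy string in it is constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# CSP3 fallback chains; any directive not listed here falls straight to 'default-src'.
FALLBACKS = {
    "frame-src": ("frame-src", "child-src", "default-src"),
    "style-src-elem": ("style-src-elem", "style-src", "default-src"),
    "style-src-attr": ("style-src-attr", "style-src", "default-src"),
}

def parse_csp(header):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Directive the browser actually applies and its sources; ('', []) if unrestricted."""
    for name in FALLBACKS.get(directive, (directive, "default-src")):
        if name in policy:
            return name, policy[name]
    return "", []

def host_allowed(sources, url, page_url):
    """Match a URL against host sources: '*', 'self', host, scheme://host, *.host."""
    target, page = urlparse(url), urlparse(page_url)
    for src in sources:
        if src in ("*", target.hostname, f"{target.scheme}://{target.netloc}"):
            return True
        if src == "'self'" and (target.scheme, target.netloc) == (page.scheme, page.netloc):
            return True
        if src.startswith("*.") and target.hostname and target.hostname.endswith(src[1:]):
            return True  # '*.mydomain.com' covers sub.mydomain.com, not mydomain.com itself
    return False

def inline_hash(content):
    """Source expression the browser computes for this exact inline text."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"

def inline_allowed(sources, content, attribute=False):
    """Nonce/hash present => 'unsafe-inline' ignored; attributes also need 'unsafe-hashes'."""
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    return inline_hash(content) in sources and (not attribute or "'unsafe-hashes'" in sources)
```

Note that 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' in the policy above is the hash of an empty string, which is why a hash list can look complete while a non-empty or whitespace-differing inline block still fails.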

Cordova Content Security Policy frame-src error

Refused to frame '' because it violates the following Content Security Policy directive: "default-src *". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
I added the "wkwebview" plugin for iOS, but then I get this error. I don't have an iframe in my code; an iframe is automatically created from "gap://ready".
Error:
Can you help me please?

Jenkins CSP self works in Firefox but not Chrome or Safari

Our private Jenkins server provides a Content Security Policy on the pages it serves up, and I'm trying to get it to work with the Clover HTML code coverage reports that it serves up.
The default Jenkins CSP allows 'self' for images and styles:
sandbox; default-src 'none'; img-src 'self'; style-src 'self';
'self' "allows loading resources from the same origin (same scheme, host and port)," according to content-security-policy.com.
The Clover reports include relative CSS and image links, and since they're relative, they use the same scheme, host, and port:
<link href="_css/bootstrap.min.css" rel="stylesheet" type="text/css">
In spite of this, Chrome rejects them:
Refused to load the stylesheet 'http://jnk.internal.example.com:8080/job/MyProject/lastStableBuild/cloverphp-html/_css/bootstrap.min.css' because it violates the following Content Security Policy directive: "style-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.
Safari refuses to load them with a similar error. Firefox, however, is just fine.
Why doesn't 'self' work, when the documentation I've read makes it sound like it should? Why does Firefox work when Chrome and Safari don't?

Chrome app content security policy issue

I'm trying to build a Chrome app that embeds YouTube content but am facing this error while using some scripts:
"Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."
I've followed the documentation as far as I could, tried looking around the web, and found out I needed to loosen the CSP. Here is my manifest.json:
{
...
"permissions": ["https://*.youtube.com"],
"content_security_policy": "script-src 'self' https://*.youtube.com; object-src 'self'"
}
but I still have the same error. What am I doing wrong?
You cannot override CSP for apps. The reference you found was for extensions.
Your options are limited to <webview> embedding and sandboxing.