I am trying to implement Single Sign Out using idsvr 3, I have two client apps (a MVC 5 and an asp.net core) both registered as clients and logging in works perfect
MVC 5 - Client A Asp.NET core - Client B
When both apps are logged in and i click on the log out link on Client B , Client A is logged out successfully. But on vice versa (Logging out of Client A first) Client B is not logged out. On checking on the browser's (Chrome Version 56.0.2924.87) console i get the following error
Refused to frame
'https:/client_B/myDomain/Signout_oidc/?sid=2adc40bd3ae432a81671118b09a'
because it violates the following Content Security Policy directive:
"frame-src 'self' https:/client_B.myDomain https:/client_A.myDomain".
How can I resolve this?
Try to add below code to your IdentityServerOptions instance.
CspOptions = new CspOptions
{
FrameSrc = "*"
}
More information how to configure CSP in IdvSrv3 in the documentation:
IdentityServer3 > CSP
IdentityServer Options
Thanks #Damian, I found where the issue was.
Issue was with client A URL, it had an underscore () character in it. In some way that violated a CSP rule or something else. Removing the '' character in the url solved the problem.
Related
I am currently using the FLASK developer HTTP server, and I am trying to build a local service (run on localhost) that serves files for a remote visualization website.
Here is the code for the python side
#app.route('/task/<path:path>', methods=['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'TRACE', 'PATCH'])
def static_file1(path):
p = "./task/" + path
return flask.send_file(p, conditional=True)
For safari, it just works like a charm.
As this screenshot indicates, flask development http server can serve files partially.
However, it didn't work for firefox for one request but not for the other.
And here are the headers for the first failed request
Successful request header
So I do believe the CORS header (Access-Control-Allow-Origin) is set correctly, otherwise the second request would fail.
Then what did I do incorrectly?
Second part:
It also doesn't work in Chrome, both requests failed, but I found the article below explaining new security features:
https://developer.chrome.com/blog/private-network-access-preflight/#:~:text=%23%20What%20is%20Private%20Network%20Access,to%20make%20private%20network%20requests.
But even with "Access-Control-Allow-Private-Network" set to "true" (See screenshot above), both requests still failed in chrome. And error msg:
Access to XMLHttpRequest at 'http://localhost:10981/task/a5c8616777d000499ff0cd5dbb02c957/datahub.json' from origin 'https://somepublic.website' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
Any suggestion would be helpful!
Thanks!
Update 1:
After enabling ad-hoc SSL context (unsigned certificate) on the flask side, and using https on both localhost and "the public website", and changing the "#allow-insecure-localhost" flag in chrome to true, it works in chrome now. But still doesn't in firefox.
If you check the specification you will see that it is a "Draft Community Group Report" and
This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.
The contribute list is made up entirely of people working for Google.
I can't find any mention of it in Firefox's bug tracker.
It looks like this is a highly experimental specification, which Firefox simple doesn't implement.
There doesn't appear to be any way to persuade Firefox to provide access from a secure, public Oritin to an insecure private origin.
I keep on getting this error the moment I enabled error messaging in Django. I research about it. This binance thingy is about bitcoin and it is not related to what I'm doing.
Is this an attack that's trying to check/access my Django Web app?
Invalid HTTP_HOST header: 'api.binance.com'. You may need to add 'api.binance.com' to ALLOWED_HOSTS.
Report at /api/v1/time
Invalid HTTP_HOST header: 'api.binance.com'. You may need to add 'api.binance.com' to ALLOWED_HOSTS.
Request Method: GET
I check the api.binance.com. It is like an api and it says "ok"
What's your thought about this?
This is issue just means that external device on the internet is trying to connect on Django however since the the URL " api.binance.com" is not on the allowed list on Django settings.
It is giving error only when you enable the debugging to sent on your email.
What am I doing ?
I wrote a script that runs every 1 second and sends a POST request with some data to a server which is running locally. Since the page that I am trying this on has some response headers attached to it (CSP headers). Therefore, the request is unable to proceed to CSP policy in chrome.
Here is the error I get
Refused to connect to 'https://domain.in/api/users' because it
violates the following Content Security Policy directive: "connect-src
'self' https://.whatsapp.net https://www.facebook.com
https://.giphy.com https://.tenor.co blob:
https://crashlogs.whatsapp.net/wa_clb_data
https://crashlogs.whatsapp.net/wa_fls_upload_check
https://www.bingapis.com/api/v6/images/search
https://.google-analytics.com wss://*.web.whatsapp.com
wss://web.whatsapp.com https://dyn.web.whatsapp.com"
What I want ?
Since I am just testing few things, I can bear an insecure environment by disabling the CSP in chrome. So please tell me how to do that ?
What have I tried/read so far ?
I have tried searching for this online and even some of the questions on SO but none of them gave a satisfying and completely working example. Some have suggested using this plugin but I can't see it working in my case.
Please suggest all that you can.
Using the Disable CSP plugin actually works but it fails sometimes. This may be because the server sends the CSP header as soon as the connection between the client and server completes. I needed to toggle this plugin just before that for it to work.
That is how I got it working.
I am trying to get user photos out of Microsoft Exchange using the GetUserPhoto REST request documented here: https://msdn.microsoft.com/en-us/library/office/jj190905%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
My problem is no matter what I do the connection gets closed automatically and it can't authenticate using NTLM. Microsoft even provides code but when you run this in a IIS web application even if it is using an application pool running as a domain user, it never can authenticate.
This is my current code that isn't working:
request = System.Net.WebRequest.Create($"https://{Settings.ExchangeServer}/ews/exchange.asmx/s/GetUserPhoto?email={primarySmtpAddress}&size=HR240x240") as System.Net.HttpWebRequest;
request.ServerCertificateValidationCallback = delegate { return true; };
request.UseDefaultCredentials = true;
resp = request.GetResponse() as System.Net.HttpWebResponse;
Now I can put this in a console application and run it and then it works. But in IIS it just won't work at all. I've even tried RestSharp with no luck.
Sounds like a delegation issue eg the credentials your impersonating can only be used to access resources local to the IIS server they are being impersonated on. For you to access Exchange you need to have delegation configured correctly see https://blogs.msdn.microsoft.com/emeamsgdev/2012/11/05/ews-from-a-web-application-using-windows-authentication-and-impersonation/
The problem was it wasn't trying to connect with TLS 1.2. Once it clicked in my head, the error message was saying the connection closed and not actually returning a 401. I user ServiceManager to set it to TLS1.2 and then it started working.
Glen Scales help point me in the right direction though to troubleshoot it further.
My app successfully integrates the Google Maps JS API/Google Places API Web Service to create a few Autocomplete dropdowns. I have my google api browser key set up so development (localhost), staging, and production urls work. However, on any page this service is utilized, acceptance tests (using 127.0.0.1) break. For example:
Capybara::Poltergeist::JavascriptError:
One or more errors were raised in the Javascript code on the page. If you don't care about these errors, you can ignore them by setting js_errors: false in your Poltergeist configuration (see documentation for details).
Google Maps API error: RefererNotAllowedMapError https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error
Your site URL to be authorized: http://127.0.0.1:52724/clients/3
Google Maps API error: RefererNotAllowedMapError https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error
Your site URL to be authorized: http://127.0.0.1:52724/clients/3
at https://maps.googleapis.com/maps/api/js?v=3.exp&key=(my_browser_key)&signed_in=true&libraries=places:34 in hb
I've tried adding different 127.0.0.1 configurations into my Browser Key credentials that haven't worked, such as:
http://127.0.0.1:* , */127* , and */127.0.0.1:\d\d\d\d\d/*
That last one looks funny because every new run of my test suite generates 5 random digits after 127.0.0.1:, as seen in the error above.
*I don't want to ignore JS errors by changing my poltergeist config as mentioned in the error. With that said, I am NOT actually using the service on any of these acceptance tests. I don't want to test google functionality, I want to test the custom functionality surrounding these dropdowns.
Was able to circumnavigate this by setting the app_host and server_port directly into my Capybara config. Thanks to the accepted answer here. I added this to my spec_helper file:
def set_host(host)
default_url_options[:host] = host
Capybara.app_host = "http://" + host
end
RSpec.configure do |config|
config.before(:each) do
Capybara.current_driver = :poltergeist
Capybara.javascript_driver = :poltergeist
set_host("127.0.0.1:30111")
Capybara.server_port = 30111
end
end
Then I specified this exact server_port in my Google API key credentials. Acceptance tests now pass.
UPDATE:
It seems that Google's instructions are just out of date and incomplete (sigh). After more experimentation, simply 127.0.0.1 without any * or / does the job.
The above solution works as well.