When I use a content security policy and try to follow a process in Chrome 41 (beta) using window.URL.createObjectURL, I get an error like the following:
Refused to load plugin data from 'blob:http%3A//localhost%3A7000/f59612b8-c760-43a4-98cd-fe2a44648393' because it violates the following Content Security Policy directive: "object-src blob://*"
With a content security policy that restricts object-src (or, failing that, default-src), one can reproduce the issue (with jQuery for convenience) like this:
// A minimal PDF so the plugin has something to render
var blob = new Blob(
  ["%PDF-1.\ntrailer<</Root<</Pages<</Kids[<</MediaBox[0 0 3 3]>>]>>>>>>"],
  { type: "application/pdf" });
$("<embed>").attr("src", window.URL.createObjectURL(blob))
  .appendTo(document.body);
It seems from the spec that this should work, as it does for data://*. I have also tried blob, blob:, blob:*, blob:http*, blob:http:*, and blob:http://*, but to no avail.
What does work, but is undesirable for obvious reasons, is object-src *.
Has anyone had any success getting blobs to load with a content security policy? Is this a problem upstream, or have I overlooked something?
The spec-compliant answer is object-src 'self' blob:
blob: should only match blob: explicitly, and not 'self' or *. This is a bug in Chrome, and was recently fixed in Firefox 40.
I've come across a very bizarre situation where a hash is being ignored, despite it being present in the Content-Security-Policy.
This happened while installing Hotjar on our website, manually adding hashes for every inline script it uses, but it can presumably happen with any dynamically inserted inline script.
In the console error message below you can see that the required hash is present, but Chrome suggests that it needs to be added...
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-llX8ZkdD3suoiNrpE9mCatplNhRYmlKw' 'self' 'sha256-HRecKxp1fRukFUlrmQh3cAVyb/pNYtdWFGJ2EL5FzdE=' 'sha256-SvLgADqEePEV9RNxBrRQXSBJafFHcVNG7cPzHz6h9eA=' 'sha256-fGP7dUodgG1o2qqo7hPGqd+2FEE7z2Z4Xg5muj+XIOQ=' 'sha256-8hoDThJonkR/uDTFl5y8ugf9U3kcHPL2sq19iPFHTds=' 'sha256-ecMh1s2mivgxX0zzJbkamgAS7kPx+1EqcHz8Uz30i78=' 'sha256-Qv05/NsT/MWFR5NB3hDHRW9iI424uc8WpuRssGdOAsU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g=' 'sha256-qVlOiWrAwuIfu8+uHKHkgg4qBA7YOoSm8A0yB4LfrNw=' *.hotjar.com *.typekit.net".
But the remedy is to include a hash that's already present:
Either the 'unsafe-inline' keyword, a hash ('sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g='), or a nonce ('nonce-...') is required to enable inline execution.
The hash in the CSP and the one in the proposed solution are identical.
And here is the complete CSP:
Content-Security-Policy: default-src *; base-uri 'self'; img-src * data:; style-src 'nonce-{$nonce}' 'self' 'sha256-HRecKxp1fRukFUlrmQh3cAVyb/pNYtdWFGJ2EL5FzdE=' 'sha256-SvLgADqEePEV9RNxBrRQXSBJafFHcVNG7cPzHz6h9eA=' 'sha256-fGP7dUodgG1o2qqo7hPGqd+2FEE7z2Z4Xg5muj+XIOQ=' 'sha256-8hoDThJonkR/uDTFl5y8ugf9U3kcHPL2sq19iPFHTds=' 'sha256-ecMh1s2mivgxX0zzJbkamgAS7kPx+1EqcHz8Uz30i78=' 'sha256-Qv05/NsT/MWFR5NB3hDHRW9iI424uc8WpuRssGdOAsU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-S3EaMUkdpUGJFgSHH5d/29s3oD8/sutxvMfQoprfQ+g=' 'sha256-qVlOiWrAwuIfu8+uHKHkgg4qBA7YOoSm8A0yB4LfrNw=' *.hotjar.com *.typekit.net; script-src 'nonce-{$nonce}' 'self' 'sha256-A0/707MQdpfr/tR18VnYSk7JMJoUQSBURZEJa8wF6po=' 'sha256-1kpOd8fXCkigqXNekDPt+noalDB6YI+94YhtU3ETmvE=' *.hotjar.com *.googletagmanager.com *.universe.com *.google-analytics.com *.quantserve.com *.quantcount.com *.ads-twitter.com *.facebook.net analytics.twitter.com *.stripe.com polyfill.io *.queue-it.net *.amplitude.com; object-src 'none'; frame-ancestors 'self' *.queue-it.net
To replicate this, all you'd have to do is install Hotjar with the above CSP.
Is this a Chrome bug or have I missed something?
Here's a screenshot for anyone interested.
This issue is the same as "CSP header fails with "Refused to apply inline style..." but I have already added the hash".
You have either:
1. an inline event handler in the tag, like onclick='javascript_here', onload='js_handler()' etc., or
2. a javascript: navigation like <a href='javascript:...'>.
Chrome calculates hashes for those, but to allow this kind of inline script you also need to add the 'unsafe-hashes' token to script-src.
Note: Safari 12 does not support 'unsafe-hashes', so in case 1 it may be better to attach event handlers with addEventListener().
Google started throwing this message out of the blue:
"Content Security Policy of your site blocks the use of 'eval' in JavaScript"
I had no policy configured, so to test, I tried setting my CSP to (both in the HTML and in the web.config):
<add name="Content-Security-Policy" value="default-src *; style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.squareup.com/; report-uri /csp_report_parser;" />
I get nothing in the report and Google won't tell me the source:
How do I find the offending code?
Thanks!
Add the 'report-sample' token to the script-src directive. It sends a sample of the code that caused the violation (the first 40 characters); the line number is also sent (as I can see, you already use the violation-reports feature).
In the browser console you can see the function names (green arrow) and line number (blue arrow in the screenshot below) where the violation occurred.
The results of report-sample are underlined in red:
You can catch the SecurityPolicyViolation event in JavaScript; everything that is going to be sent in the violation report is accessible, including the line/column number.
"Google started throwing this message out of the blue:"
It could not be out of the blue. Maybe the default CSP rules were activated after a software upgrade, or you touched the settings.
Anyway, your CSP script-src 'self' 'unsafe-inline' 'unsafe-eval' allows eval expressions, so you have another CSP issued somewhere.
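An added example (mine, not the answerer's) of the event the answer mentions: a securitypolicyviolation listener that prints the source file, line, column and, when 'report-sample' is in the violated directive, the code sample, and rebuilds the same JSON body the browser would POST to report-uri. The '/csp_report_parser' path is taken from the question's header; the event object at the bottom is constructed so the formatting can be exercised outside a browser.

```javascript
// Convert the DOM event into the shape of a report-uri JSON body.
function violationToReport(ev) {
  return {
    'document-uri': ev.documentURI,
    'violated-directive': ev.violatedDirective,
    'effective-directive': ev.effectiveDirective,
    'blocked-uri': ev.blockedURI,         // "eval" for eval(), new Function(), setTimeout("...")
    'source-file': ev.sourceFile,
    'line-number': ev.lineNumber,
    'column-number': ev.columnNumber,
    'script-sample': ev.sample,           // first 40 chars; empty unless 'report-sample' is in the directive
    'disposition': ev.disposition,        // "enforce" or "report" (Content-Security-Policy-Report-Only)
    'original-policy': ev.originalPolicy,
  };
}

// eval-type violations have no URL to block; Chrome reports blockedURI "eval".
function isEvalViolation(ev) {
  return ev.blockedURI === 'eval' && /^script-src/.test(ev.effectiveDirective || '');
}

// One line per violation, with enough to open the offending file at the right spot.
function describeViolation(ev) {
  const where = ev.sourceFile
    ? `${ev.sourceFile}:${ev.lineNumber}:${ev.columnNumber}`
    : '(no source location)';
  const what = isEvalViolation(ev) ? 'eval-like call' : `load of ${ev.blockedURI || '(inline)'}`;
  const sample = ev.sample ? ` sample=${JSON.stringify(ev.sample)}` : '';
  return `CSP ${ev.disposition}: ${what} blocked by "${ev.violatedDirective}" at ${where}${sample}`;
}

// In the page: register before any other script so early violations are caught.
if (typeof document !== 'undefined') {
  document.addEventListener('securitypolicyviolation', ev => {
    console.warn(describeViolation(ev));
    // Optional self-reporting, e.g. while report-uri delivery is being debugged.
    if (typeof navigator !== 'undefined' && navigator.sendBeacon) {
      navigator.sendBeacon('/csp_report_parser',
        JSON.stringify({ 'csp-report': violationToReport(ev) }));
    }
  });
}

// Constructed event for running this outside a browser; the field names are the
// real SecurityPolicyViolationEvent properties.
const SAMPLE_EVENT = {
  documentURI: 'https://shop.example/checkout',
  violatedDirective: "script-src 'self' 'report-sample'",
  effectiveDirective: 'script-src',
  originalPolicy: "default-src *; script-src 'self' 'report-sample'",
  blockedURI: 'eval',
  sourceFile: 'https://shop.example/static/vendor.js',
  lineNumber: 1204,
  columnNumber: 17,
  sample: 'new Function("return this")()',
  disposition: 'enforce',
};
console.log(describeViolation(SAMPLE_EVENT));
```

Put the listener in the first script of <head>; a violation raised by an earlier script is not delivered to a listener registered later. For a third-party script that calls eval, the source file in the event is the one to report to the vendor.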
In the Google Chrome documentation I found that I can add a Content Security Policy to allow an external JavaScript file to work in my extension,
but I couldn't find how to add multiple ones. Is it an array of Strings?
"content_security_policy": "script-src 'self' https://example.com; object-src 'self'"
I tried putting multiple lines like that, but it doesn't work. It gives this error:
Refused to load the script https://example.com because it violates the following Content Security Policy directive: "script-src 'self' https://example.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
The CSP policy is a single string (containing a semicolon-separated list of directives and their arguments). It applies to all extension pages.
If you need a single policy with multiple sources, you can do that. In fact, you already have that: 'self' and https://example.com are two sources.
Read about CSP in general and the script-src directive, e.g. on MDN.
Syntax
One or more sources can be allowed for the script-src policy:
Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src <source> <source>;
So you just need to space-separate them between script-src and the semicolon.
Make sure that your sources do not contain paths.
E.g. https://example.com is OK, but https://example.com/ or https://example.com/script.js are not.
If you need multiple independent policies for different pages, I'm afraid you can't do that.
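An added example (my own code, not from any of the posts or from a browser) that serves both this answer and the blob: question at the top of the page: a small CSP source-list matcher. It implements the spec behaviour the first answer describes, namely that a blob: or data: URL is covered only by an explicit scheme source and by neither '*' nor 'self', that several sources are simply space-separated inside one directive, and that an unset directive falls back (script-src to default-src, frame-src to child-src to default-src) the way the "Note that 'x' was not explicitly set" messages quoted on this page say. It deliberately does not model Chrome 41's behaviour, path parts in host sources, nonces or hashes; a host source carrying a path is treated as no match here.

```javascript
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'connect-src': ['default-src'],
  'object-src': ['default-src'],
  'img-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};
const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self'; object-src blob:" -> Map { 'default-src' => ["'self'"], 'object-src' => ['blob:'] }
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources); // first one wins
  }
  return directives;
}

// Walk the fallback chain the "Note that 'x' was not explicitly set" messages describe.
function effectiveSources(directives, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (directives.has(name)) return { governedBy: name, sources: directives.get(name) };
  }
  return { governedBy: null, sources: null };   // nothing applies: the load is allowed
}

// A scheme source "http:" also covers https:, and "ws:" covers wss:.
function schemeCovers(source, scheme) {
  return source === scheme || (source === 'http:' && scheme === 'https:') || (source === 'ws:' && scheme === 'wss:');
}

function hostMatches(pattern, host) {
  if (pattern === '*') return host !== '';
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

// Does one source expression allow `url` for a document at `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'self'") return NETWORK_SCHEMES.has(url.protocol) && url.origin === page.origin;
  if (e === '*') return NETWORK_SCHEMES.has(url.protocol);     // '*' never covers blob:/data:/filesystem:
  if (e.startsWith("'")) return false;                          // 'none', 'unsafe-*', nonces, hashes: no URL matches
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeCovers(e, url.protocol);   // scheme source, e.g. "blob:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(e);  // [scheme://]host[:port]
  if (!m) return false;                                         // has a path or is malformed: out of scope here
  const [, scheme, host, port] = m;
  const wanted = scheme ? `${scheme}:` : page.protocol;         // a scheme-less host source inherits the page's scheme
  if (!NETWORK_SCHEMES.has(url.protocol) || !schemeCovers(wanted, url.protocol)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  return true;
}

// Mirror the browser's "Refused to load ..." decision for one fetch.
function isAllowed(policy, directive, urlString, pageUrl) {
  const { governedBy, sources } = effectiveSources(parsePolicy(policy), directive);
  if (!sources) return { allowed: true, governedBy: null };
  const url = new URL(urlString);
  const page = new URL(pageUrl);
  return { allowed: sources.some(s => sourceMatches(s, url, page)), governedBy };
}

// The cases from this page, with a constructed blob URL and page origin.
const BLOB = 'blob:http://localhost:7000/f59612b8-c760-43a4-98cd-fe2a44648393';
const PAGE = 'http://localhost:7000/';
for (const policy of ["object-src blob://*", "object-src *", "default-src 'self'", "object-src 'self' blob:"]) {
  console.log(policy.padEnd(26), JSON.stringify(isAllowed(policy, 'object-src', BLOB, PAGE)));
}
```

The first three policies report the blob: URL as blocked (the third via default-src fallback) and only "object-src 'self' blob:" allows it. The same function answers the extension question: "script-src 'self' https://example.com" allows https://example.com/app.js because the two space-separated sources are tried in turn.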
I have registered a bot and it was working fine until yesterday. All of a sudden my Chrome browser refused to load my web chat control of MS Bot Framework. When I checked the console, it showed that the following policies are restricting the iframe from loading the URL. I tried adding meta tags but it didn't help.
Refused to frame 'https://webchat.botframework.com/embed/DiPA_BOT?s=xxxxxxxxxxxxxxxx' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.mydomain.com". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Also this:
botchat.js:34449 Refused to connect to 'https://directline.botframework.com/v3/directline/conversations' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.accenture.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
I found out why Chrome refused to frame/load the Direct Line call and am posting it here; it may help someone like me.
In my IIS server, in the HTTP headers section, I saw a Content-Security-Policy header. After disabling it, my bot calls work fine.
I'm trying to build a Chrome app that embeds YouTube content, but I'm facing this error while using some scripts:
"Refused to load the script 'https://www.youtube.com/iframe_api' because it violates the following Content Security Policy directive: "default-src 'self' chrome-extension-resource:". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."
I've followed the documentation and looked around the web, and found out I needed to loosen the CSP. Here is my manifest.json:
{
  ...
  "permissions": ["https://*.youtube.com"],
  "content_security_policy": "script-src 'self' https://*.youtube.com; object-src 'self'"
}
But I still have the same error. What am I doing wrong?
You cannot override CSP for apps. The reference you found was for extensions.
Your options are limited to <webview> embedding and sandboxing.