[CLOSED] enabling Content-Security-Policy causes errors in loading scripts



RCM
Mar 02, 2017, 5:39 PM
I am getting the following errors when Chrome tries to load/evaluate the Ext dynamic JavaScript files.

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src https: http:". Either the 'unsafe-inline' keyword, a hash ('sha256-cUtUA2GBdi4dtncTW7Pr5W2p1T9OmZosgcgFNgCzPx0='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18
fireDocReady @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18
onReadyEvent @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18


Refused to apply inline style because it violates the following Content Security Policy directive: "default-src https: http:". Either the 'unsafe-inline' keyword, a hash ('sha256-fFRHI5PNmrz9bPtAXUqdfDkfYAkipB2P2SyE1YJJrZc='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18
fireDocReady @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18
onReadyEvent @ WebResource.axd?d=L0mxpAjwYlGvMJDaFVU-6ixI4xFFQOHpU_QE6HPajUhxndKhBxEIdqifio1RHHYttc2qUU mRGjss9QemY…:18


Do I need to enable safe in-script in the CSP, or do you know of any other way to get past this issue?

fabricio.murta
Mar 02, 2017, 8:27 PM
Hello @RCM!

According to this website: https://content-security-policy.com/

This directive is not fully supported by all major current browsers, although IE11 is on the verge of deprecation. So we can't just enforce this in Ext.NET by default.

If you are manually enabling this mechanism in your website you should also allow the scripts to load. The website above shows examples on how to set up a website to work with this technology and specify which addresses it is allowed to load scripts from.

You should follow the error messages you are getting and add exceptions for the path of the Ext.NET dynamic scripts so that they can load. Probably an exception for the WebResource.axd and ext.axd should do.

Hope this helps!

EDIT: just for the record, the best literature for this concept is probably here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
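
The fallback rule that the console errors in this thread describe, as an added example that is not part of the original posts or of Ext.NET: a small Node.js check that resolves which directive governs an inline `<style>` block and whether a hash, a nonce or 'unsafe-inline' would let it through. `SAMPLE_CSS` and the function names are constructed for illustration, and only sha256 hashes on `<style>` elements are modelled.

```javascript
const crypto = require('crypto');

// Policy quoted in the console errors above.
const PAGE_POLICY = 'default-src https: http:';
// Constructed sample rule standing in for a style the framework injects.
const SAMPLE_CSS = '.x-sample { visibility: hidden; }';

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Source expression matching one exact inline <style> text.
function styleHash(cssText) {
  const digest = crypto.createHash('sha256').update(cssText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Would an inline <style> block with this text (and optional nonce) be applied?
function checkInlineStyle(header, cssText, nonce) {
  const policy = parseCsp(header);
  // style-src falls back to default-src when it is not explicitly set.
  const directive = ['style-src', 'default-src'].find((d) => policy.has(d)) || null;
  if (!directive) return { allowed: true, directive, reason: 'no directive applies' };
  const sources = policy.get(directive);
  const verdict = (allowed, reason) => ({ allowed, directive, reason });
  if (sources.includes(styleHash(cssText))) return verdict(true, 'hash');
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return verdict(true, 'nonce');
  // 'unsafe-inline' is ignored once the list carries any nonce or hash source.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && !strict) return verdict(true, 'unsafe-inline');
  return verdict(false, 'blocked');
}

console.log(checkInlineStyle(PAGE_POLICY, SAMPLE_CSS));
console.log(checkInlineStyle(`${PAGE_POLICY}; style-src 'self' ${styleHash(SAMPLE_CSS)}`, SAMPLE_CSS));
```

A hash source admits one exact style text, so a policy built this way needs one entry per distinct inline block, whereas 'unsafe-inline' admits every inline style on the page.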

fabricio.murta
Mar 24, 2017, 3:53 PM
Hello @RCM!

It's been some days since we last replied to your inquiry and we have had no feedback from you until now. Do you still need help with this issue?

If you don't reply in 7+ days, we may be marking this thread as closed -- but you will still be able to post here at any time.