In this webapp, I embed an external script with the app.htmlHeader property. The app has run for two years without any problems; only since today have these issues occurred.
Here is the error log from the console:
[quote]Refused to load the stylesheet ‘http://dev.s-via.de/via/CSS/css_custom.css’ because it violates the following Content Security Policy directive: “default-src ‘self’”. Note that ‘style-src’ was not explicitly set, so ‘default-src’ is used as a fallback.
[/quote]
And this
→ This error links to the cgi-script for example to this:
Do you host the app yourself or is it hosted? As far as I understand the link from html5rocks you are loading a style sheet from somewhere which you shouldn’t do.
Is dev.s-via.de the server where you are hosting your app? If not, you would probably have to include that domain in the allowed CSP definition. At the moment it refuses to load that because only self (the server hosting your app) is allowed.
If it is your server, maybe try to change the reference to the css as a relative path instead of a full path.
Having read the references, I’m guessing that Dirk’s comment is right on the money. Have you (or your provider) pushed out any server updates recently? Specifically to httpd?
The only other thing I can think of is… Have you updated your browser recently?
You should look at your server’s web server config though. If this header has been added, you can probably mitigate while still reporting the problems to yourself by changing to a report-only mode, and direct it at your app through HandleUrl or HandleSpecialUrl:
[quote][h]Report-Only[/h]
If you're just starting out with CSP, it makes sense to evaluate the current state of your application before rolling out a draconian policy to your users. As a stepping stone to a complete deployment, you can ask the browser to monitor a policy, reporting violations, but not enforcing the restrictions. Instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header.[/quote]
That said, the Xojo web framework currently relies on a number of the capabilities which are restricted by CSP, so we’ll need to update the framework itself to support this.
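The fallback rule from the console message above (no style-src, so default-src 'self' decides) and the Report-Only behaviour from the quote, worked through as an added example that is not from this thread or from Xojo: a small policy checker that reproduces the blocked stylesheet case and shows the header that would permit it. The app origin https://myapp.example and the header values are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed headers: the enforced policy from the console message, and a
# variant that explicitly allows the CSS host (hypothetical, not from the thread).
ENFORCED = "default-src 'self'"
ALLOW_CSS_HOST = "default-src 'self'; style-src 'self' http://dev.s-via.de"

def parse_csp(header):
    """Parse "name src src; name src" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing a fetch directive; falls back to default-src
    when the directive is absent, exactly as the browser message describes."""
    if directive in policy:
        return policy[directive], directive
    return policy.get("default-src", []), "default-src"

def source_matches(source, resource, page_origin):
    """Match one source expression ('self', 'none', *, or host-source)."""
    r, p = urlparse(resource), urlparse(page_origin)
    if source == "'self'":
        return (r.scheme, r.hostname, r.port) == (p.scheme, p.hostname, p.port)
    if source == "'none'":
        return False
    if source == "*":
        return True
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != r.scheme:        # scheme given must match
        return False
    if s.hostname.startswith("*."):              # wildcard subdomain
        return r.hostname.endswith(s.hostname[1:])
    return s.hostname == r.hostname

def check_load(header, directive, resource, page_origin, report_only=False):
    """'allowed', 'blocked' or (Report-Only header) 'reported' but still loaded;
    appends the fallback note when default-src decided the outcome."""
    sources, used = effective_sources(parse_csp(header), directive)
    if any(source_matches(s, resource, page_origin) for s in sources):
        return "allowed"
    note = ""
    if used != directive:
        note = f" (note: '{directive}' not set, '{used}' used as fallback)"
    return ("reported" if report_only else "blocked") + note
```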
It could be a DNS problem… web servers with multiple A or CNAME records return any or the first name when queried. This tends to happen often when CDNs like CloudFlare are used. DNS would be my first place to search.