HELP!!! Content-Security-Policy

Hi,

since today, I cannot launch one of my webapps.

In this webapp, I embed an external script with the app.htmlHeader property. The app has been running for two years without any problems; only since today have these issues occurred.

Here is the Error-Log from the console:

[quote]Refused to load the stylesheet ‘http://dev.s-via.de/via/CSS/css_custom.css’ because it violates the following Content Security Policy directive: “default-src ‘self’”. Note that ‘style-src’ was not explicitly set, so ‘default-src’ is used as a fallback.
[/quote]

And this

→ This error links to the cgi-script, for example to this:

<body style="margin: 0px;" onload="Xojo.begin('E835FD53E39536C140029B2F2C8C973C')" onorientationchange="Xojo.view.sizing.rotated()">

or this

<p style="margin-top: 0px;">This application has encountered an error and cannot continue.</p>

Have you googled the problem? See http://www.html5rocks.com/en/tutorials/security/content-security-policy/ for instance.

Yes, but I don’t understand why this is happening right now. I made no changes to the app or the server…

  1. You were lucky before.
  2. The wind direction has changed.
  3. Fastnacht is over.

Do you host the app yourself or is it hosted? As far as I understand the link from html5rocks you are loading a style sheet from somewhere which you shouldn’t do.

      1. This is no answer :smiley: - there must be a reason!

Yes, I’m hosting my app myself.

The link doesn’t describe very much.

It’s true, I do load external resources (CSS and JS scripts), but the error also occurs on Xojo-internal code lines (like in my example above).

So this error can’t be related to the same-origin policy, because it’s the same origin as the app.

Might it be that your hosting provider changed the apache settings?
For instance by including something like this:
https://github.com/h5bp/server-configs-apache/blob/master/src/security/content-security-policy.conf

Is dev.s-via.de the server where you are hosting your app? If not, you would probably have to include that domain in the allowed CSP definition. At the moment it refuses to load that because only self (the server hosting your app) is allowed.
If it is your server, maybe try to change the reference to the css as a relative path instead of a full path.
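The two suggestions above (the provider may have pushed a header such as `default-src 'self'`; either name the external domain in the policy or reference the stylesheet by a relative path) can be checked against a small model of how the browser applies a CSP header. The following is an added example, not code from the thread or from Xojo. The app origin `https://app.example` is an assumption; the stylesheet URL and the policy `default-src 'self'` are the ones quoted in the error above. The functions `parsePolicy`, `sourceMatches` and `checkRequest` are this example's own, written to reproduce the fallback rule the console message describes (`style-src` absent, so `default-src` applies).

```javascript
// Added example, not code from the thread or from Xojo: a small model of how a
// browser applies a Content-Security-Policy header to a resource load. It
// reproduces the fallback rule quoted in the console message above ("'style-src'
// was not explicitly set, so 'default-src' is used as a fallback"). The app origin
// https://app.example is an assumption; the stylesheet URL and the policy
// "default-src 'self'" are the ones from the thread.

// Parse a CSP header value into a Map: directive name -> list of source expressions.
// Keywords are case-insensitive, so everything is lower-cased (nonce/hash sources
// are out of scope for this model).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Fetch directives (style-src, script-src, ...) fall back to default-src when
// absent; if neither is present the load is unrestricted.
function effectiveDirective(policy, wanted) {
  if (policy.has(wanted)) return wanted;
  if (policy.has("default-src")) return "default-src";
  return null;
}

// Match one source expression against a request. Inline styles and inline event
// handlers match only 'unsafe-inline'; URLs are resolved against the page origin,
// which is why a relative path always satisfies 'self'.
function sourceMatches(source, request, pageOrigin) {
  if (request.inline) return source === "'unsafe-inline'";
  const target = new URL(request.url, pageOrigin);
  const targetOrigin = `${target.protocol}//${target.host}`;
  if (source === "'self'") return targetOrigin === pageOrigin;
  if (source === "*") return true;
  if (source.endsWith(":")) return target.protocol === source; // scheme-source, e.g. "https:"
  if (source.startsWith("'")) return false;                     // other keywords never match a URL
  // host-source: "host", "scheme://host" or "*.host"; without a scheme the page's scheme applies
  const pageScheme = new URL(pageOrigin).protocol;
  const [scheme, host] = source.includes("://") ? source.split("://") : [pageScheme.slice(0, -1), source];
  if (`${scheme}:` !== target.protocol) return false;
  if (host.startsWith("*.")) return target.host.endsWith(host.slice(1));
  return target.host === host;
}

// Decide whether the browser loads the request, and report which directive decided
// it and whether that directive was the default-src fallback, as the console does.
function checkRequest(header, pageOrigin, request) {
  const policy = parsePolicy(header);
  const wanted = `${request.type}-src`;
  const directive = effectiveDirective(policy, wanted);
  if (directive === null) return { allowed: true, directive: null, fallback: false };
  const allowed = policy.get(directive).some((src) => sourceMatches(src, request, pageOrigin));
  return { allowed, directive, fallback: directive !== wanted };
}

// Constructed scenario following the thread.
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the Xojo app
const PROVIDER_POLICY = "default-src 'self'"; // the policy named in the quoted error
// Corrected policy: name the external CSS host explicitly and permit the inline
// style="..." and onload="..." attributes the Xojo-generated page uses.
// 'unsafe-inline' is the weak part; it is only needed because the framework emits
// inline attributes rather than nonced or hashed blocks.
const FIXED_POLICY =
  "default-src 'self'; style-src 'self' http://dev.s-via.de 'unsafe-inline'; script-src 'self' 'unsafe-inline'";

const REQUESTS = [
  { name: "external stylesheet", type: "style", url: "http://dev.s-via.de/via/CSS/css_custom.css" },
  { name: "same stylesheet via relative path", type: "style", url: "/via/CSS/css_custom.css" },
  { name: "inline style attribute", type: "style", inline: true },
  { name: "inline onload handler", type: "script", inline: true },
];

function evaluateAll(header) {
  return REQUESTS.map((r) => ({ name: r.name, ...checkRequest(header, PAGE_ORIGIN, r) }));
}

for (const header of [PROVIDER_POLICY, FIXED_POLICY]) {
  console.log(`Policy: ${header}`);
  for (const row of evaluateAll(header)) {
    const verdict = row.allowed ? "loaded" : `REFUSED by ${row.directive}${row.fallback ? " (fallback)" : ""}`;
    console.log(`  ${row.name}: ${verdict}`);
  }
}
```

Under the provider's `default-src 'self'` the model refuses the cross-origin stylesheet and both inline attributes via the `default-src` fallback, while the same stylesheet addressed by a relative path loads. Under the corrected policy everything loads, but only because of `'unsafe-inline'`, which is the setting to get rid of once the framework can emit nonces. To see which header the live server actually sends, `curl -sI https://your-app/ | grep -i content-security-policy` is the quickest check.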

Having read the references, I’m guessing that Dirk’s comment is right on the money. Have you (or your provider) pushed out any server updates recently? Specifically to httpd?

The only other thing I can think of is… Have you updated your browser recently?

You should look at your server’s web server config though. If this header has been added, you can probably mitigate while still reporting the problems to yourself by changing to a report-only mode, and direct it at your app through HandleUrl or HandleSpecialUrl:

[quote][h]Report-Only[/h]

If you’re just starting out with CSP, it makes sense to evaluate the current state of your application before rolling out a draconian policy to your users. As a stepping stone to a complete deployment, you can ask the browser to monitor a policy, reporting violations, but not enforcing the restrictions. Instead of sending a Content-Security-Policy header, send a Content-Security-Policy-Report-Only header.[/quote]

That said, the Xojo web framework currently relies on a number of the capabilities which are restricted by CSP, so we’ll need to update the framework itself to support this.
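The report-only approach described above only helps if something receives the reports. The following is an added example, not code from the thread or from Xojo, of the receiving side: with `Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report`, the browser POSTs a JSON body containing a `csp-report` object to that path, and the handler validates it, aggregates the violations and derives the source expressions the policy is missing. The path `/csp-report`, the document URL and all sample bodies are constructed; in Xojo the equivalent would sit in whatever HandleSpecialURL route serves that path. The functions `parseCspReport`, `summarize` and `suggestedSources` are this example's own.

```javascript
// Added example, not code from the thread or from Xojo: the receiving side of
// Content-Security-Policy-Report-Only. The browser POSTs a JSON body with a
// "csp-report" object to the report-uri. The path /csp-report, the document URL
// and the sample bodies below are constructed.

// The endpoint is unauthenticated and its input is attacker-controllable, so it
// caps the body size and only accepts the fields it actually uses.
const MAX_BODY_BYTES = 16 * 1024;
const REQUIRED_FIELDS = ["document-uri", "violated-directive", "blocked-uri", "original-policy"];

// blocked-uri is either a keyword ("inline", "eval", "self", ...) or a URL. URLs
// are reduced to their origin, the granularity at which CSP source lists work.
function normalizeBlockedUri(value) {
  if (!value.includes(":")) return value;
  try {
    const u = new URL(value);
    return u.host ? `${u.protocol}//${u.host}` : u.protocol; // "data:" has no host
  } catch {
    return "invalid";
  }
}

// Validate one report body; returns null for anything malformed.
function parseCspReport(body) {
  if (typeof body !== "string" || body.length > MAX_BODY_BYTES) return null;
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  const r = parsed && typeof parsed === "object" ? parsed["csp-report"] : null;
  if (!r || typeof r !== "object") return null;
  for (const key of REQUIRED_FIELDS) if (typeof r[key] !== "string") return null;
  // Newer browsers send effective-directive; older reports only carry
  // violated-directive, which may include the source list, so keep the name only.
  const directiveField = typeof r["effective-directive"] === "string" ? r["effective-directive"] : r["violated-directive"];
  return {
    document: r["document-uri"].slice(0, 2048),
    directive: directiveField.split(/\s+/)[0],
    blocked: normalizeBlockedUri(r["blocked-uri"]),
    policy: r["original-policy"].slice(0, 4096),
  };
}

// Count violations per (directive, blocked origin) across many received bodies.
function summarize(bodies) {
  const counts = new Map();
  let rejected = 0;
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (report === null) { rejected += 1; continue; }
    const key = `${report.directive} ${report.blocked}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return { counts, rejected };
}

// Turn the counts into the source expressions each directive would need. These are
// candidates for review, not something to paste blindly into the policy:
// 'unsafe-inline' in particular re-opens the XSS vectors CSP is meant to close.
function suggestedSources(summary) {
  const byDirective = new Map();
  for (const key of summary.counts.keys()) {
    const [directive, blocked] = key.split(" ");
    const source = blocked === "inline" ? "'unsafe-inline'" : blocked === "eval" ? "'unsafe-eval'" : blocked;
    if (!byDirective.has(directive)) byDirective.set(directive, new Set());
    byDirective.get(directive).add(source);
  }
  return byDirective;
}

// Constructed sample bodies: the stylesheet violation from the thread, two inline
// style attributes, one inline onload handler, and two junk requests.
function makeReport(directive, blockedUri) {
  return JSON.stringify({
    "csp-report": {
      "document-uri": "https://app.example/cgi-bin/via.cgi",
      "violated-directive": directive,
      "effective-directive": directive,
      "original-policy": "default-src 'self'; report-uri /csp-report",
      "blocked-uri": blockedUri,
    },
  });
}
const SAMPLE_BODIES = [
  makeReport("style-src", "http://dev.s-via.de/via/CSS/css_custom.css"),
  makeReport("style-src", "inline"),
  makeReport("style-src", "inline"),
  makeReport("script-src", "inline"),
  "not json at all",
  JSON.stringify({ "csp-report": { "blocked-uri": 42 } }),
];

const summary = summarize(SAMPLE_BODIES);
console.log(`rejected: ${summary.rejected}`);
for (const [directive, sources] of suggestedSources(summary)) {
  console.log(`${directive} needs: ${[...sources].join(" ")}`);
}
```

Run against the constructed bodies, the summary rejects the two junk requests and reports that `style-src` needs `http://dev.s-via.de` and `'unsafe-inline'`, while `script-src` needs `'unsafe-inline'`, which is exactly the inline `style` and `onload` attributes in the generated markup quoted at the top of the thread. Keep the handler's own response minimal (an empty 204) and never reflect report contents back into a page; the endpoint is reachable by anyone who can reach the app.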

It could be a DNS problem… web servers with multiple A or CNAME records return any or the first name when queried. This tends to happen often when CDNs like CloudFlare are used. DNS would be my first place to search.

I solved the problem by reverting the server to a backup.
The source of the issue is still unknown. Strange.

Thanks for your help!