Content Security Policy may block Plugin functionality #4283
Comments
|
It's look like the copy of the file didn't go well: map.php:1 The Content Security Policy directive 'default-src' contains 'img-src' as a source expression. Did you mean 'default-src ...; img-src...' (note the semicolon)? St @ web_worker.js:9 |
|
Actually, it sounds like your CSP isn't correct. I'm not sure how Cacti creates that at the moment without going off to review the code, did you add any of those elements? Did they come from the return code? |
|
No I didn't change the CSP rule manually, I juste use the feature that was introduced into the genral config. |
|
What browser? Recent one? The CSP rules are changing still inside of browsers. So, new browsers may require a modification to CSP rules, though I hope not. You should go into Debug mode on the browser, and locate the header and the SCP portion of the header and take a screen shot. Paste that here. |
|
Here it is: It's on firefox 60.3.0esr (64 bits) |
|
Wrong cut/past: |
|
Damn the copy of the CSP is interpreted by GitHub, so herre is it without the header info
|
|
So, we need to extend the |
TheWitness
added
enhancement
TheWitness
changed the title
Cacti Plugin Authors need to extend $alternates support to include 'worker-src' for services like Google Map API on newer browsers
|
Commit is in. Please test. |
|
Hmm not working, but wonder if the change has to be made on blob instead of worker-src: web_worker.js:9 Uncaught DOMException: Failed to construct 'Worker': Access to the script at 'blob:http://lslcact01.lausanne.ch/439696c9-05eb-4001-af68-3d5d5896a0a6' is denied by the document's Content Security Policy. |
|
Why is it closed ? |
netniV
added
confirmed
|
Sorry, that was done from a different screen with a whole bunch of other issues as it had the resolved status. |
|
Can you edit the worker-src and report back? |
|
Well to make it workI had to add 'blob:' in the list of 'Content-Security Alternate Source' |
|
Show me your CSP string. |
netniV
changed the title
|
Sorry for the delay I was out in vacation. So here is what I have on the web page: and here is what I add on the config of Cacti "Content-Security Alternate Source" : The "blob:" should'nt be here, nut that's the solution. |
|
@arno-st, you have to be more specific. Otherwise, this will not be addressed. |
|
Hello, more specific !! Ok I will try. In normal situation you put only domain or specific web site, but to be able to allow openstreetmap to work with all th eunfctionality I need I add to include the following option: And for me blob: is a specific command (like style-src or img-src, etc), so adding a few site give me this Contend-Security-Polcy As you can see the 'blob:' is added everywhere I'm not a security expert in contend-security-policy, and I don't know if it's fine to allow a 'blob:' to be added inside the configuration or not. |
|
Seems to me you can simply add the
So, I'm not sure we need to do anything. |
TheWitness
added
not a bug
|
Going to close this one due to lack of real clear direction. If adding |
I don't have the case number, but a while ago some modification where made to allow Cacti (the browser) to access some script from outside of the local server.
A field exit under config general to list the name of the destination.
So far so good, and It work's almost in all case.
I change my plugin to display a map using mapbox GL instead of mapbox JS, and it's not working anymore.
When I access this page from outside it's working,but not inside.
I try to add a few site to the allowed list:
unpkg.com *.mapbox.com *.googleapis.com *.cloudflare.com *.gstatic.com
but still the map won't dispaly.
File attached with the output I got on the console of the browser
Any solution here ? without having to tweek the coode on every update ?
thanks
Cacti 1.2.17
The text was updated successfully, but these errors were encountered: