Content Security Policy for P2 embedded content #2067

Closed
systemed opened this issue Nov 19, 2018 · 4 comments

Comments

@systemed
Contributor

Opening P2 in Safari 12 currently borks with these errors in the console:

[Error] Refused to connect to https://osmlab.github.io/crossdomain.xml because it does not appear in the connect-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (crossdomain.xml, line 0)
[Error] Refused to connect to https://gravitystorm.dev.openstreetmap.org/cnxc-snapshot/crossdomain.xml because it does not appear in the connect-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (crossdomain.xml, line 0)
[Error] Refused to connect to https://fpdownload.adobe.com/pub/swz/crossdomain.xml because it does not appear in the connect-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (crossdomain.xml, line 0)
[Error] Refused to connect to https://fpdownload.adobe.com/pub/swz/crossdomain.xml because it does not appear in the connect-src directive of the Content Security Policy.
[Error] Failed to load resource: Blocked by Content Security Policy. (crossdomain.xml, line 0)

gravitystorm.dev.openstreetmap.org/cnxc-snapshot/ is currently erroring anyway (and fairly ancient history) so I should probably remove it, but the others are more important, particularly the imagery index. Is this something that could be added to the CSP for osm.org?

@tomhughes
Member

I suspect this is Safari being weird/different because it works fine in Firefox.

I think that in Firefox everything Flash does is matched against the object_src rule, because it doesn't really know what a plugin is planning to use the resource for, but maybe Safari is matching against connect_src instead?

@systemed
Contributor Author

It's fine in Safari 10 too (and I think it was in 11, but don't recall). I haven't found any relevant, Flash-specific bug reports for Safari 12.

@tomhughes
Member

Confirmed that Firefox is matching that against object_src, as I get the same errors if I restrict that.

@tomhughes
Member

By the way, lots of the imagery is trying to load over http and being rejected because Firefox can't tell it's passive, so it treats it all as active and blocks it.
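Added example (mine, not code from this thread or from the openstreetmap-website project): a small CSP evaluator that shows why the same crossdomain.xml fetch passes when a browser matches it against object-src and fails when it is matched against connect-src, which is the Firefox/Safari difference discussed above. The policy string, the page origin and every hostname not taken from the console log are constructed for the demo.

```python
from urllib.parse import urlparse

# Constructed policy for this demo, NOT osm.org's real CSP. Directive names use the real
# CSP spelling (connect-src / object-src) rather than the underscored form in the thread.
POLICY = ("default-src 'self'; connect-src 'self' https://api.example.org; "
          "object-src 'self' https://osmlab.github.io https://fpdownload.adobe.com")
PAGE_ORIGIN = "https://www.example.org"  # assumed origin of the page embedding P2

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified source-expression matching: 'none', *, 'self', scheme:, [scheme://]host[/path]."""
    u = urlparse(url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source.endswith(":") and "/" not in source:  # scheme source, e.g. https:
        return u.scheme == source[:-1]
    s = urlparse(source if "://" in source else "//" + source)
    if s.scheme and not (s.scheme == u.scheme or (s.scheme, u.scheme) == ("http", "https")):
        return False  # an http source also matches its https upgrade, nothing else
    host_ok = (u.hostname.endswith(s.hostname[1:]) if s.hostname.startswith("*.")
               else u.hostname == s.hostname)
    return host_ok and (not s.path or u.path.startswith(s.path))

def allowed_by(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Evaluate a fetch against one directive, falling back to default-src as CSP does."""
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    return any(source_matches(s, url, page_origin) for s in sources)

def plugin_fetch_verdict(url, header=POLICY):
    """Firefox consults object-src for plugin-initiated loads, Safari 12 (per this issue) connect-src."""
    policy = parse_csp(header)
    return {d: allowed_by(policy, d, url) for d in ("object-src", "connect-src")}

if __name__ == "__main__":
    url = "https://osmlab.github.io/crossdomain.xml"
    print(url, plugin_fetch_verdict(url))  # {'object-src': True, 'connect-src': False}
```

Adding the plugin hosts to connect-src as well as object-src is what makes the verdict agree across both interpretations; the http imagery case is separate, since an https source never matches an http URL here either.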
