Content security policy error log in UI #6701

Closed
mobyvb opened this issue Jan 18, 2024 · 9 comments

@mobyvb
Member

mobyvb commented Jan 18, 2024

image

This issue appears in unclear conditions. See conversation below for details.

AC:

  • there are no content security policy issues in the UI in any browser
@VitaliiShpital
Member

CSP error is thrown only on auth pages i.e. login, signup or forgot-password. Also, this error is thrown on v1 app auth pages too. I suspect it's related to hcaptcha

@mobyvb
Member Author

mobyvb commented Jan 18, 2024

@VitaliiShpital https://satellite.qa.storj.io/login does not show this error but https://satellite.qa.storj.io/v2/login does
@andriikotko also mentioned that this error was not present in previous releases

@mobyvb
Member Author

mobyvb commented Jan 18, 2024

Commenting here that this behavior is not consistent. Vitalii was right that in certain situations, this issue is present in both production and QA, on both V1 and V2.

Vitalii tested with Chrome on Mac, and saw this issue in QA V1 and V2, as well as EU1 V1 and V2
Andrii also tested with Chrome on Mac, and saw the issue only in QA V2.
I tested with Brave on Linux and saw the issue only in QA V2
I also tested with Firefox on Linux and saw the issue in QA V1 and V2, as well as US1 V1 and V2

For now, I am going to remove this from our "required tasks to turn on V2 as default", because it does not appear to break the app. We should still fix the issue, but it is not a blocker.

@mobyvb mobyvb added Priority: Medium Needs Estimation Issue still needs story pointing and removed Priority: High labels Jan 18, 2024
@mobyvb
Member Author

mobyvb commented Jan 18, 2024

more useful screenshots from Andrii:

Firefox QA V2:

Image

Firefox QA V1 and prod:

Image

Safari QA V2:

Image

@mobyvb mobyvb changed the title Content security policy error in V2 in QA Content security policy error in UI Jan 18, 2024
@mobyvb mobyvb changed the title Content security policy error in UI Content security policy error log in UI Jan 18, 2024
@mobyvb mobyvb removed Priority: Medium Needs Estimation Issue still needs story pointing labels Jan 18, 2024
@VitaliiShpital VitaliiShpital self-assigned this Jan 19, 2024
@VitaliiShpital
Member

VitaliiShpital commented Jan 19, 2024

After investigation I realised that this is related to hcaptcha. If hcaptcha is disabled then errors go away. I tried to update dependency and play with types/sizes but it didn't help.

Also, we have different errors. Guys above provided error messages related to style-src directive. Here is my error in prod app (EU1 - Google Chrome). It's related to script-src directive
Image

@VitaliiShpital
Member

VitaliiShpital commented Jan 19, 2024

the other problem is that I don't get those errors in firefox, safari, opera and brave - EU1 sat and both v1 and v2 apps. I get this ^ error only in google chrome.

Also, I think errors depend on type of the challenge. If there is no challenge then there are no errors and vice-versa

@VitaliiShpital
Member

VitaliiShpital commented Jan 19, 2024

official hcaptcha docs have this statement which is a bit suspicious

If you are an enterprise customer and would like to enable additional verification to be performed, you can optionally choose the following CSP strategy:

- unsafe-eval and unsafe-inline should include https://hcaptcha.com, https://*.hcaptcha.com

@VitaliiShpital
Member

ok, I figured out style-src violation issue. It was presented by new app loader styles
Image

CC @wilfred-asomanii

@storj-gerrit

storj-gerrit bot commented Jan 19, 2024

Change web/satellite/v2: fixed style-src CSP error mentions this issue.

storjBuildBot pushed a commit that referenced this issue Jan 19, 2024
Made inline styles to be loaded from file to resolve CSP error

Issue:
#6701

Change-Id: I0d15475d61bf4d0a499ca884b5a4b77decb6de56
ihaid pushed a commit that referenced this issue Jan 30, 2024
Made inline styles to be loaded from file to resolve CSP error

Issue:
#6701

Change-Id: I0d15475d61bf4d0a499ca884b5a4b77decb6de56
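
The style-src finding in this thread, as an added example that is not part of the discussion or of Storj's code: a simplified check that reports inline `<style>` blocks a given policy would block, run against a page before and after moving the loader styles to a file. The policy string, the `#app-loader` selector and the `/static/loader.css` path are constructed for illustration; hash sources are only treated as switching off `'unsafe-inline'`, and hash matching itself is not implemented.

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // When a directive is repeated, only its first occurrence is used.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Decide whether one inline <style> element passes the policy.
function inlineStyleAllowed(policy, nonce) {
  // <style> elements fall back style-src-elem -> style-src -> default-src.
  const sources = policy.get('style-src-elem') ?? policy.get('style-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: not restricted
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const strict = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  // 'unsafe-inline' is ignored once any nonce or hash source is present.
  return !strict && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Return the bodies of inline <style> blocks in an HTML string that would be blocked.
// The regex scan is a rough stand-in for a real HTML parser.
function findBlockedInlineStyles(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  const blocked = [];
  for (const m of html.matchAll(/<style\b([^>]*)>([\s\S]*?)<\/style>/gi)) {
    const nonce = (/\bnonce="([^"]*)"/i.exec(m[1]) || [])[1];
    if (!inlineStyleAllowed(policy, nonce)) blocked.push(m[2].trim());
  }
  return blocked;
}

// Constructed sample policy and markup (not Storj's real header or pages).
const CSP = "default-src 'self'; style-src 'self'; " +
  "script-src 'self' https://hcaptcha.com https://*.hcaptcha.com";
const BEFORE = '<head><style>#app-loader { position: fixed; }</style></head>';
const AFTER = '<head><link rel="stylesheet" href="/static/loader.css"></head>';

console.log(findBlockedInlineStyles(CSP, BEFORE)); // the inline loader style is reported
console.log(findBlockedInlineStyles(CSP, AFTER));  // nothing is reported
```
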