-
Nov 9th, 2021, 03:15 PM
#1
Strange Error
The following page works great on Firefox V56. If scripts are not enabled, the page displays the message and exits.
Code:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<p><script></script>
<noscript>JavaScript is disabled, please turn on!</noscript>
<!-- -->
</p>
<script src="./test.js"></script>
<script>adjust()</script>
<script>window.location.replace("/")</script>
</head>
But when tested on Firefox V92, I get the following error:
---------------------------------
Content Security Policy: Couldn't process unknown directive script-src-attr
Loading failed for the <script> with source http://192.168.0.4:5197/test.js. 192.168.0.4:5197:1:1
Content Security Policy: The page's settings blocked the loading of a resource at http://192.168.0.4:5197/test.js (script-src). 3
Content Security Policy: Couldn't process unknown directive script-src-elem
Content Security Policy: Couldn't process unknown directive script-src-attr
Content Security Policy: The page's settings blocked the loading of a resource at inline (script-src). 6
---------------------------------
NoScript is being used on both systems to block scripts. When enabled on Firefox V56, it proceeds to execute the script "test.js" properly, but not on V92. It does not give any message at all; it simple doesn't execute "test.js" because it has not been loaded. It has taken quite a while just to figure this much out.
The problem appears to be caused by the version of NoScript used by Firefox V92. Are there modifications I can make to the page file to prevent this error?
J.A. Coutts
-
Nov 9th, 2021, 04:45 PM
#2
Re: Strange Error
What happens if you add the following CSP meta tag:
Code:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Basically what this should allow is script files to references files from its own origin which is why I think this would work.
P.S. - CSP errors have been a pain in my side for the last couple of weeks, so I feel your pain.
-
Nov 10th, 2021, 05:57 PM
#3
Re: Strange Error
Originally Posted by dday9
What happens if you add the following CSP meta tag:
Code:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Basically what this should allow is script files to references files from its own origin which is why I think this would work.
P.S. - CSP errors have been a pain in my side for the last couple of weeks, so I feel your pain.
Running it on Version 56 produces:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src file://”). Source: adjust().
I ran this on V56 because V92 doesn't appear to support cookies on file loads. It also doesn't allow direct browser access to individual cookies, so I have to use the Developer Tools instead. "CSP: default-src" is supposed to be supported on Firefox V23 or better.
J.A. Coutts
Addendum:
I was finally able to create the Meta tag in VB6, and added it to the page info. It produced the following errors:
--------------------------------
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src http://localhost:5197”). Source: adjust().
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://localhost:5197”). Source: window.location.replace('/').
---------------------------------
Last edited by couttsj; Nov 11th, 2021 at 06:03 PM.
-
Nov 11th, 2021, 06:39 PM
#4
Re: Strange Error
Had some success. Added a Meta Tag:
<meta http-equiv='Content-Security-Policy' content='default-src *'>
as suggested by:
https://www.cloudbees.com/blog/how-t...ecurity-policy
and the problem went away. Of course, this is not a good policy, but at least it is a start.
J.A. Coutts
Last edited by couttsj; Nov 11th, 2021 at 06:44 PM.
-
Nov 11th, 2021, 09:34 PM
#5
Re: Strange Error
That’s sort of what I was getting at with “self” which is why I’m surprised that it didn’t work.
-
Nov 12th, 2021, 12:36 PM
#6
Re: Strange Error
Originally Posted by dday9
That’s sort of what I was getting at with “self” which is why I’m surprised that it didn’t work.
What this tells me is that newer versions of Firefox block script sources by default, and have to specifically be authorized. I assume that Chrome and Edge do the same, but I cannot confirm that. If I am wrong, please let me know.
J.A. Coutts
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|