I've been stuck with this for days and finally decided to ask out. I've read dozens of issues, pages here but none of them solved my problem. I have an application built on top of this boilerplate: https://github.com/codesbiome/electron-react-webpack-typescript-2022 (the boilerplate isn't important as much, but there are some webpack configs there). I've read the documentation and it says that I should define a protocol for rendering images in this case, like this
app.whenReady().then(() => {
protocol.registerFileProtocol('atom', (request, callback) => {
const filePath = url.fileURLToPath(
'file://' + request.url.slice('atom://'.length),
);
callback(filePath);
});
});
This responds with an error "refused to load resource", even with content security policy set like this:
<meta
http-equiv="Content-Security-Policy"
content="
worker-src atom:;
child-src atom: gap:;
img-src 'self' atom: data:;
default-src * 'self' 'unsafe-inline' 'unsafe-eval' data: gap: content:"
/>
If I change atom to something like blob or file it errors with "it is not allowed to load resource".
I'm rendering it inside react, like this
const image_path = `atom://${image.path}`;
<img src={image_path} />
Turning off security doesn't work, and even if it did I don't find it as an acceptable answer. I'm trying to read the file off of the local machine and I've looked up how some other applications that use electron are doing it (by uploading it to their servers). But I'm still wondering if something like this was even possible without an additional server as I want the app to work offline. Thank you.
Related
I have been trying to load images using webpack, but somehow it's not working.
here's the related code
{ test: /\.(jpe?g|png|gif)$/i, loader: 'file-loader?name=[name].[ext]' },
and here's one example of the component where the image should load
<ListItem
leftAvatar={
<Avatar src="assets/images-demo/avatars/128.jpg" />
}
but when the page loads, I get
http://localhost:8080/assets/images-demo/avatars/128.jpg 404 (Not Found)
In the network tab, I see the type of the images as text/html, (not sure why) and I see the initiator as DOMLazyTree. so, could you give me an idea of what's going wrong here?
I'm getting this error in the console:
Refused to load the font 'data:font/woff;base64,d09GRgABAAAAAGVUABEAAAAAxuQAAQABAAAAAAAAAAAAAAAAAAAAA…eLo4GBkcWhIzkkAqQkEggceHw5HFkM2VRZJFlYebR2MP5v3cDSu5GJwWUDW9xG1hQXAFAmKZU=' because it violates the following Content Security Policy directive: "font-src *".
My Content-Security-Policy meta tag looks like this:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; font-src *; script-src * 'unsafe-inline' 'unsafe-eval'; child-src *">
What would be the issue?
Star isn't quite the wildcard you'd think it is in Content Security Policy. You have to manually specify certain directives including data: and blob:. Star will match any domain but not any protocol.
Adding data: to font-src list will let the font load. (Additionally I would remove the asterisk to trust as few things as possible).
In chrome app I am trying to load images from external link but getting error
Refused to load the image
'unsafe:https://www.google.co.in/images/srpr/logo11w.png' because it
violates the following Content Security Policy directive: "img-src
'self' blob: filesystem: data: chrome-extension-resource:
I already added content_security_policy in manifest.json file
"content_security_policy": "img-src 'self' https://www.google.co.in/ blob: filesystem: data: chrome-extension-resource:;"
and
also explicitly added URL protocols to Angular's whitelist using a regular expression
.config(['$compileProvider',
function ($compileProvider) {
var currentImgSrcSanitizationWhitelist = $compileProvider.imgSrcSanitizationWhitelist();
var newImgSrcSanitizationWhiteList = currentImgSrcSanitizationWhitelist.toString().slice(0, -1)
+ '|chrome-extension:'
+ currentImgSrcSanitizationWhitelist.toString().slice(-1);
console.log("Changing imgSrcSanitizationWhiteList from " + currentImgSrcSanitizationWhitelist + " to " + newImgSrcSanitizationWhiteList);
$compileProvider.imgSrcSanitizationWhitelist(newImgSrcSanitizationWhiteList);
}
]);
but still error is there.
You cannot override CSP for Chrome Apps (that key is only for extensions).
You will need to adapt your App to fetch then locally cache the images - you can't embed them directly. See Google's guide on Referencing external resources.
Also, take another look at this question - if you're getting unsafe: in your URLs you aren't doing it correctly.
I've run a pen test tool (Burp) against my node(express)/angular application and it identified a reflected XSS vulnerability specifically when attempting a GET request for static assets (noticeably vulnerabilities were not found for any of the requests being made when a user interacts with the application).
The issue detail is:
The name of an arbitrarily supplied URL parameter is copied into a
JavaScript expression which is not encapsulated in any quotation
marks. The payload 41b68(a)184a9=1 was submitted in the name of an
arbitrarily supplied URL parameter. This input was echoed unmodified
in the application's response.
This behavior demonstrates that it is possible to inject JavaScript
commands into the returned document. An attempt was made to identify a
full proof-of-concept attack for injecting arbitrary JavaScript but
this was not successful. You should manually examine the application's
behavior and attempt to identify any unusual input validation or other
obstacles that may be in place.
The vulnerability was tested by passing an arbitrary url parameter to the request like so:
GET /images/?41b68(a)184a9=1
The response was:
HTTP/1.1 404 Not Found
X-Content-Security-Policy: connect-src 'self'; default-src 'self'; font-src 'self'; frame-src; img-src 'self' *.google-analytics.com; media-src; object-src; script-src 'self' 'unsafe-eval' *.google-analytics.com; style-src 'self' 'unsafe-inline'
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 52
Date: Wed, 08 Oct 2015 10:46:43 GMT
Connection: close
Cannot GET /images/?41b68(a)184a9=1
You can see that I have CSP in place (using Helmet to implement) and other protections against exploits. The app is served over https, but no user auth is required. CSP restricts request to the app's domain only plus google analytics.
The pen test report advises validating input (I am, but surely that would make requests including data sent by a user unsafe if I wasn't?), and encoding html which angular does by default.
I'm really struggling to find a solution to preventing or mitigating this for those requests for static assets:
Should I whitelist all requests for my application under csp?
Can I even do this, or will it only whitelist domains?
Can/should all responses from node/express to requests for static assets be encoded in some way?
The report states that "The name of an arbitrarily supplied URL parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks". Could this expression be somewhere in the express code that handles returning static assets?
Or that GET request param can somehow be evaluated in my application code?
Update
Having done some investigation into this it seems that at least part of the mitigation is to escape data in url param values and sanitize the input in the url.
Escaping of the url is already in place so:
curl 'http://mydomain/images/?<script>alert('hello')</script>'
returns
Cannot GET /images/?<script>alert(hello)</script>
I've also put express-sanitized in place on top of this.
However, if I curl the original test the request param is still reflected back.
curl 'http://mydomain/images/?41b68(a)184a9=1'
Cannot GET /images/?41b68(a)184a9=1
Which you would expect because html is not being inserted into the url.
The responses to GET requests for static assets are all handled by app.use(express.static('static-dir')) so the query is passed into this. express.static is based on serve-static which depends on parseurl.
The cause of the issue is that for invalid GET requests express will return something like:
Cannot GET /pathname/?yourQueryString
Which in many cases is a valid response, even for serving static assets. However, in my case and I'm sure for others the only valid requests for static assets will be something like:
GET /pathname/your-file.jpg
I have a custom 404 handler that returns a data object:
var data = {
status: 404,
message: 'Not Found',
description: description,
url: req.url
};
This is only handled for invalid template requests in app.js with:
app.use('/template-path/*', function(req, res, next) {
custom404.send404(req, res);
});
I've now added explicit handlers for requests to static folders:
app.use('/static-path/*', function(req, res, next) {
custom404.send404(req, res);
});
Optionally I could also strip out request query params before the 404 is returned:
var data = {
status: 404,
message: 'Not Found',
description: description,
url: url.parse(req.url).pathname // needs a var url = require('url')
};
I'm getting the following error in one of my functions on ionic:
Error: [$interpolate:interr] Can't interpolate: {{detailMl.file}}
Error: [$sce:insecurl] Blocked loading resource from url not allowed by $sceDelegate policy. URL: http://192.168.1.105/sonschool/upload/mm_learning/44ec994b4e8892932d979ac93d045fa0.pdf
http://errors.angularjs.org/1.3.13/$sce/insecurl?p0=http%3A%2F%2F192.168.1.…%2Fsonschool%2Fupload%2Fmm_learning%2F44ec994b4e8892932d979ac93d045fa0.pdf
http://errors.angularjs.org/1.3.13/$interpolate/interr?p0=%7B%7BdetailMl.fi…school%252Fupload%252Fmm_learning%252F44ec994b4e8892932d979ac93d045fa0.pdf
at REGEX_STRING_REGEXP (ionic.bundle.js:8890)
at parseStringifyInterceptor (ionic.bundle.js:19022)
at regularInterceptedExpression (ionic.bundle.js:21679)
at Object.expressionInputWatch (ionic.bundle.js:21583)
at Scope.$get.Scope.$digest (ionic.bundle.js:23062)
at Scope.$get.Scope.$apply (ionic.bundle.js:23333)
at done (ionic.bundle.js:18486)
at completeRequest (ionic.bundle.js:18676)
at XMLHttpRequest.requestLoaded (ionic.bundle.js:18617)
help me please..
this code work :
$scope.pdfURL = "school.pdf";
and then i change this code with:
var baseUrl = 'http://192.168.1.105/sonschool/api/';
$http.get(baseUrl+'ambilDetailML/?id='+$stateParams.mlId).success(function(dataML) {
//console.log(dataML);
$scope.pdfURL = dataML.url_pdf;
});
Any idea about what might be causing the error?
In order to be able to use external resource you have to whitelist them (that's why the local 'school.pdf' file works and the one using IP doesn't). The tutorial on how to do this can be found here.
But, shortly, you should install the cordova-plugin-whitelist plugin and add
the following to your www/index.html file right below the other meta tags:
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">