because an ancestor violates the following Content Security Policy directive - identityserver4

Blazor WebAssembly application. Since the Duende NuGet package was updated (to 6.1.2), when I try to log in I get these messages:
Refused to frame 'https://........' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
crbug/1173575, non-JS module files deprecated.
Any clue will be appreciated.

Related

Stripe payment page Connection is not secure problem

I used the react-stripe-checkout npm package for making a donation payment page. Everything is working fine. But in some browsers it says "Connection is not secure", and some browsers don't show any problem with the connection.
2nd problem: in the console, an error is shown multiple times:
[Report Only] Refused to apply inline style because it violates the
following Content Security Policy directive: "style-src 'self'.
Either the 'unsafe-inline' keyword, a hash ('sha256-vm6IzvFZd99ObdwJODb8jyYg2jyzf6SewoA692PD8/A='), or a nonce ('nonce-...') is required to enable inline execution.
Is this "Connection is not secure" warning showing on the Stripe Checkout page or on the website that hosts your web application? If it's on your website, then you might want to check your SSL certificate configuration.
The 2nd error is related to the Content Security Policy; you can find the Stripe CSP directives here: https://stripe.com/docs/security/guide#content-security-policy

Web Api do not support authorization_code grant type:oauth2-resource-server and oauth2-client in single app as web_application_and_resource_server

I am trying to configure spring-boot-starter-oauth2-resource-server and spring-boot-starter-oauth2-client in a single app as web_application_and_resource_server. After following these instructions I have the following error:
Error: Caused by: java.lang.IllegalStateException: Web Api do not support authorization_code grant type. id = graph.
I am unsure how to configure the properties for the resource server, I tried the properties below:
azure.activedirectory.tenant-id=###
# Specifies your App Registration's Application ID:
azure.activedirectory.client-id=###
# Specifies your App Registration's secret key:
azure.activedirectory.client-secret=###
azure.activedirectory.application-type = web_application_and_resource_server
#azure.activedirectory.app-id-uri=##
#azure.activedirectory.authorization-clients.api.authorizationGrantType=on_behalf_of
#azure.activedirectory.authorization-clients.api.scopes=https://graph.microsoft.com/User.Read
azure.activedirectory.authorization-clients.graph.authorizationGrantType=authorization_code
azure.activedirectory.authorization-clients.graph.scopes=https://graph.microsoft.com/User.Read,Directory.AccessAsUser.All,offline_access,openid,profile,email
How does the configuration apply to the resource server?
With the above configuration I receive an error that the web API can't accept an authorization code as a grant type, which is true.
Is there any specific configuration required at the Azure AD level?
All APIs are within the spring boot application itself. I just need all APIs to be authenticated using the token.

Refused to frame 'https://www.facebook.com/' because an ancestor violates the Content Security Policy : "frame-ancestors https://www.facebook.com"

I've implemented the Facebook SDK using the npm package "react-messenger-customer-chat", which takes pageid and appid as props. I am injecting this code into a Shopify store (using an iframe) using the Shopify ScriptTags API. I've also whitelisted the Shopify store domain on my Facebook page, but I'm still getting this error. Can you please suggest some solutions?
Check if your page is publicly visible.

CSP Scanner: Wildcard Directive alert for OpenID Connect session management endpoint

We used ZAP 2.8 to scan our Angular web application implemented with IdentityServer4 (implicit flow).
It generated a Wildcard Directive alert (shown below), and I am not sure whether it is a security issue or not.
If it is a security issue, what should we do? The OpenID Connect session management endpoint is not part of our app; it is IdentityServer4 built-in functionality. Any suggestions? Thanks.
Medium (Medium) CSP Scanner: Wildcard Directive
Description
The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: frame-ancestor
URL https://server103.abc.com:54231/services.identity/connect/checksession
Method GET
Parameter Content-Security-Policy
Evidence default-src 'none'; script-src 'sha256-ZT3q7lL9GXNGhPTB1Vvrvds2xw/kOV0zoeok2tiV23I='
The issue is that the frame-ancestors isn't defined.
Per: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
default-src fallback No. Not setting this allows anything.
So even though you did define default-src, frame-ancestors doesn't fall back to it, so since it's unspecified it'll accept anything.
It's up to you (or whoever controls the other component) if that's an issue or not.
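The two CSP rules discussed on this page, as an added example that is not from any of the posts above: the no-fallback rule behind the ZAP finding (frame-ancestors is unrestricted when absent, even with default-src set) and the inline-style rule from the Stripe error ('unsafe-inline', a matching hash, or a nonce; per the CSP spec, a hash or nonce in the list disables 'unsafe-inline'). Function names and the sample policies are constructed for this example, except the policy quoted in the ZAP evidence.

```python
import base64
import hashlib

# Directives that never fall back to default-src (MDN / CSP3). Leaving one of
# these out means nothing restricts it, which is what the ZAP alert reports.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}.
    Only the first occurrence of a directive counts, as browsers do."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None  # no default-src fallback: anything is allowed
    return policy.get("default-src")


def unrestricted_directives(policy):
    """Scanner-style finding: restriction directives that are left wide open."""
    return [d for d in ("frame-ancestors", "base-uri", "form-action")
            if effective_sources(policy, d) is None]


def csp_hash(inline_content):
    """The 'sha256-...' source expression for one inline <style>/<script> body."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_allowed(policy, content):
    """Would the browser apply this inline style under `policy`?"""
    sources = effective_sources(policy, "style-src")
    if sources is None:
        return True  # neither style-src nor default-src: unrestricted
    strict = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-"))
                 for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True  # 'unsafe-inline' only counts when no hash/nonce is listed
    return csp_hash(content) in sources
```

Running `unrestricted_directives` over the header quoted in the ZAP evidence returns frame-ancestors (and base-uri, form-action), which is the finding the answer explains; adding an explicit `frame-ancestors 'none'` clears it.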

SAP HANA XS Advanced CORS configuration

Can someone tell me how to set a CORS filter on the XS Advanced server? Currently all request calls from the client application (Angular) are rejected with the message:
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:4200' is therefore not allowed
access. The response had HTTP status code 403.
XSA doesn't have an .xsaccess file like the XS server. By default XSA should accept all CORS requests, but this is not the case.
I suppose that your client is an Angular app and you have some other "backend" app deployed on XSA.
First of all, your "backend" app (Java, Node.js, ...) should be part of a multi-target application. When you build this app, you will get an .mtar (multi-target archive) which then should be deployed to XSA.
Also you need to create one more module as part of the MTA. The module/app type should be html5, and common practice is to call it web.
The web module acts as an application router, and there is a file xs-app.json where you can specify route rules and also CORS settings. It is a useful feature because you can manage the security in that way.